aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

AWS SDK V3 EBS snapshot result showing wrong values instead actual count #5451

Closed grootsadmin closed 10 months ago

grootsadmin commented 10 months ago

Describe the bug

AWS SDK: V3.443.0

NODEJS : V18.x

CODE:

const { EC2Client, DescribeVolumesCommand, DescribeSnapshotsCommand, GetSnapshotBlockCommand, DescribeRegionsCommand } = require('@aws-sdk/client-ec2');

const region = 'us-east-1'; 
const awsProfile = '12345xxxxxx';

// Note: awsProfile is not an EC2Client configuration option; the client
// ignores it and resolves credentials from the default provider chain.
const ec2Client = new EC2Client({
  region,
  awsProfile
});

async function listSnapshotIds() {
  try {
    // No OwnerIds filter: returns every snapshot the caller can access
    const describeSnapshotsCommand = new DescribeSnapshotsCommand({});
    const response = await ec2Client.send(describeSnapshotsCommand);
    const snapshotIds = response.Snapshots.map(snapshot => snapshot.SnapshotId);
    console.log('Snapshot IDs:', snapshotIds);
    return snapshotIds;
  } catch (error) {
    console.error('Error listing snapshots:', error.message);
    throw error;
  } finally {
    // Close the EC2 client
    await ec2Client.destroy();
  }
}

// Example usage
(async () => {
  try {
    // List all snapshot IDs
    const snapshotIds = await listSnapshotIds();

    if (snapshotIds.length > 0) {
      // Use the snapshot IDs for further processing if needed
      console.log('Snapshot IDs:', snapshotIds);
    } else {
      console.log('No snapshots found in the account.');
    }
  } catch (error) {
    console.error('Error:', error.message);
  }
})();

showing wrong values instead of actual data

WRONG output showing: Snapshot IDs: [ . . . ... 52430 more items ]

Actual result Instead: 1 snap-xxxxx

SDK version number

@aws-sdk/package-name@version, ...

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

NODEJS: V18.x

Reproduction Steps

Execute the above script and confirm the output

Observed Behavior

Does not collect data from the given profile or STS

Expected Behavior

Show only the actual account's snapshot count

Possible Solution

might not refer to the existing account data

Additional Information/Context

use the latest aws sdk or previous for the result

RanVaknin commented 10 months ago

Hi @grootsadmin ,

Thanks for opening the issue.

const awsProfile = '12345xxxxxx'; is not a valid client config input.

If you are trying to filter EBS snapshots based on owner account you need to specify this as a parameter to the DescribeSnapshots command itself, and not the client config input:

const { EC2Client, DescribeVolumesCommand, DescribeSnapshotsCommand, GetSnapshotBlockCommand, DescribeRegionsCommand } = require('@aws-sdk/client-ec2');

const region = 'us-east-1'; 
const awsProfile = '12345xxxxxx';

const ec2Client = new EC2Client({
  region,
-  awsProfile
});

sync function listSnapshotIds() {
  try {
-    const describeSnapshotsCommand = new DescribeSnapshotsCommand({});
+    const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+        OwnerIds: [awsProfile]
+    });
    const response = await ec2Client.send(describeSnapshotsCommand);
    const snapshotIds = response.Snapshots.map(snapshot => snapshot.SnapshotId);
    console.log('Snapshot IDs:', snapshotIds);
    return snapshotIds;
  } catch (error) {
    console.error('Error listing snapshots:', error.message);
    throw error;
  } finally {
    // Close the EC2 client
    await ec2Client.destroy();
  }
}
// rest of your code...
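Review bot: the hunk still declares `sync function listSnapshotIds()` (missing the leading `a`), so the `await` calls inside it will not parse; that needs fixing alongside the OwnerIds change. Also consider `OwnerIds: ['self']` instead of reusing the `awsProfile` string, which avoids hardcoding an account ID in the source, and note that `response.Snapshots` reads only the first page of results: follow `NextToken` (or use `paginateDescribeSnapshots` from @aws-sdk/client-ec2) to get a complete listing.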

Let me know if this helps. Thanks, Ran~

grootsadmin commented 10 months ago

@RanVaknin I verified the above profile using the AWS CLI, but the same thing happened: it showed all the results except my own. Also, I already did the following:

const ec2Client = new EC2Client({
  region,
-  awsProfile
});

sync function listSnapshotIds() {
  try {
-    const describeSnapshotsCommand = new DescribeSnapshotsCommand({});
+    const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+        OwnerIds: [awsProfile]
+    });

But my question is: if I am using a profile, then why should I set OwnerId?

+    const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+        OwnerIds: [awsProfile]

What if I didn't set OwnerId?

RanVaknin commented 10 months ago

Hi @grootsadmin ,

The profile you configured using the CLI is only for authentication purposes and includes a KeyID and SecretAccessKey, and not the AWS account that corresponds to that set of credentials.

The EC2 service needs to know which EBS snapshots to fetch. You can specify your own account ID, you can specify other account IDs you might have access to, or you can not specify any account IDs, but then EC2 will return a list of all the EBS snapshots your account has access to, including all the public ones (this explains why you get 52430+ results).

I hope this clears things up.

Thanks, Ran~

grootsadmin commented 10 months ago

@RanVaknin My question is: if the profile is only for authenticating, then why is it showing another owner's data instead of the authenticated account's?

grootsadmin commented 10 months ago

If this happens, then why is authentication required?

grootsadmin commented 10 months ago

This is called a data leak.

RanVaknin commented 10 months ago

Hi @grootsadmin ,

I understand there might be some confusion regarding the data you're seeing. Rest assured, this is not indicative of a data leak. AWS allows users to make their EBS snapshots public, as detailed in the AWS documentation: Sharing an EBS Snapshot.

When you are not specifying an ID, the EC2 service will return all the snapshots for which you have create volume permissions (your own, other account IDs that shared their snapshot with you, or any public snapshots). This is the intended behavior and is clearly documented:

Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.

The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots owned by other AWS accounts for which you have explicit create volume permissions.

The create volume permissions fall into the following categories:

public: The owner of the snapshot granted create volume permissions for the snapshot to the all group. All AWS accounts have create volume permissions for these snapshots.

explicit: The owner of the snapshot granted create volume permissions to a specific AWS account.

implicit: An AWS account has implicit create volume permissions for all snapshots it owns.

The list of snapshots returned can be filtered by specifying snapshot IDs, snapshot owners, or AWS accounts with create volume permissions. If no options are specified, Amazon EC2 returns all snapshots for which you have create volume permissions.

You have to give the SDK credentials because the EC2 service expects to see a signed request, meaning it's from who you say you are. While I don't have visibility into the service-side logic, I can imagine that in order to identify you, it exchanges your secret key for an Account ID, and then cross-references the permissions you have.

Thanks, Ran~
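The behaviour described in the two replies above (an unfiltered DescribeSnapshots returning shared and public snapshots, and OwnerIds restricting it to your own), as an added example that is not code from the aws-sdk-js-v3 project or this issue's author. It assumes an adapter `ec2.describe(params)` that behaves like `client.send(new DescribeSnapshotsCommand(params))`; a constructed in-memory fake plays the EC2 side so it runs offline.

```javascript
// Added example, not code from the aws-sdk-js-v3 project or this issue.
// `ec2.describe(params)` is an assumed adapter standing in for
// `client.send(new DescribeSnapshotsCommand(params))` and must return
// { Snapshots: [...], NextToken?: string }.

// Walk every page of DescribeSnapshots. OwnerIds: ['self'] scopes the
// listing to snapshots owned by the calling account; without an owner
// filter EC2 also returns snapshots shared with you and all public ones.
async function listSnapshots(ec2, ownerIds = ['self']) {
  const all = [];
  let NextToken;
  do {
    const page = await ec2.describe({ OwnerIds: ownerIds, MaxResults: 500, NextToken });
    all.push(...(page.Snapshots ?? []));
    NextToken = page.NextToken;
  } while (NextToken);
  return all;
}

// For an unfiltered listing, separate your own snapshots from ones merely
// shared with you. Anything in `foreign` is another account's data that
// you were granted create-volume permission on, not a leak of your own.
function splitByOwner(snapshots, myAccountId) {
  return {
    own: snapshots.filter(s => s.OwnerId === myAccountId),
    foreign: snapshots.filter(s => s.OwnerId !== myAccountId),
  };
}

// Constructed sample: two accounts, served two snapshots per page.
const MY_ACCOUNT = '111111111111';
const SAMPLE = [
  { SnapshotId: 'snap-0a1', OwnerId: MY_ACCOUNT },
  { SnapshotId: 'snap-0b2', OwnerId: '222222222222' }, // shared or public
  { SnapshotId: 'snap-0c3', OwnerId: MY_ACCOUNT },
];
const fakeEc2 = {
  async describe({ OwnerIds = [], NextToken }) {
    const owner = OwnerIds.includes('self') ? MY_ACCOUNT : OwnerIds[0];
    const visible = owner ? SAMPLE.filter(s => s.OwnerId === owner) : SAMPLE;
    const start = NextToken ? Number(NextToken) : 0;
    const end = start + 2;
    return {
      Snapshots: visible.slice(start, end),
      NextToken: end < visible.length ? String(end) : undefined,
    };
  },
};
```

Against a real client, pass `{ describe: p => client.send(new DescribeSnapshotsCommand(p)) }` as `ec2`; the OwnerId on each returned snapshot is what tells you whose data a long listing actually contains.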

github-actions[bot] commented 10 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.