Closed grootsadmin closed 10 months ago
Hi @grootsadmin ,
Thanks for opening the issue.
const awsProfile = '12345xxxxxx';
is not a valid client config input.
If you are trying to filter EBS snapshots based on owner account you need to specify this as a parameter to the DescribeSnapshots command itself, and not the client config input:
const { EC2Client, DescribeVolumesCommand, DescribeSnapshotsCommand, GetSnapshotBlockCommand, DescribeRegionsCommand } = require('@aws-sdk/client-ec2');
const region = 'us-east-1';
const awsProfile = '12345xxxxxx';
const ec2Client = new EC2Client({
region,
- awsProfile
});
sync function listSnapshotIds() {
try {
- const describeSnapshotsCommand = new DescribeSnapshotsCommand({});
+ const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+ OwnerIds: [awsProfile]
+ });
const response = await ec2Client.send(describeSnapshotsCommand);
const snapshotIds = response.Snapshots.map(snapshot => snapshot.SnapshotId);
console.log('Snapshot IDs:', snapshotIds);
return snapshotIds;
} catch (error) {
console.error('Error listing snapshots:', error.message);
throw error;
} finally {
// Close the EC2 client
await ec2Client.destroy();
}
}
// rest of your code...
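Review bot: the context line `sync function listSnapshotIds() {` should read `async function listSnapshotIds() {`; as written, the `await ec2Client.send(...)` inside it is a syntax error, so the suggested diff will not run when pasted. Also, after this change `awsProfile` holds an AWS account ID rather than a named credentials profile, which is exactly the confusion the question is about; renaming it (for example to `ownerAccountId`) and passing that to `OwnerIds` would make the intent clear.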
Let me know if this helps. Thanks, Ran~
@RanVaknin I verified the above profile using the AWS CLI, but the same thing happened: it showed all the results except my own. Also, I already did the following:
const ec2Client = new EC2Client({
region,
- awsProfile
});
sync function listSnapshotIds() {
try {
- const describeSnapshotsCommand = new DescribeSnapshotsCommand({});
+ const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+ OwnerIds: [awsProfile]
+ });
But my question is: if I am using a profile, then why should I set OwnerId?
+ const describeSnapshotsCommand = new DescribeSnapshotsCommand({
+ OwnerIds: [awsProfile]
What if I didn't set OwnerId?
Hi @grootsadmin ,
The profile you configured using the CLI is only for authentication purposes and includes a KeyID and SecretAccessKey, and not the AWS account that corresponds to that set of credentials.
The EC2 service needs to know which EBS snapshots to fetch. You can specify your own account ID, you can specify other account IDs you might have access to, or you can not specify any account IDs, but then EC2 will return a list of all the EBS snapshots your account has access to, including all the public ones (this explains why you get 52430+ results).
I hope this clears things up.
Thanks, Ran~
@RanVaknin My question is: if the profile is only for authenticating, then why is it showing another owner's data instead of the authenticated account's?
If this happened, then why is authentication required?
This is called a data leak.
Hi @grootsadmin ,
I understand there might be some confusion regarding the data you're seeing. Rest assured, this is not indicative of a data leak. AWS allows users to make their EBS snapshots public, as detailed in the AWS documentation: Sharing an EBS Snapshot.
When you are not specifying an ID, the EC2 service will return all the snapshots for which you have create volume permissions (your own, other account IDs that shared their snapshot with you, or any public snapshots). This is the intended behavior and is clearly documented:
Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.
The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots owned by other AWS accounts for which you have explicit create volume permissions.
The create volume permissions fall into the following categories:
public: The owner of the snapshot granted create volume permissions for the snapshot to the all group. All AWS accounts have create volume permissions for these snapshots.
explicit: The owner of the snapshot granted create volume permissions to a specific AWS account.
implicit: An AWS account has implicit create volume permissions for all snapshots it owns.
The list of snapshots returned can be filtered by specifying snapshot IDs, snapshot owners, or AWS accounts with create volume permissions. If no options are specified, Amazon EC2 returns all snapshots for which you have create volume permissions.
You have to give the SDK credentials because the EC2 service expects to see a signed request, meaning it's from who you say you are. While I don't have visibility into service-side logic, I can imagine that in order to identify you, it exchanges your secret key for an account ID and then cross-references the permissions you have.
Thanks, Ran~
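The scoping rules described above, as an added example that is not part of the thread or of the AWS SDK: it assumes the documented DescribeSnapshots semantics (no OwnerIds returns own, explicitly shared and public snapshots; OwnerIds accepts account IDs or the alias 'self'), and injects a fake client over a constructed catalogue so it runs offline and pages with NextToken the way the service does.

```javascript
// Added example (not the issue's or the AWS SDK's code). It models the documented
// DescribeSnapshots behaviour: no OwnerIds returns every snapshot the caller may create
// volumes from (own, explicitly shared, public); OwnerIds (account IDs or the alias 'self')
// scopes it. The client is injected so this runs offline; with the real SDK pass an
// EC2Client and wrap `input` in `new DescribeSnapshotsCommand(input)` (exposed as `.input`).

const CALLER_ACCOUNT = '111111111111'; // constructed caller account, not a real one
const CATALOGUE = [ // constructed view of what the service can see for that caller
  { SnapshotId: 'snap-own-000001', OwnerId: CALLER_ACCOUNT, Public: false }, // implicit
  { SnapshotId: 'snap-shared-0001', OwnerId: '222222222222', Public: false }, // explicit share
  { SnapshotId: 'snap-public-0001', OwnerId: '333333333333', Public: true },  // public
  { SnapshotId: 'snap-public-0002', OwnerId: 'amazon', Public: true },        // public (AWS-owned)
];

// Fake EC2 client: applies the OwnerIds filter and pages results with NextToken.
function makeFakeEc2Client(catalogue, callerAccount, pageSize = 2) {
  return {
    async send(command) {
      const { OwnerIds = [], NextToken = '0' } = command.input;
      const owners = OwnerIds.map((o) => (o === 'self' ? callerAccount : o));
      const visible = owners.length ? catalogue.filter((s) => owners.includes(s.OwnerId)) : catalogue;
      const end = Number(NextToken) + pageSize;
      return { Snapshots: visible.slice(Number(NextToken), end), NextToken: end < visible.length ? String(end) : undefined };
    },
  };
}

// Collect every page. Omitting ownerIds reproduces the reporter's unscoped call.
async function listSnapshots(client, ownerIds) {
  const snapshots = [];
  let NextToken;
  do {
    const input = { ...(ownerIds ? { OwnerIds: ownerIds } : {}), ...(NextToken ? { NextToken } : {}) };
    const page = await client.send({ input });
    snapshots.push(...page.Snapshots);
    NextToken = page.NextToken;
  } while (NextToken);
  return snapshots;
}

// Defence in depth: verify the owners of what came back, so a missing or wrong filter
// surfaces as an error instead of tens of thousands of foreign snapshot IDs.
function ownedSnapshotIds(snapshots, expectedOwners) {
  const foreign = [...new Set(snapshots.filter((s) => !expectedOwners.includes(s.OwnerId)).map((s) => s.OwnerId))];
  if (foreign.length > 0) throw new Error(`unexpected snapshot owners: ${foreign.join(', ')}`);
  return snapshots.map((s) => s.SnapshotId);
}
```

Against the constructed catalogue the unscoped call returns all four snapshots, `['self']` returns only the caller's one, and `ownedSnapshotIds` rejects the unscoped result.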
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
Describe the bug
AWS SDK: V3.443.0
NODEJS : V18.x
CODE:
showing wrong values instead of actual data
Wrong output showing: Snapshot IDs: [ . . . ... 52430 more items ]
Actual result instead: 1 snap-xxxxx
SDK version number
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
NODEJS: V18.x
Reproduction Steps
Execute the above script and confirm the output
Observed Behavior
Does not collect data from the given profile or STS
Expected Behavior
Show only the actual account's snapshot count
Possible Solution
might not refer to the existing account data
Additional Information/Context
Use the latest AWS SDK or a previous one for the result