aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

copyObject throws Access Denied if source key is not present #6523

Open marcindyelp opened 4 days ago

marcindyelp commented 4 days ago

Describe the bug

To perform copyObject according to the AWS docs, you need the s3:GetObject and s3:PutObject permissions. That works fine with only those permissions. Problem: if the source key (file) does not exist in the bucket, the API throws a misleading error:

AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket" because no identity-based policy allows the s3:ListBucket action

Obviously s3:ListBucket is not needed. The error thrown should be 'key not present, check source...' or anything like that.

Regression Issue

SDK version number

@aws-sdk/client-s3@3.658.1, CopyObjectCommand

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

node 18.19.0

Reproduction Steps

delete the source file

Observed Behavior

AccessDenied: User: arn:aws:sts:#########r is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::my_bucket" because no identity-based policy allows the s3:ListBucket action

Expected Behavior

Obviously s3:ListBucket is not needed. The error thrown should be 'key not present, check source...' or anything like that.

Possible Solution

Change the error/response returned from the API to the user.

Additional Information/Context

No response

aBurmeseDev commented 3 days ago

Hi @marcindyelp - thanks for reaching out.

This is something I need to confirm with the S3 team, but in one of the S3 docs it's mentioned that you need the s3:ListAllMyBuckets permission to perform the CopyObject operation. See here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/copy-object.html#CopyingObjectsExamples

When you initiate a CopyObject operation, S3 needs to verify the existence of the source object in the source bucket. To do this, it needs to list the contents of the source bucket, which requires the s3:ListBucket permission. If the source object doesn't exist, S3 still needs to perform this listing operation to determine that the object doesn't exist and it will return an error if the necessary permission (s3:ListBucket) is not granted.

Best, John
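Added example, not code from aws-sdk-js-v3 or from either participant in this thread: it shows the two things a caller can do about the behaviour discussed above, namely grant s3:ListBucket on the bucket ARN (not the object ARN) in the IAM policy, and translate the AccessDenied-on-s3:ListBucket error into an actionable message in the caller rather than waiting for the service to change it. To run offline it uses a constructed fake S3 client with the same `send(command)` shape as the SDK's S3Client and a local stand-in for CopyObjectCommand; with the real SDK you would import both from @aws-sdk/client-s3 and pass a real client to copyObjectSafely(). The bucket, key and role names are placeholders, and the fake's behaviour rests on one assumption: that the source-existence check in CopyObject follows the documented GetObject rule (404 NoSuchKey when the principal may list the bucket, 403 AccessDenied when it may not), which is consistent with the error text quoted in the issue.

```javascript
// Stand-in for the SDK's CopyObjectCommand so this runs without @aws-sdk/client-s3.
// In real code import CopyObjectCommand and S3Client from the SDK; copyObjectSafely()
// only relies on the client's `send(command)` method.
class CopyObjectCommand {
  constructor(input) { this.input = input; }
}

// IAM policy for the copy. s3:ListBucket is a bucket-level action, so its Resource is
// the bucket ARN; s3:GetObject/s3:PutObject take object ARNs. Names are placeholders.
function buildCopyPolicy({ sourceBucket, sourceKey, destBucket, destKey }) {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "ReadSource", Effect: "Allow", Action: "s3:GetObject",
        Resource: `arn:aws:s3:::${sourceBucket}/${sourceKey}` },
      { Sid: "WriteDest", Effect: "Allow", Action: "s3:PutObject",
        Resource: `arn:aws:s3:::${destBucket}/${destKey}` },
      { Sid: "ReportMissingSourceAs404", Effect: "Allow", Action: "s3:ListBucket",
        Resource: `arn:aws:s3:::${sourceBucket}` },
    ],
  };
}

// Translate the raw service error into something the caller can act on. The
// AccessDenied-on-s3:ListBucket case is the one from the issue.
function explainCopyError(err) {
  const name = err && err.name;
  const message = String((err && err.message) || "");
  const status = err && err.$metadata ? err.$metadata.httpStatusCode : undefined;
  if (name === "NoSuchKey" || status === 404) {
    return { reason: "source-missing", hint: "Source key does not exist; check CopySource." };
  }
  if (name === "AccessDenied" && message.includes("s3:ListBucket")) {
    return { reason: "source-missing-or-unlisted",
      hint: "Source key is missing or the principal lacks s3:ListBucket on the source " +
            "bucket ARN; grant s3:ListBucket to get NoSuchKey/404 for a missing key." };
  }
  if (name === "AccessDenied") return { reason: "denied", hint: message };
  return { reason: "unknown", hint: message };
}

async function copyObjectSafely(client, { sourceBucket, sourceKey, destBucket, destKey }) {
  // CopySource must be URL-encoded; "/" inside the key may be sent as %2F.
  const command = new CopyObjectCommand({
    Bucket: destBucket, Key: destKey,
    CopySource: `${sourceBucket}/${encodeURIComponent(sourceKey)}`,
  });
  try {
    await client.send(command);
    return { ok: true };
  } catch (err) {
    return { ok: false, ...explainCopyError(err) };
  }
}

// Constructed fake S3 client, not the SDK. Assumption: the source-existence check
// follows the documented GetObject rule (404 NoSuchKey with s3:ListBucket, 403
// AccessDenied without it), which matches the error text quoted in the issue.
function makeFakeS3({ objects, allowedActions }) {
  const s3Error = (name, message, httpStatusCode) =>
    Object.assign(new Error(message), { name, $metadata: { httpStatusCode } });
  return {
    async send(command) {
      const [bucket, ...rest] = command.input.CopySource.replace(/^\//, "").split("/");
      const key = decodeURIComponent(rest.join("/"));
      if (!allowedActions.has("s3:GetObject") || !allowedActions.has("s3:PutObject")) {
        throw s3Error("AccessDenied", "Access Denied", 403);
      }
      if (!objects.has(`${bucket}/${key}`)) {
        if (allowedActions.has("s3:ListBucket")) {
          throw s3Error("NoSuchKey", "The specified key does not exist.", 404);
        }
        throw s3Error("AccessDenied",
          "User: arn:aws:sts::123456789012:assumed-role/copier/s is not authorized to " +
          `perform: s3:ListBucket on resource: "arn:aws:s3:::${bucket}" because no ` +
          "identity-based policy allows the s3:ListBucket action", 403);
      }
      objects.add(`${command.input.Bucket}/${command.input.Key}`);
      return { CopyObjectResult: {} };
    },
  };
}

// The same copy attempted without and with s3:ListBucket, plus one that succeeds.
async function demo() {
  const objects = new Set(["my_bucket/reports/2024.csv"]);
  const missing = { sourceBucket: "my_bucket", sourceKey: "reports/missing.csv",
                    destBucket: "my_bucket", destKey: "archive/missing.csv" };
  const present = { ...missing, sourceKey: "reports/2024.csv", destKey: "archive/2024.csv" };
  const noList = makeFakeS3({ objects, allowedActions: new Set(["s3:GetObject", "s3:PutObject"]) });
  const withList = makeFakeS3({ objects,
    allowedActions: new Set(["s3:GetObject", "s3:PutObject", "s3:ListBucket"]) });
  return {
    withoutList: await copyObjectSafely(noList, missing),
    withList: await copyObjectSafely(withList, missing),
    existing: await copyObjectSafely(noList, present),
  };
}
```

The point of the policy helper is the ARN split: attaching s3:ListBucket to `arn:aws:s3:::bucket/*` silently does nothing, because the action is evaluated against the bucket ARN, and the missing-source case then keeps surfacing as the AccessDenied quoted in the issue. Whether you grant s3:ListBucket or not, explainCopyError() keeps the caller from treating that 403 as a generic permissions failure, which is what the reporter found misleading.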