gaul / s3proxy

Access other storage backends via the S3 API
Apache License 2.0

Access Denied Error when tried to create the bucket using Openstack v3 #581

Open oberai07 opened 6 months ago

oberai07 commented 6 months ago

Hi

I am using the OpenStack Keystone v3 sample to connect to OpenStack Swift storage to create the buckets and objects. I have used the s3proxy and configured the properties file to start the server and the connection was successful. However, due to some reasons, I am unable to create the bucket and objects. Could you please let me know what could be the reason?

ubuntu@kma001:~$ ./s3proxy --properties swift-s3proxy.conf 
Dec 18, 2023 11:24:40 AM com.google.inject.assistedinject.FactoryProvider2 isValidForOptimizedAssistedInject
WARNING: AssistedInject factory org.jclouds.openstack.swift.v1.blobstore.config.SwiftBlobStoreContextModule$Factory will be slow because class org.jclouds.openstack.swift.v1.blobstore.RegionScopedSwiftBlobStore has assisted Provider dependencies or injects the Injector. Stop injecting @Assisted Provider<T> (instead use @Assisted T) or Injector to speed things up. (It will be a ~6500% speed bump!)  The exact offending deps are: [Key[type=com.google.inject.Injector, annotation=[none]]@org.jclouds.openstack.swift.v1.blobstore.RegionScopedSwiftBlobStore.<init>()[0]]
[s3proxy] I 12-18 11:24:42.675 main o.g.s.CrossOriginResourceSharing:100 |::] CORS allowed origins: []
[s3proxy] I 12-18 11:24:42.681 main o.g.s.CrossOriginResourceSharing:101 |::] CORS allowed methods: []
[s3proxy] I 12-18 11:24:42.682 main o.g.s.CrossOriginResourceSharing:102 |::] CORS allowed headers: []
[s3proxy] I 12-18 11:24:42.682 main o.g.s.CrossOriginResourceSharing:103 |::] CORS allow credentials: 
[s3proxy] I 12-18 11:24:43.698 main o.g.s.o.e.jetty.server.Server:384 |::] jetty-11.0.16; built: 2023-08-25T19:43:30.438Z; git: bedff458c4dd1a716d59e17b8cb0d2042eeab291; jvm 11.0.21+9-post-Ubuntu-0ubuntu120.04
[s3proxy] I 12-18 11:24:43.876 main o.g.s.o.e.j.s.AbstractConnector:376 |::] Started ServerConnector@58a4a74d{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
[s3proxy] I 12-18 11:24:43.926 main o.g.s.o.e.jetty.server.Server:439 |::] Started Server@39fa8ad2{STARTING}[11.0.16,sto=0] @6374ms

This is the error I am getting while creating the bucket:

ubuntu@kma001:~$ sh bucketcreation.sh 
<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Forbidden</Message><RequestId>4442587FB7D0A2F9</RequestId></Error>

PFB properties file:

ubuntu@kma001:~$ cat swift-s3proxy.conf 
s3proxy.endpoint=http://127.0.0.1:8080
s3proxy.authorization=aws-v2-or-v4
s3proxy.identity=local-identity
s3proxy.credential=local-credential
jclouds.provider=openstack-swift
jclouds.endpoint=http://vctrlip:5000/v3/
jclouds.regions=RegionOne
jclouds.region=RegionOne
jclouds.identity=default:XXX
jclouds.keystone.version=3
jclouds.keystone.scope=project:service
jclouds.keystone.project_domain_name=default
jclouds.credential=XXXXXX

gaul commented 6 months ago

What does bucketcreation.sh do? I recommend simplifying this using a known good client like AWS CLI. You can also use the transient provider to simplify this since openstack could be throwing AccessDenied as well. Try a few things and report back.

oberai07 commented 6 months ago

> What does bucketcreation.sh do? I recommend simplifying this using a known good client like AWS CLI. You can also use the transient provider to simplify this since openstack could be throwing AccessDenied as well. Try a few things and report back.

PFB, content of bucketcreation script

cat bucketcreation.sh

curl --request PUT http://localhost:8080/s3proxytest

If I use AWS CLI, I need to provide access key and secret key to access the s3 storage and currently, I don't have the same. Is there any other way to generate the access and secret key with s3proxy? So that I can use them with the AWS CLI utility.
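
Added example, not part of the thread and not the s3proxy project's code: the curl command above sends no Authorization header while the configuration sets s3proxy.authorization=aws-v2-or-v4, and s3proxy.identity / s3proxy.credential are the access key and secret key that S3 clients present to the proxy. The Python below reads them from the properties file and builds AWS Signature Version 4 headers for the same PUT; the region name us-east-1 and the function names are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the s3proxy.* lines of the properties file shown in the issue.
SAMPLE_CONF = """\
s3proxy.endpoint=http://127.0.0.1:8080
s3proxy.authorization=aws-v2-or-v4
s3proxy.identity=local-identity
s3proxy.credential=local-credential
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def sign_put_bucket(props, bucket, now, region="us-east-1"):  # region is an assumption
    """Return SigV4 request headers for an empty-body, path-style PUT /<bucket>."""
    host = urlparse(props["s3proxy.endpoint"]).netloc
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    payload_hash = hashlib.sha256(b"").hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["PUT", f"/{bucket}", "",  # empty canonical query string
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, payload_hash])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + props["s3proxy.credential"]).encode()
    for part in scope.split("/"):  # derive key over date, region, service, terminator
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={props['s3proxy.identity']}/"
                                f"{scope}, SignedHeaders={signed}, Signature={sig}")
    return headers

if __name__ == "__main__":
    hdrs = sign_put_bucket(parse_properties(SAMPLE_CONF), "s3proxytest", datetime.now(timezone.utc))
    print("curl --request PUT http://127.0.0.1:8080/s3proxytest "
          + " ".join(f"-H '{k}: {v}'" for k, v in hdrs.items() if k != "host"))
```

Run as a script, it prints a curl command carrying the signed headers; the signature is bound to the timestamp, so the command has to be regenerated for each attempt.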

Wamy-Dev commented 4 months ago

I am having auth issues when using the local filesystem, so no underlying issues regarding auth.

When set to aws-v2-or-v4 and identity and credential are set, presigned URLs work as well as non-presigned URLs. Meaning no auth required to access even though identity and credentials are set.

When set to aws-v4 and identity and credential are set, any presigned URLs fail with 403 Forbidden while non-presigned/non-authorized can download files. This is exactly the opposite of the point of authorization.

When set to aws-v2 it is the same as aws-v2-or-v4. Anonymous access as well as Authorized access are allowed.

Any idea @gaul? I have been tinkering with it for a while and even built a new executable from the git about 20 minutes ago. Still no dice. This is on Ubuntu 20 by the way. My current solution using rclone deals with the exact same problem as they use GofakeS3.