getwilds / sixtyfour

https://getwilds.org/sixtyfour/

Users can see buckets they haven't been granted permissions for #61

Open seankross opened 5 months ago

seankross commented 5 months ago

What would have to be done so that this doesn't happen?

six_user_create("amy")
ℹ Added policy UserInfo to amy
✔ Key pair created for amy
ℹ UserName: amy
...
aws_bucket_add_user("dasl-project1", "amy", permissions = "read")
✔ amy now has read access to bucket dasl-project1
aws_bucket_permissions("dasl-project1")
# A tibble: 3 × 4
  user  permissions policy_read                  policy_admin
  <chr> <chr>       <chr>                        <chr>       
1 amy   read        S3ReadOnlyAccessDaslProject1 NA          
2 scott admin       NA                           NA          
3 sean  admin       NA                           NA          
> Sys.setenv(
+   AWS_ACCESS_KEY_ID = "AmysKey",
+   AWS_SECRET_ACCESS_KEY = "AmysSecret",
+   AWS_REGION = "us-west-2"
+ )
aws_user_current()
[1] "amy"
aws_buckets()
# A tibble: 2 × 8
  bucket_name   key   uri                       size type   owner etag  last_modified
  <chr>         <chr> <chr>              <fs::bytes> <chr>  <chr> <chr> <dttm>       
1 dasl-project1 ""    s3://dasl-project1           0 bucket ""    ""    NA           
2 dasl-project2 ""    s3://dasl-project2           0 bucket ""    ""    NA        
sckott commented 5 months ago

Thanks for reporting this.

I pushed changes to s3-iam branch. I assume that's the branch you were on. Pull down and try again.

seankross commented 5 months ago

@sckott I just ran through this again and now when I run aws_buckets() as amy I can't see any buckets. Ideally I would like to be able to see only the buckets I have any permissions for.

> library(sixtyfour)
> aws_user_current()
[1] "amy"
> aws_buckets()
Error: AccessDenied (HTTP 403). Access Denied

On branch s3-iam

sckott commented 5 months ago

thanks.

So I think this was fixed with the change in https://github.com/getwilds/sixtyfour/issues/66.

The fact that aws_buckets doesn't work I think is correct. That is, the list-all-buckets command would require the user knowing about any buckets they don't have access to, and there isn't a way to list only those buckets you have access to.

seankross commented 5 months ago

@sckott for now this is the expected behavior, right?: https://github.com/getwilds/sixtyfour/issues/61#issuecomment-2036198142

But in the future it would be cool if one could see only the buckets they have access to.

sckott commented 5 months ago

@seankross

> for now this is the expected behavior, right?

yes

> But in the future it would be cool if one could see only the buckets they have access to.

From my research so far I don't think it's possible. A user either has permissions to list buckets or not - there doesn't appear to be partial permissions just for the buckets they have access to. But maybe there's a hack around it
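The following is an added example written for this page; it is not code from the sixtyfour package or from either commenter. It models the two situations the thread shows (amy seeing every bucket, then amy getting a 403 from aws_buckets) and the workaround sckott speculates about. The policy documents are an assumed reconstruction: the thread names a policy called S3ReadOnlyAccessDaslProject1 but never shows its contents. The evaluator is a deliberately simplified subset of IAM (Allow/Deny, action and resource wildcards, explicit Deny wins; no Conditions, NotAction or resource policies). The one AWS fact it relies on is that s3:ListAllMyBuckets is an account-level action that only works with Resource "*", so any grant of it exposes every bucket name in the account; s3:ListBucket, by contrast, is scoped to a bucket ARN. The "hack" is therefore client-side: take a candidate list of bucket names from somewhere the admin controls and keep only those the user is allowed to list.

```python
"""Why S3 bucket listing is all-or-nothing, and a client-side filter around it.

Added example for the sixtyfour issue thread; not the package's own code.
"""
import fnmatch

# Constructed sample data modelled on the thread: two buckets in the account,
# one user (amy) who was granted read access to only the first of them.
BUCKETS = ["dasl-project1", "dasl-project2"]

# Assumed reconstruction of the read-only policy attached to amy by
# aws_bucket_add_user("dasl-project1", "amy", permissions = "read").
AMY_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::dasl-project1",    # bucket itself (ListBucket)
                "arn:aws:s3:::dasl-project1/*",  # objects in it (GetObject)
            ],
        }
    ],
}

# The pre-fix situation: the same grants plus s3:ListAllMyBuckets. That action
# cannot be scoped to a bucket ARN, so the only usable Resource is "*", and the
# user can therefore see the names of all buckets in the account.
AMY_WITH_LIST_ALL = {
    "Version": "2012-10-17",
    "Statement": AMY_READ_ONLY["Statement"]
    + [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny always wins, otherwise the
    request is allowed if any statement's Action and Resource patterns match.
    Patterns use IAM-style '*' wildcards, evaluated case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_match = any(
            fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])
        )
        resource_match = any(
            fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])
        )
        if action_match and resource_match:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_list_all(policy):
    """ListAllMyBuckets is evaluated against Resource '*' only; there is no
    per-bucket form of this permission."""
    return is_allowed(policy, "s3:ListAllMyBuckets", "*")


def list_all_buckets(policy, buckets):
    """Model of the S3 ListBuckets API as seen by aws_buckets(): either the
    caller gets every bucket name in the account or an AccessDenied error."""
    if not can_list_all(policy):
        raise PermissionError("AccessDenied (HTTP 403). Access Denied")
    return list(buckets)


def visible_buckets(policy, candidate_buckets):
    """Workaround: given a candidate list of bucket names (assumed to come from
    an admin-maintained source, since the user cannot enumerate them), keep only
    the buckets on which the user holds s3:ListBucket."""
    return [
        name
        for name in candidate_buckets
        if is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{name}")
    ]


if __name__ == "__main__":
    print("pre-fix, ListAllMyBuckets granted:", list_all_buckets(AMY_WITH_LIST_ALL, BUCKETS))
    try:
        list_all_buckets(AMY_READ_ONLY, BUCKETS)
    except PermissionError as err:
        print("read-only policy, aws_buckets():", err)
    print("client-side filter:", visible_buckets(AMY_READ_ONLY, BUCKETS))
```

In the R package the equivalent of `visible_buckets` would be a loop over a known candidate list that attempts a per-bucket call (for example a HeadBucket or a one-key ListObjectsV2 request) with the user's credentials and keeps the buckets that do not return 403; that is an assumed design for such a feature, not something sixtyfour currently does. The candidate list still has to come from the admin side, since without s3:ListAllMyBuckets the user has no way to discover bucket names at all.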