mweagle / Sparta

go microservices, powered by AWS Lambda
https://gosparta.io
MIT License

Access Denied in first example #172

Closed marcoslopesbritto closed 4 years ago

marcoslopesbritto commented 4 years ago

Dear Sparta,

I downloaded the framework today and followed the first example using my personal credentials. Everything is fine, but I can't access my bucket. This is impossible, because I created this bucket and I have an S3FullAccess policy. Do you know what happens? I paste my debug logs below:

```
/Users/marcosbritto/go/code/src/bitbucket.org/marcoslbritto/SpartTest/SpartTest provision --s3Bucket gostei --level debug #gosetup
INFO[0000] ════════════════════════════════════════════════
INFO[0000] ╔═╗╔═╗╔═╗╦═╗╔╦╗╔═╗ Version : 1.15.0
INFO[0000] ╚═╗╠═╝╠═╣╠╦╝ ║ ╠═╣ SHA : 0bb47c1
INFO[0000] ╚═╝╩ ╩ ╩╩╚═ ╩ ╩ ╩ Go : go1.14.3
INFO[0000] ════════════════════════════════════════════════
INFO[0000] Service: MyHelloWorldStack-marcos-lopes@intuitivecare-com LinkFlags= Option=provision UTC="2020-05-19T22:41:11Z"
INFO[0000] ════════════════════════════════════════════════
DEBU[0000] Provision validation results optionsProvision="{gostei false}" validateErr=""
DEBU[0000] Lambda collision map CollisionMap="map[Hello World:1]"
DEBU[0000] AWS SDK Info Name=aws-sdk-go Version=1.31.1
INFO[0000] Provisioning service BuildID=440564428617810f6a342cf7f724d7cc458ccd39 CodePipelineTrigger= InPlaceUpdates=false NOOP=false Tags=
INFO[0000] Verifying IAM Lambda execution roles
INFO[0000] IAM roles verified Count=1
INFO[0000] DEBUG: Request s3/GetBucketVersioning Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET /?versioning= HTTP/1.1
Host: gostei.s3.amazonaws.com
User-Agent: aws-sdk-go/1.31.1 (go1.14.3; darwin; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=/20200519/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20200519T224111Z
Accept-Encoding: gzip

DEBU[0000] AWS Request Method=GET Operation=GetBucketVersioning Path="/{Bucket}?versioning" Payload="{\n Bucket: \"gostei\"\n}" Service=s3
INFO[0001] DEBUG: Response s3/GetBucketVersioning Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Tue, 19 May 2020 22:41:11 GMT
Server: AmazonS3
X-Amz-Id-2: 1C3flssPGbHDUNpT+hucGGlaomKQMOf0UtP7kpyG1rCLCy/Ls+/J7W4fDyoHUNORk/6fRrWRAEY=
X-Amz-Request-Id: 5F221DB780AF23E8

INFO[0001] DEBUG: Validate Response s3/GetBucketVersioning failed, attempt 0/3, error AccessDenied: Access Denied status code: 403, request id: 5F221DB780AF23E8, host id: 1C3flssPGbHDUNpT+hucGGlaomKQMOf0UtP7kpyG1rCLCy/Ls+/J7W4fDyoHUNORk/6fRrWRAEY=
INFO[0001] Invoking rollback functions
ERRO[0001] Failed to provision service: AccessDenied: Access Denied status code: 403, request id: 5F221DB780AF23E8, host id: 1C3flssPGbHDUNpT+hucGGlaomKQMOf0UtP7kpyG1rCLCy/Ls+/J7W4fDyoHUNORk/6fRrWRAEY=
```

marcoslopesbritto commented 4 years ago

I tried to access the bucket using curl and I have access:

```
curl gostei.s3.amazonaws.com
<?xml version="1.0" encoding="UTF-8"?>
gostei1000false
```

I think something is wrong. Can you help me?

mweagle commented 4 years ago

Yep - this is a bug I’ll fix. In the short term I think you can work around it by adding the ‘GetBucketVersioning’ IAM privilege to your Role.

marcoslopesbritto commented 4 years ago

Dear mweagle, I thought about your tip to work around the bug, but I have the S3FullAccess permission. So I think the problem (bug) can't be worked around.

mweagle commented 4 years ago

Hmm...ok, let me repro and work up a fix. Thanks for checking.

mweagle commented 4 years ago

@marcoslopesbritto - it looks like it's using the default region of us-east-1. Is that the region that your bucket is created in? You can use the env.AWS_REGION property (ref: http://gosparta.io/reference/faq/) to change the default region. LMK if that helps.

marcoslopesbritto commented 4 years ago

Hi @mweagle, yes, I created my bucket in us-east-1 and I used env.AWS_REGION in my environment variables in GoLand (JetBrains).

mweagle commented 4 years ago

I'm unfortunately not able to reproduce this. I created a new bucket in us-east-1 and ran the following command:

```
go run main.go provision --s3Bucket MY-us-east-2020-BUCKET --level debug
```

and was able to successfully provision. I also checked my AWS SDK version and am running aws-sdk-go/1.31.3.

Can you try installing the AWS CLI tools and running:

```
aws s3api get-bucket-versioning --bucket gostei --debug
```

If that works you should see a final response as in:

```
MainThread - awscli.formatter - DEBUG - RequestId: FA9E9E59078AEC49
{
    "Status": "Enabled"
}
```

marcoslopesbritto commented 4 years ago

@mweagle, I have changed the user (from my user to another one) and everything runs OK. The difference between them is that my user has the MFA function enabled and the other does not. So, I think this is the problem. Thank you so much.
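The thread ends with an MFA-enabled IAM user being denied while a non-MFA user succeeds on the same call. One policy setup that produces exactly that symptom (an assumption; the thread never shows the user's policies) is the "deny everything unless MFA is present" statement from the AWS IAM documentation sitting next to an S3FullAccess-style grant: long-term access keys carry no `aws:MultiFactorAuthPresent` context key, so the Deny fires and S3 answers `AccessDenied`, while STS session credentials obtained through MFA carry the key as `true` and the Allow wins. The Go program below is an added example, not Sparta code: it is a toy IAM policy evaluator (Effect, Action, Resource and the `Bool` / `BoolIfExists` operators only), and the policy document and the bucket name `gostei` are constructed from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the IAM policy subset this toy evaluator understands.
type Statement struct {
	Effect    string
	Action    []string
	Resource  []string
	Condition map[string]map[string]string // operator -> condition key -> value
}

// match implements IAM's "*" wildcard, which (unlike path.Match) spans "/".
func match(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if match(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && pattern[0] == s[0] && match(pattern[1:], s[1:])
}

// anyMatch folds case for action names (case-insensitive in IAM) but not for ARNs.
func anyMatch(patterns []string, s string, fold bool) bool {
	for _, p := range patterns {
		if fold {
			p, s = strings.ToLower(p), strings.ToLower(s)
		}
		if match(p, s) {
			return true
		}
	}
	return false
}

// conditionsHold evaluates Bool and BoolIfExists. An absent key makes Bool false but
// BoolIfExists true (hence AWS's "deny unless MFA" sample); unknown operators fail closed.
func conditionsHold(cond map[string]map[string]string, keys map[string]string) bool {
	for op, kv := range cond {
		for key, want := range kv {
			got, present := keys[key]
			if (op == "Bool" && !(present && strings.EqualFold(got, want))) ||
				(op == "BoolIfExists" && present && !strings.EqualFold(got, want)) ||
				(op != "Bool" && op != "BoolIfExists") {
				return false
			}
		}
	}
	return true
}

// Evaluate applies IAM's order: explicit Deny wins, then any Allow, else implicit deny.
func Evaluate(stmts []Statement, action, resource string, keys map[string]string) string {
	allowed := false
	for _, st := range stmts {
		if !anyMatch(st.Action, action, true) || !anyMatch(st.Resource, resource, false) || !conditionsHold(st.Condition, keys) {
			continue
		}
		if st.Effect == "Deny" {
			return "explicit deny"
		}
		allowed = true
	}
	if allowed {
		return "allow"
	}
	return "implicit deny"
}

// Constructed policy (assumed, the thread shows none): S3FullAccess-style grant + AWS's MFA-enforcement Deny.
const userPolicy = `{"Statement":[
 {"Effect":"Allow","Action":["s3:*"],"Resource":["*"]},
 {"Effect":"Deny","Action":["*"],"Resource":["*"],"Condition":{"BoolIfExists":{"aws:MultiFactorAuthPresent":"false"}}}]}`

// DecideGetBucketVersioning evaluates the call that fails in this issue with long-term keys or an MFA session.
func DecideGetBucketVersioning(bucket string, mfaSession bool) string {
	var policy struct{ Statement []Statement }
	if err := json.Unmarshal([]byte(userPolicy), &policy); err != nil {
		panic(err)
	}
	keys := map[string]string{} // long-term access keys carry no MFA context key
	if mfaSession {
		keys["aws:MultiFactorAuthPresent"] = "true" // what STS sets after GetSessionToken with an MFA code
	}
	return Evaluate(policy.Statement, "s3:GetBucketVersioning", "arn:aws:s3:::"+bucket, keys)
}
func main() {
	fmt.Println("long-term access keys:  ", DecideGetBucketVersioning("gostei", false))
	fmt.Println("MFA session credentials:", DecideGetBucketVersioning("gostei", true))
}
```

`go run main.go` prints `explicit deny` for the long-term keys and `allow` for the MFA session. In practice the check is to confirm which identity the SDK is using with `aws sts get-caller-identity`, then either attach the same policies to the non-MFA user that worked, or, for the MFA-enabled user, obtain temporary credentials with `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>` (placeholders) and export them before running `provision`; the `s3api get-bucket-versioning --debug` call suggested earlier in the thread will then show whether the 403 disappears.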