node-red / node-red-web-nodes

A collection of node-red nodes aimed at web services
Apache License 2.0

S3 on node-red-node-aws will not upload if account cannot access root directory of bucket #294

Open joshuacurtiss opened 2 years ago

joshuacurtiss commented 2 years ago

Which node are you reporting an issue on?

node-red-node-aws

What are the steps to reproduce?

Configure AWS connection to a bucket where credentials do not have list/read/write access to the root directory of the bucket.

my-bucket - Credentials cannot list/read/write
my-bucket/accounts/my-account/ - Have list/read/write access

What happens?

Upon deploying changes, debugger receives error "AWS S3 error: AccessDenied: Access Denied", and then any messages passed to the node will not write objects to any path in the bucket.

What do you expect to happen?

Expected that the node will still attempt to write objects to a path in the bucket and only return "Access Denied" error if indeed the credentials don't have access to the specific path. Currently, however, the node will not function at all if the root path is inaccessible.

Please tell us about your environment:

HenryckeBSchenberk commented 1 year ago

Any news? I have the same problem but can't figure out how to configure the permissions without "fullAccessS3" to make the upload work.

jeanmichel-nwsb commented 3 months ago

You should be able to give ListBucket permission limited to the root folder as well as to the folders you want to provide access to. Assuming bucket my-bucket with 2 "folder-keys" private/ and shared/, you can have a policy statement such as:

        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "",
                        "shared/*"
                    ]
                }
            }
        }

While you can argue that it shouldn't be necessary to provide the ListBucket permission, and you are right, users can perfectly PutObject and GetObject without it, it is not uncommon that software requires the above. One of the reasons is that without the ListBucket permission, AWS will always return a 403 Forbidden if you try to access a non-existing key instead of a 404 Not Found. This is for security reasons: if you can't list the bucket content, you shouldn't be allowed to "probe" for file existence. With ListBucket permission you will clearly be returned a 404 for a non-existing key and a 403 for permission errors.
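As an added example (not code from node-red-node-aws or from the commenter above), the snippet below builds the complete least-privilege policy this thread points at, ListBucket restricted by `s3:prefix` plus object read/write limited to the shared/ tree, and then simulates how the `StringLike` condition decides which list prefixes are allowed. The bucket name, the shared/ prefix and the `stringLike`/`allowsList` helpers are constructed for illustration; the matcher is a simplified model of IAM's wildcard rules, not the IAM engine itself.

```javascript
// Constructed sample values taken from the thread's example.
const BUCKET = "my-bucket";
const SHARED_PREFIX = "shared/";

// Least-privilege policy: list the bucket root ("") and the shared/ tree,
// read/write objects only under shared/. Nothing under private/ is reachable.
function buildPolicy(bucket, prefix) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: ["s3:ListBucket"],
        Resource: [`arn:aws:s3:::${bucket}`],
        Condition: { StringLike: { "s3:prefix": ["", `${prefix}*`] } },
      },
      {
        Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject"],
        Resource: [`arn:aws:s3:::${bucket}/${prefix}*`],
      },
    ],
  };
}

// Simplified IAM StringLike: '*' matches any run of characters, '?' one
// character, and the whole value must match (the pattern is anchored).
function stringLike(pattern, value) {
  const re = pattern
    .split("")
    .map((c) => (c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.+^${}()|[\]\\]/g, "\\$&")))
    .join("");
  return new RegExp(`^${re}$`).test(value);
}

// Would this policy allow ListBucket on `bucket` for the given s3:prefix?
// The node's deploy-time check lists the bucket root, which is why the
// condition must include the empty prefix "" and not only "shared/*".
function allowsList(policy, bucket, prefix = "") {
  return policy.Statement.some(
    (s) =>
      s.Effect === "Allow" &&
      s.Action.includes("s3:ListBucket") &&
      s.Resource.includes(`arn:aws:s3:::${bucket}`) &&
      (s.Condition?.StringLike?.["s3:prefix"] ?? ["*"]).some((p) => stringLike(p, prefix))
  );
}
```

Note that `shared` without the trailing slash does not match `shared/*`, so a prefix that spells the folder name but omits the delimiter is still denied.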