Re: [Cyberduck-users] Cyberduck 7.9.2 can't access my bucket anymore
148 views
Skip to first unread message
David Kocher
May 19, 2021, 2:32:27 AM5/19/21
to Cyberduck
Can you please try if still see this issue with the current snapshot build by updating from within Cyberduck in Preferences → Update → Automatically check for updates in → Snapshot Builds.
— David
> On 19 May 2021, at 02:44, Jean-Philippe Groulx Laroche <jeanphilippe....@canopygrowth.com> wrote:
>
> Hey there.
>
> I updated to Cyberduck version 7.9.0 and as soon as I did, I started getting an access denied with "Failure to read attributes of <directory> of my S3 bucket. Using the same exact policy as before that was working on my previous Cyberduck installation.
>
> Again, with the same policy, if I reinstall version 7.6.2 or 7.8.5 everything is working fine, as always.
>
> I feel that my only solution is to downgrade but I'd like to find the issue. I tried modifying the IAM permissions used with that role to access the bucket to no avail. I tried many different configurations and the only "solution" is to give s3:* to the role, which I really don't want to.
>
> Is anyone getting the same problem? Any suggestions? Thanks!
>
> --
> --
> You received this message because you are subscribed to the Google Groups "Cyberduck" group. To post to this group, send email to cybe...@googlegroups.com
> To unsubscribe from this group, send email to cyberduck+...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/cyberduck
> --
> Post bug reports and feature requests
> http://trac.cyberduck.ch/newticket
> --
> Support development
> http://cyberduck.ch/donate/
>
> ---
> You received this message because you are subscribed to the Google Groups "Cyberduck" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cyberduck+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cyberduck/71801a9b-540f-4dcc-bbd5-59689284cc6an%40googlegroups.com.
— David
> On 19 May 2021, at 02:44, Jean-Philippe Groulx Laroche <jeanphilippe....@canopygrowth.com> wrote:
>
> Hey there.
>
> I updated to Cyberduck version 7.9.0 and as soon as I did, I started getting an access denied with "Failure to read attributes of <directory> of my S3 bucket. Using the same exact policy as before that was working on my previous Cyberduck installation.
>
> Again, with the same policy, if I reinstall version 7.6.2 or 7.8.5 everything is working fine, as always.
>
> I feel that my only solution is to downgrade but I'd like to find the issue. I tried modifying the IAM permissions used with that role to access the bucket to no avail. I tried many different configurations and the only "solution" is to give s3:* to the role, which I really don't want to.
>
> Is anyone getting the same problem? Any suggestions? Thanks!
>
> --
> --
> You received this message because you are subscribed to the Google Groups "Cyberduck" group. To post to this group, send email to cybe...@googlegroups.com
> To unsubscribe from this group, send email to cyberduck+...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/cyberduck
> --
> Post bug reports and feature requests
> http://trac.cyberduck.ch/newticket
> --
> Support development
> http://cyberduck.ch/donate/
>
> ---
> You received this message because you are subscribed to the Google Groups "Cyberduck" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cyberduck+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cyberduck/71801a9b-540f-4dcc-bbd5-59689284cc6an%40googlegroups.com.
Jean-Philippe Groulx Laroche
May 19, 2021, 7:05:00 AM5/19/21
to Cyberduck
Hi!
First of all, I'd like to point out that my title here was wrong, I'm really having problems with version 7.9.0 and NOT 7.9.2 (which doesn't exist yet).
Good call on trying the Snapshots version. I just did update but sadly this doesn't fix my current problem.
I currently have both 7.6.2 (which is working) installed and 7.9.1 (the last snapshots, which is not working, like 7.9.0).
P.S.: I also tried to see if there was a Beta build but it says that the last was 7.8.6, so no fix there too.
Jean-Philippe Groulx Laroche
May 19, 2021, 5:01:06 PM5/19/21
to Cyberduck
I think the problem comes from HeadBucket but I can't seem to find the proper solution.
Here's my current IAM policy. The bucket name and "folders" are renamed for privacy. My current usage is a user using SFTP through Cyberduck to read/write a specific "folder" inside an S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfWhatTheUserHasAccess",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"folder1/",
"folder1/subfolder1/",
"folder1/subfolder1/drop-zone*",
"folder1/subfolder2/",
"folder1/subfolder2/drop-zone*"
]
}
}
},
{
"Sid": "AllowSFTPClientToFetchObjectsWithoutItNothingWorks",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/folder1/*"
},
{
"Sid": "LimitS3ActionsToWhatTheUserHasAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:GetObject*"
],
"Resource": [
"arn:aws:s3:::bucket-name/folder1/subfolder1/drop-zone*",
"arn:aws:s3:::bucket-name/folder1/subfolder2/drop-zone*"
]
}
]
}
Jean-Philippe Groulx Laroche
May 25, 2021, 6:21:02 PM5/25/21
to Cyberduck
If it's ever useful for someone in the same situation as me or for the dev if this becomes bigger (and not isolated to only one user). All pointed to the IAM policy since giving s3:* fixed the issue. I was able to point out the exact problem (and fix!) for my policy. Here's my new policy that now works. It seems that home_folder VS home_folder/ is now considered "different". So to fix my situation, I had to specify both inside my condition to let the user reach their home folder, which was folder1.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfWhatTheUserHasAccess",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {
"s3:prefix": [
"folder1",
"folder1/",
"folder1/subfolder1/",
"folder1/subfolder1/drop-zone*",
"folder1/subfolder2/",
"folder1/subfolder2/drop-zone*"
]
}
}
},
{
"Sid": "AllowSFTPClientToFetchObjectsWithoutItNothingWorks",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/folder1/*"
},
{
"Sid": "LimitS3ActionsToWhatTheUserHasAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:GetObject*"
],
"Resource": [
"arn:aws:s3:::bucket-name/folder1/subfolder1/drop-zone*",
"arn:aws:s3:::bucket-name/folder1/subfolder2/drop-zone*"
]
}
]
}
David Kocher
May 26, 2021, 8:22:29 AM5/26/21
to Cyberduck
Can you please try snapshot build 7.9.1.34964 or later.
— David
> To view this discussion on the web visit https://groups.google.com/d/msgid/cyberduck/18e36f0f-e7e1-495d-8f88-35431c2ec621n%40googlegroups.com.
— David
Jean-Philippe Groulx Laroche
May 26, 2021, 10:33:04 AM5/26/21
to Cyberduck
Snapshot 7.9.1.34964 did fix the problem with my original IAM policy.
Thanks!
Jean-Philippe Groulx Laroche
May 26, 2021, 5:18:37 PM5/26/21
to Cyberduck
Hey David,
Sorry to bother you with that question but do you guys have a timeline of when you are expecting to release version. 7.9.1?
We currently blocked or Cyberduck users from upgrading to 7.9.0(they are blocked at 7.8.5 currently) and we'd like to prevent a potential user manually updating his Cyberduck version.
Thank you!
Reply all
Reply to author
Forward
0 new messages