Comments (8)
I've just deleted an earlier comment that wasn't that accurate.
In order to avoid confusion, I'll summarise it all here.
When I narrow down all the permissions that are required for the upload, I end up with the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LetMeSeeTheBucketSoICanUploadToIt",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ]
        }
    ]
}
With this configuration I can even create subfolders and overwrite files in the bucket.
The takeaways are:
- All 3 actions above are required
- The bucket needs to be specified as the plain root path, the version with the wildcard at the end "/*" is not necessary
Thanks so much for looking into this and pointing me in the right direction
top work! 👍
from aws-toolkit-azure-devops.
I've been doing some further testing today.
Even with a fresh AWS account, I can reproduce the issue with a minimal subset of tasks.
The upload does actually work fine if I use the root AWS account.
However, the upload fails with the "bucket name does not exist or you do not have access..." whenever I use an account other than the root one.
This limited account has the following policy attached.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1503241903611",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fake-bucket-name/*"
        }
    ]
}
I have also tried using a bucket policy and assigning the principal, but that's made no difference.
As with my main organisation's account, I can use "aws s3 cp" with the limited account key and secret.
from aws-toolkit-azure-devops.
Thanks for digging into this. I've repro'd with the policy shown and am investigating further.
The task performs a HEAD operation before running, which, according to the linked S3 documentation on permissions, should need more permissions than your policy shows. However, even after adding ListBucket and GetBucketLocation permissions I didn't see a change in behavior. The CLI's S3 cp command presumably doesn't do a HEAD request to test bucket existence, so it works fine.
It's possible I missed something in the permissions, so I am continuing to look. If that doesn't yield any results, maybe there is a bug in the underlying AWS SDK for Node.js, so I'll query with that team to see if they have any ideas too.
from aws-toolkit-azure-devops.
Alright, that makes sense.
By the way, it's absolutely understandable that things like these come up on such early days.
Thanks a lot for the effort on putting this project together, it's going to make our delivery workflows so much easier moving forward :)
from aws-toolkit-azure-devops.
Following the documentation here, this is the policy I crafted for a limited account that allowed upload (only) to my test bucket, 'steve-limited' -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LetMyLimitedAccountSeeTheBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "LetMyLimitedAccountUploadToTheBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::steve-limited",
                "arn:aws:s3:::steve-limited/*"
            ]
        }
    ]
}
Let me know if this works for you too. Using the information on the linked page, you might want to customize further.
Thanks for the comments too!
from aws-toolkit-azure-devops.
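The reason the first limited-account policy in this thread fails while the one above works is that ListBucket and GetBucketLocation are bucket-level actions (they match the bare bucket ARN), whereas PutObject is object-level (it matches `bucket/key`); a statement whose only Resource is `bucket/*` never covers the bare bucket ARN. The following is an added example, not code from the toolkit or from anyone in this thread: a simplified IAM matcher that checks a policy against the three calls the upload task makes. It handles Allow statements and `*`/`?` wildcards only (no Deny, conditions or NotAction), so it illustrates the thread's point rather than replacing the IAM policy simulator.

```python
"""Check whether an identity policy grants the calls the S3 Upload task needs."""
import fnmatch
import json

# The two policies quoted in this thread (the object-only one that failed,
# and the maintainer's bucket+object one that worked).
FAILING_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stmt1503241903611", "Action": "s3:*", "Effect": "Allow",
   "Resource": "arn:aws:s3:::fake-bucket-name/*"}]}''')
WORKING_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "See", "Effect": "Allow",
   "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": ["arn:aws:s3:::*"]},
  {"Sid": "Upload", "Effect": "Allow", "Action": ["s3:PutObject"],
   "Resource": ["arn:aws:s3:::steve-limited", "arn:aws:s3:::steve-limited/*"]}]}''')

def _as_list(value):
    # IAM lets Action and Resource be a single string or a list.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, case_insensitive):
    # '*' matches any run of characters (including '/'), '?' a single one.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            return True
    return False

def missing_for_upload(policy, bucket, key):
    """List the (action, resource) pairs the upload task needs that the policy lacks.
    Bucket-level actions are checked against the bare bucket ARN, PutObject
    against the object ARN; that split is what the thread's failing policy misses."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = [("s3:ListBucket", bucket_arn),
              ("s3:GetBucketLocation", bucket_arn),
              ("s3:PutObject", f"{bucket_arn}/{key}")]
    return [f"{a} on {r}" for a, r in needed if not is_allowed(policy, a, r)]

if __name__ == "__main__":
    print(missing_for_upload(FAILING_POLICY, "fake-bucket-name", "build/app.zip"))
    print(missing_for_upload(WORKING_POLICY, "steve-limited", "build/app.zip"))
```

The first call reports ListBucket and GetBucketLocation as missing (the `s3:*` statement only ever matches object ARNs), the second reports nothing missing.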
Great to hear you are up and running. Did you also manage to confirm the AWS CLI task worked when you had this policy in place?
from aws-toolkit-azure-devops.
I'm afraid I've not managed to get the CLI task to work; I'll add the comments in that issue.
from aws-toolkit-azure-devops.
Ok. I'll close this issue and we can move over to the CLI one.
from aws-toolkit-azure-devops.