S3Drive
Community / support / Buckets with list only permissions
Avatar
I'm trying to mount an S3 bucket whose root only has ListBucket permission. What other permissions are required to mount what is essentially a directory index?
Avatar
S3Drive performs a read check, trying to read some non-existent key, which then shall respond with a NoSuchKey message. The app as such wouldn't be usable without read permission, so we haven't really implemented support for listing-only buckets. You may be better off using raw aws s3 or aws s3api commands. If you aim to mount your bucket you can do so outside of S3Drive, but in an S3Drive-compatible manner; please find our guide on how to configure the bucket: https://docs.s3drive.app/advanced/#setup-with-rclone I am not 100% sure whether Rclone requires anything other than listing permissions, but in principle it should work. Then you can issue https://rclone.org/commands/rclone_mount/ manually. If you want to see the exact commands that S3Drive would've used, you can mount some other bucket from S3Drive and copy out the commands from the application logs (available on the About page). What's your use case, by the way? This will certainly help me come up with something that works for you!
Avatar
The use case is replacing a VPN and a NAS for a small business. The NAS holds archive data (customer/job information).
1:35 PM
Thank you, I'll take a look at the advanced setup guide.
Avatar
... so in other words, you're looking for a way to look at file names / directory structure without having specific read/write access to those files?
Avatar
With the bucket root, yes
11:00 PM
S3 Browser works fine (too complicated for the users), and I found a different "S3 drive" with which I was able to access the sub-directories directly, but I would prefer to access the root with a read-only directory list, with permissions (already works) to access the sub-directories.
11:01 PM
From my understanding, I should be able to just add a missing permission to the root that allows S3Drive to do its read check. I just need to know which permission is necessary.
Avatar
We perform https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html on the .s3drive_bucket_read_test key. Once you get past that check your listings should work just fine. We will add an option to get past that check in one of the next releases.
Retrieves objects from Amazon S3. To use GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.
Avatar
I've tested the behavior in our most recent (yet unreleased) 1.6.1 version. Given the S3 permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "s3:List*" ],
      "Resource": "*"
    }
  ]
}
the bucket can be set up without problems despite the read check. Upload/download naturally wouldn't work, but that's expected. (Please note that these error responses come from the 1.6.1 version which is due to be released. In older versions, errors might be rendered differently.) The drive mount does also seem to mount properly and listing works. What's your permission set and S3 provider which gets you to "Access denied"? I would be happy to try that out. Thanks!
Avatar
Thank you for the detailed response. My provider is Wasabi, and here are the permissions.
Main bucket policy, shared by all users:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetLifecycleConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AllowStatement2A",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": ""
        }
      }
    }
  ]
}
Policy for one of the sub-directories:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname/Folder1/*"
    },
    {
      "Sid": "AllowStatement2A",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {
        "StringEquals": {
          "s3:delimiter": "/",
          "s3:prefix": [ "", "Folder1" ]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucketname",
      "Condition": {
        "StringLike": {
          "s3:prefix": "Folder1/*"
        }
      }
    }
  ]
}
Tom changed the channel name: Buckets with list only permissions 11/21/2023 9:46 PM
Avatar
Hi, I've had a chance to test Wasabi, and in fact there is an AccessDenied when trying to log in using your attached main bucket policy. We'll support this use case and it will work with Wasabi. After setting up a bucket, the user will receive the message "Read check has failed. S3Drive functionality may not work properly.", but will then be able to proceed and list files. This will be available in the next release, 1.6.3, available in a couple of days.
Avatar
Hi again, this is now partially deployed. It's released everywhere except iOS, macOS (only the App Store; the .dmg is released) and Windows (only the Microsoft Store; the .exe is released).
Timezone: UTC+0