distribution/distribution

S3 Storage Access Error with s3:prefix Condition

thomascube opened this issue · 0 comments

Description

When using the registry with the S3 storage driver, write operations fail with an s3aws: AccessDenied error when bucket permissions are configured with an s3:prefix condition. This has worked with the 2.8.3 version of the registry but now fails with 3.0.0-alpha1.

When removing the s3:prefix condition from the IAM policy, uploads work again as expected.

Reproduce

  1. Apply an IAM policy as shown below
  2. Configure the S3 storage driver with a rootdirectory option defining the subpath access is restricted to
  3. Push a layer to the registry (we use it as cache for buildah)

Expected behavior

No response

registry version

3.0.0-alpha1

Additional Info

IAM permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example-pipeline-shared-dev",
            "Sid": "AllowListBucketTest",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "subpath-dev",
                        "subpath-dev/*"
                    ]
                }
            }
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::example-pipeline-shared-dev/subpath-dev/*",
            "Sid": "AllowGetPutObjectTest"
        }
    ]
}

Registry logs:

-----------------------------------------------------
2024/04/09 14:01:42 DEBUG: Request s3/ListMultipartUploads Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET /?prefix=subpath-dev%2Fdocker%2Fregistry%2Fv2%2Frepositories%2Fcache%2F_uploads%2F4ded1c4a-1692-4ec9-8eb7-84718b9851b0%2Fdata&uploads= HTTP/1.1
Host: example-pipeline-shared-dev.s3.eu-central-2.amazonaws.com
User-Agent: aws-sdk-go/1.48.10 (go1.21.5; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXYKJTN7DB32KHROJ/20240409/eu-central-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=6cb5146c84eaee46d75630dd2a6a5b4b770d38e02dd7c1dcfa4e0efe5a934453
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20240409T140142Z
Accept-Encoding: gzip
-----------------------------------------------------
2024/04/09 14:01:42 DEBUG: Response s3/ListMultipartUploads Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Tue, 09 Apr 2024 14:01:41 GMT
Server: AmazonS3
X-Amz-Id-2: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=
X-Amz-Request-Id: RF5XS675VHHJGZRS
-----------------------------------------------------
time="2024-04-09T14:01:42.323590746Z" level=error msg="error resolving upload: s3aws: AccessDenied: Access Denied\n\tstatus code: 403, request id: RF5XS675VHHJGZRS, host id: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=" go.version=go1.21.5 http.request.contenttype=application/octet-stream http.request.host=docker-registry.subpath-dev.svc.cluster.local http.request.id=16315362-cdf0-4cac-9b5f-9e58e3ec90fa http.request.method=PATCH http.request.remoteaddr="100.64.12.15:49376" http.request.uri="/v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9" http.request.useragent=Buildah/1.29.1 instance.id=828e8de2-5eef-4fc0-9406-34f3bd0cbacb service=registry vars.name=cache vars.uuid=4ded1c4a-1692-4ec9-8eb7-84718b9851b0 version=3.0.0-alpha.1
time="2024-04-09T14:01:42.3236895Z" level=error msg="response completed with error" err.code=unknown err.detail="s3aws: AccessDenied: Access Denied\n\tstatus code: 403, request id: RF5XS675VHHJGZRS, host id: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=" err.message="unknown error" go.version=go1.21.5 http.request.contenttype=application/octet-stream http.request.host=docker-registry.subpath-dev.svc.cluster.local http.request.id=16315362-cdf0-4cac-9b5f-9e58e3ec90fa http.request.method=PATCH http.request.remoteaddr="100.64.12.15:49376" http.request.uri="/v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9" http.request.useragent=Buildah/1.29.1 http.response.contenttype=application/json http.response.duration=32.567306ms http.response.status=500 http.res...
100.64.12.15 - - [09/Apr/2024:14:01:42 +0000] "PATCH /v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9 HTTP/1.1" 500 241 "" "Buildah/1.29.1"
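As an added triage aid (not part of the report or of the distribution project), the script below re-evaluates the logged ListMultipartUploads request against the posted policy using IAM StringLike glob semantics. It models only Allow statements and the StringLike operator, and it does not know which condition keys AWS actually evaluates for each S3 API, so an Allow from this model only rules out the prefix pattern itself as the cause of the 403.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the two Allow statements from the reported policy.
POLICY = {"Statement": [
    {"Sid": "AllowListBucketTest",
     "Action": ["s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::example-pipeline-shared-dev",
     "Condition": {"StringLike": {"s3:prefix": ["subpath-dev", "subpath-dev/*"]}}},
    {"Sid": "AllowGetPutObjectTest",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::example-pipeline-shared-dev/subpath-dev/*"},
]}
BUCKET_ARN = "arn:aws:s3:::example-pipeline-shared-dev"
# Request line copied from the registry debug log in the report.
REQUEST_LINE = ("GET /?prefix=subpath-dev%2Fdocker%2Fregistry%2Fv2%2Frepositories%2Fcache"
                "%2F_uploads%2F4ded1c4a-1692-4ec9-8eb7-84718b9851b0%2Fdata&uploads= HTTP/1.1")

def iam_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' one character; case-sensitive."""
    regex = "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.fullmatch(regex, value) is not None

def parse_s3_request(line):
    """Map a logged bucket-level GET to the IAM action it needs and its s3:prefix value."""
    method, target, _ = line.split(" ", 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if method != "GET": raise ValueError("only bucket-level GET requests are modelled here")
    action = "s3:ListBucketMultipartUploads" if "uploads" in query else "s3:ListBucket"
    return action, {"s3:prefix": query.get("prefix", [""])[0]}

def evaluate(policy, action, resource, context):
    """Simplified evaluation: Allow statements and StringLike only (no Deny, no other operators)."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for stmt in policy["Statement"]:
        if not any(iam_like(action, a) for a in as_list(stmt["Action"])): continue
        if not any(iam_like(resource, r) for r in as_list(stmt["Resource"])): continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        # A condition key absent from the request context makes the condition false.
        if all(context.get(key) is not None
               and any(iam_like(context[key], p) for p in as_list(patterns))
               for key, patterns in conditions.items()):
            return "Allow", stmt["Sid"]
    return "ImplicitDeny", None

def check_request(line=REQUEST_LINE):
    action, context = parse_s3_request(line)
    decision, sid = evaluate(POLICY, action, BUCKET_ARN, context)
    return {"action": action, "prefix": context["s3:prefix"], "decision": decision, "sid": sid}
```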