S3 Storage Access Error with s3:prefix Condition
thomascube opened this issue · 0 comments
Description
When using the registry with the S3 storage driver, write operations fail with an s3aws: AccessDenied
error when bucket permissions are configured with an s3:prefix condition. This worked with the 2.8.3 version of the registry but now fails with 3.0.0-alpha1.
When removing the s3:prefix condition from the IAM policy, uploads work again as expected.
Reproduce
- Apply an IAM policy as shown below
- Configure the S3 storage driver with a rootdirectory option defining the subpath that access is restricted to
- Push a layer to the registry (we use it as cache for buildah)
Expected behavior
No response
registry version
3.0.0-alpha1
Additional Info
IAM permission policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucketMultipartUploads",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example-pipeline-shared-dev",
      "Sid": "AllowListBucketTest",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "subpath-dev",
            "subpath-dev/*"
          ]
        }
      }
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example-pipeline-shared-dev/subpath-dev/*",
      "Sid": "AllowGetPutObjectTest"
    }
  ]
}
```
Registry logs:
-----------------------------------------------------
2024/04/09 14:01:42 DEBUG: Request s3/ListMultipartUploads Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET /?prefix=subpath-dev%2Fdocker%2Fregistry%2Fv2%2Frepositories%2Fcache%2F_uploads%2F4ded1c4a-1692-4ec9-8eb7-84718b9851b0%2Fdata&uploads= HTTP/1.1
Host: example-pipeline-shared-dev.s3.eu-central-2.amazonaws.com
User-Agent: aws-sdk-go/1.48.10 (go1.21.5; linux; amd64)
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXYKJTN7DB32KHROJ/20240409/eu-central-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=6cb5146c84eaee46d75630dd2a6a5b4b770d38e02dd7c1dcfa4e0efe5a934453
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20240409T140142Z
Accept-Encoding: gzip
-----------------------------------------------------
2024/04/09 14:01:42 DEBUG: Response s3/ListMultipartUploads Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Tue, 09 Apr 2024 14:01:41 GMT
Server: AmazonS3
X-Amz-Id-2: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=
X-Amz-Request-Id: RF5XS675VHHJGZRS
-----------------------------------------------------
time="2024-04-09T14:01:42.323590746Z" level=error msg="error resolving upload: s3aws: AccessDenied: Access Denied\n\tstatus code: 403, request id: RF5XS675VHHJGZRS, host id: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=" go.version=go1.21.5 http.request.contenttype=application/octet-stream http.request.host=docker-registry.subpath-dev.svc.cluster.local http.request.id=16315362-cdf0-4cac-9b5f-9e58e3ec90fa http.request.method=PATCH http.request.remoteaddr="100.64.12.15:49376" http.request.uri="/v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9" http.request.useragent=Buildah/1.29.1 instance.id=828e8de2-5eef-4fc0-9406-34f3bd0cbacb service=registry vars.name=cache vars.uuid=4ded1c4a-1692-4ec9-8eb7-84718b9851b0 version=3.0.0-alpha.1
time="2024-04-09T14:01:42.3236895Z" level=error msg="response completed with error" err.code=unknown err.detail="s3aws: AccessDenied: Access Denied\n\tstatus code: 403, request id: RF5XS675VHHJGZRS, host id: 9gjYG/fZFmoaDBytDlWda5vYjxbjP178VErvtdVb75HojyL6CIcAOSOzcD85w0YXHdsQI3Nyqms=" err.message="unknown error" go.version=go1.21.5 http.request.contenttype=application/octet-stream http.request.host=docker-registry.subpath-dev.svc.cluster.local http.request.id=16315362-cdf0-4cac-9b5f-9e58e3ec90fa http.request.method=PATCH http.request.remoteaddr="100.64.12.15:49376" http.request.uri="/v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9" http.request.useragent=Buildah/1.29.1 http.response.contenttype=application/json http.response.duration=32.567306ms http.response.status=500 http.res...
100.64.12.15 - - [09/Apr/2024:14:01:42 +0000] "PATCH /v2/cache/blobs/uploads/4ded1c4a-1692-4ec9-8eb7-84718b9851b0?_state=nSqWOUnUvD1_6erjHhfx_HYKslG0RkbRF628OcKjFP57Ik5hbWUiOiJjYWNoZSIsIlVVSUQiOiI0ZGVkMWM0YS0xNjkyLTRlYzktOGViNy04NDcxOGI5ODUxYjAiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjQtMDQtMDlUMTQ6MDE6NDIuMjAzNTk2MDk2WiJ9 HTTP/1.1" 500 241 "" "Buildah/1.29.1"
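The following is an added example, not code from the issue, the registry project, or AWS. It is a deliberately small model of how IAM evaluates the s3:prefix StringLike condition in the policy above against the ListMultipartUploads request copied from the SDK debug log. It models only Allow statements and the StringLike operator (explicit Deny and other operators are out of scope), and it evaluates the logged call twice: once with s3:prefix present in the request context, and once with the key absent, which is the case to check against the AWS condition-key reference when an API other than ListBucket is denied under a prefix-conditioned statement. The action name s3:ListBucketMultipartUploads is taken from the policy itself; which context keys S3 actually populates for that API is not something this script can observe, so that part is an assumption the reader verifies against the documentation.

```python
# Added example (not from the issue): minimal model of IAM StringLike/s3:prefix
# evaluation for the policy and request in this issue. Allow + StringLike only.
import json
import re
from urllib.parse import parse_qs, urlsplit

# The IAM policy from the issue, verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example-pipeline-shared-dev",
      "Sid": "AllowListBucketTest",
      "Condition": {"StringLike": {"s3:prefix": ["subpath-dev", "subpath-dev/*"]}}
    },
    {
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                 "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::example-pipeline-shared-dev/subpath-dev/*",
      "Sid": "AllowGetPutObjectTest"
    }
  ]
}
""")

BUCKET_ARN = "arn:aws:s3:::example-pipeline-shared-dev"

# Request line copied from the "REQUEST POST-SIGN" block in the issue's log.
REQUEST_LINE = ("GET /?prefix=subpath-dev%2Fdocker%2Fregistry%2Fv2%2Frepositories%2Fcache"
                "%2F_uploads%2F4ded1c4a-1692-4ec9-8eb7-84718b9851b0%2Fdata&uploads= HTTP/1.1")


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context.

    A condition key that the service did not put into the request context makes
    the test false: IAM treats a missing key as a match only for the ...IfExists
    operators, and this policy uses plain StringLike.
    """
    for operator, tests in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, patterns in tests.items():
            if key not in context:
                return False
            if not any(string_like(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' if some Allow statement matches, else 'Deny' (implicit deny)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny is not modelled
        if not any(string_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(string_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        return "Allow"
    return "Deny"


def prefix_from_request_line(request_line: str) -> str:
    """Extract the URL-decoded ?prefix= value from an SDK debug-log request line."""
    path = request_line.split(" ")[1]
    return parse_qs(urlsplit(path).query).get("prefix", [""])[0]


def diagnose(request_line: str = REQUEST_LINE) -> dict:
    """Evaluate the logged ListMultipartUploads call with the s3:prefix context
    key present, and again with it absent (assumption: that is what the request
    context looks like if the service does not populate the key for this API)."""
    prefix = prefix_from_request_line(request_line)
    action = "s3:ListBucketMultipartUploads"  # IAM action name taken from the policy
    return {
        "prefix": prefix,
        "with_prefix_key": evaluate(POLICY, action, BUCKET_ARN, {"s3:prefix": prefix}),
        "without_prefix_key": evaluate(POLICY, action, BUCKET_ARN, {}),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=2))
```

Run as-is, the script shows that the logged prefix does satisfy the "subpath-dev/*" pattern, so a pattern mismatch is not what produces the 403; the Allow only disappears when the s3:prefix key is missing from the request context. That makes the practical check for this issue a documentation one: confirm for each S3 API the registry calls whether s3:prefix is a supported condition key, and for APIs where it is not, scope the statement by Resource or split it into a separate statement without the condition rather than loosening the prefix restriction on ListBucket.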