Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    S3 Store with deny public policy set fails

    Scheduled Pinned Locked Moved Support
    6 Posts 3 Posters 15 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W Offline
      wsah_6160
      last edited by

      Hi Support,

      We are using the s3 package store for one of our nuget feeds with the AWS S3 "Block all public access" enabled on the bucket. When we upload an nuget package to the feed we get an error when the block public access is enabled. And we have confirmed the Proget s3 package store configuration Make public is not enabled. After investigation we found that Proget s3 Extension is trying to add the object with the following ACL enabled:

      {
      "Grantee": {
      "Type": "Group",
      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "READ"
      }
      

      This will get blocked by the AWS S3 public rule Block public access to buckets and objects granted through new access control lists (ACLs)
      This above policy would allow any authenticated AWS account access to the bucket and is not what we want to set for the object. Any possibility we can get someone to look at that extension to change the behavior?
      Thanks,
      Adam

      1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer
        last edited by

        Hi Adam,

        I'm not so familiar with the intricacies of ACL; they are quite complicated to me... so hopefully you can help me to understand, and I'll be able to then explain a change request 😅

        We try to keep our code for this really simple. We have a property called CannedACL that works like this:

        private S3CannedACL CannedACL => this.MakePublic 
            ? S3CannedACL.PublicRead 
            : S3CannedACL.AuthenticatedRead;
        

        This property references an S3CannedACL, which is defined by AWS, and MakePublic is what you check in the UI. MakePublic sets PublicRead, if not AuthenticatedRead.

        That CannedACL is then used when creating objects:

        await client.PutObjectAsync(new PutObjectRequest
        {
            BucketName = this.outer.BucketName,
            Key = this.key,
            StorageClass = this.outer.StorageClass,
            CannedACL = this.outer.CannedACL,
            ServerSideEncryptionMethod = this.outer.EncryptionMethod,
            AutoCloseStream = false,
            InputStream = this.inner
        }).ConfigureAwait(false);
        

        So I think you're asking is, to use a different CannedACL? Perhaps for MakePublic we could not using a checkbox, but a drop down list? What do you think the values ought to be?

        1 Reply Last reply Reply Quote 0
        • W Offline
          wsah_6160
          last edited by

          Hi atripp,
          Thanks for the fast response!
          I believe the canned acl should not be set when the public check box is not selected.
          You can specify S3CannedACL.Private but ideally I think you would not alter the default object ACL. Details on those ACL fields can be found here: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/S3/TS3CannedACL.html

          AWS mentions here https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html that objects will default to owner full control (private acl)

          "
          *When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource.*
          " 
          

          And also here is their warning about using AuthenticatedUsers:

          "
          *Authenticated Users group – Represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers.
          
          This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).
          
          Warning
          When you grant access to the Authenticated Users group any AWS authenticated user in the world can access your resource.*
          "
          

          -https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

          Thanks,
          -Adam

          1 Reply Last reply Reply Quote 0
          • atrippA Offline
            atripp inedo-engineer
            last edited by

            Ah, thank you very much for the additional information. So, then it seems like setting it to AuthenticatedUsers is a bug. OK, that makes sense. So, I changed it.

            Can you try it and let me know if it's going to work?

            Instructions on installation of new extension: https://docs.inedo.com/docs/proget/administration/extensions#manual-install

            Pre-release of AWS Extension: https://proget.inedo.com/feeds/PrereleaseExtensions/inedox/AWS/1.0.4-RC.3

            Then, if it's ok, we can release it.

            Thanks.
            Alana

            1 Reply Last reply Reply Quote 0
            • W Offline
              wsah_6160
              last edited by

              Hey atripp,
              That worked for us! Was able to set the option in AWS S3 to Block public access to buckets and objects granted through new access control lists (ACLs). Thanks for getting that fix out so quick.

              -Adam

              1 Reply Last reply Reply Quote 0
              • apxltdA Offline
                apxltd inedo-engineer
                last edited by

                Aaand, published :)

                Appreciate verifying & helping us finding this bug.

                Founder and CEO, Inedo

                1 Reply Last reply Reply Quote 0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better 💗

                Register Login
                • 1 / 1
                • First post
                  Last post
                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation