1. Home
  2. Categories
  3. Support
  4. S3 Store with deny public policy set fails

Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

S3 Store with deny public policy set fails

  • W

    Hi Support,

    We are using the s3 package store for one of our nuget feeds with the AWS S3 "Block all public access" enabled on the bucket. When we upload an nuget package to the feed we get an error when the block public access is enabled. And we have confirmed the Proget s3 package store configuration Make public is not enabled. After investigation we found that Proget s3 Extension is trying to add the object with the following ACL enabled:

    {
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
},
"Permission": "READ"
}

    This will get blocked by the AWS S3 public rule Block public access to buckets and objects granted through new access control lists (ACLs)
    This above policy would allow any authenticated AWS account access to the bucket and is not what we want to set for the object. Any possibility we can get someone to look at that extension to change the behavior?
    Thanks,
    Adam

    0
  • atripp
    inedo-engineer

    Hi Adam,

    I'm not so familiar with the intricacies of ACL; they are quite complicated to me... so hopefully you can help me to understand, and I'll be able to then explain a change request 😅

    We try to keep our code for this really simple. We have a property called CannedACL that works like this:

    private S3CannedACL CannedACL => this.MakePublic 
    ? S3CannedACL.PublicRead 
    : S3CannedACL.AuthenticatedRead;

    This property references an S3CannedACL, which is defined by AWS, and MakePublic is what you check in the UI. MakePublic sets PublicRead, if not AuthenticatedRead.

    That CannedACL is then used when creating objects:

    await client.PutObjectAsync(new PutObjectRequest
{
    BucketName = this.outer.BucketName,
    Key = this.key,
    StorageClass = this.outer.StorageClass,
    CannedACL = this.outer.CannedACL,
    ServerSideEncryptionMethod = this.outer.EncryptionMethod,
    AutoCloseStream = false,
    InputStream = this.inner
}).ConfigureAwait(false);

    So I think you're asking is, to use a different CannedACL? Perhaps for MakePublic we could not using a checkbox, but a drop down list? What do you think the values ought to be?

    0
  • W

    Hi atripp,
    Thanks for the fast response!
    I believe the canned acl should not be set when the public check box is not selected.
    You can specify S3CannedACL.Private but ideally I think you would not alter the default object ACL. Details on those ACL fields can be found here: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/S3/TS3CannedACL.html

    AWS mentions here https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html that objects will default to owner full control (private acl)

    "
*When you create a bucket or an object, Amazon S3 creates a default ACL that grants the resource owner full control over the resource.*
"

    And also here is their warning about using AuthenticatedUsers:

    "
*Authenticated Users group – Represented by http://acs.amazonaws.com/groups/global/AuthenticatedUsers.

This group represents all AWS accounts. Access permission to this group allows any AWS account to access the resource. However, all requests must be signed (authenticated).

Warning
When you grant access to the Authenticated Users group any AWS authenticated user in the world can access your resource.*
"

    -https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

    Thanks,
    -Adam

    0
  • atripp
    inedo-engineer

    Ah, thank you very much for the additional information. So, then it seems like setting it to AuthenticatedUsers is a bug. OK, that makes sense. So, I changed it.

    Can you try it and let me know if it's going to work?

    Instructions on installation of new extension: https://docs.inedo.com/docs/proget/administration/extensions#manual-install

    Pre-release of AWS Extension: https://proget.inedo.com/feeds/PrereleaseExtensions/inedox/AWS/1.0.4-RC.3

    Then, if it's ok, we can release it.

    Thanks.
    Alana

    0
  • W

    Hey atripp,
    That worked for us! Was able to set the option in AWS S3 to Block public access to buckets and objects granted through new access control lists (ACLs). Thanks for getting that fix out so quick.

    -Adam

    0
  • apxltd
    inedo-engineer

    Aaand, published :)

    Appreciate verifying & helping us finding this bug.

    0
Log in to reply
 
Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation