Thanks again for your feedback.
- martin
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- aws
Hi martin,
thanks for the new version. I just tested it succesfully. Thanks for fixing the bugs :)
thanks for the new version. I just tested it succesfully. Thanks for fixing the bugs :)
- martin
I was able to reproduce the problem:
https://winscp.net/tracker/2027
I have emailed you a new build for testing.
https://winscp.net/tracker/2027
I have emailed you a new build for testing.
- martin
Sorry, I've missed that. Can you please restore my access to the test bucket?
- Aws
I did ;)
- martin
Thanks for your feedback. WinSCP 5.19.3 will probably be released later this month.
For your other problem, please post session log file.
For your other problem, please post session log file.
- AWS
Hi Martin,
just tested the given version and the bug is fixed. Listing in the root of a S3 bucket works now.
Can you estimate when this bugfix will be available in the main version?
I also noticed another small problem.
My example bucket was created in region eu-central-1. When I try to go one folder up in the root folder I get the expected error that this is not allowed. During this try WinSCP seems to reset the region to default us-east-1. Switching back is not possible anymore. Starting a new session fixes the problem.
just tested the given version and the bug is fixed. Listing in the root of a S3 bucket works now.
Can you estimate when this bugfix will be available in the main version?
I also noticed another small problem.
My example bucket was created in region eu-central-1. When I try to go one folder up in the root folder I get the expected error that this is not allowed. During this try WinSCP seems to reset the region to default us-east-1. Switching back is not possible anymore. Starting a new session fixes the problem.
- AWS
Hi,
just send you an email
just send you an email
- martin
Re: S3 Bucket policy does not work with WInSCP
I have added this issue to the tracker:
https://winscp.net/tracker/2021
Can you send me an email, so I can send you back a development version of WinSCP for testing? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.
https://winscp.net/tracker/2021
Can you send me an email, so I can send you back a development version of WinSCP for testing? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.
You will find my address (if you log in) in my forum profile.
- martin
Re: S3 Bucket policy does not work with WInSCP
Thanks. It seems the difference is that when accessing the root, WinSCP does not send any prefix, while Cyberduck sends an empty prefix. I'll look into this.
- AWS
Re: S3 Bucket policy does not work with WInSCP
Hi martin,
just created a test bucket for you.
S3 Bucket: winscp-bug
Access Key: AKIAU4ZTTZ7COMQD657S
Secret Key: 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
Region: eu-central-1
I created a logfile with WinSCP and attached it. In the first sessions I naviagted to /winscp-bug/allowed which works. I opened the subfolder and downloaded the txt file.
In the second session I tried to directly reach the root folder of the S3 bucket /winscp-bug which dont work!
Here is an example with aws cli:
I also opened the bucket with Cyberduck. There it is possible to access the root of the S3 bucket
just created a test bucket for you.
S3 Bucket: winscp-bug
Access Key: AKIAU4ZTTZ7COMQD657S
Secret Key: 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
Region: eu-central-1
I created a logfile with WinSCP and attached it. In the first sessions I naviagted to /winscp-bug/allowed which works. I opened the subfolder and downloaded the txt file.
In the second session I tried to directly reach the root folder of the S3 bucket /winscp-bug which dont work!
Here is an example with aws cli:
$ export AWS_ACCESS_KEY_ID=AKIAU4ZTTZ7COMQD657S
$ export AWS_SECRET_ACCESS_KEY=yTx8W/z4v8YxdlNh2E/PFPtp9C75za7FgdMrSkHu
$ aws s3 ls s3://winscp-bug
PRE allowed/
PRE forbidden/
$ aws s3 ls s3://winscp-bug/allowed/
PRE sub-allowed/
2021-08-24 09:04:24 0
$ aws s3 ls s3://winscp-bug/forbidden/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls s3://winscp-bug/allowed/sub-allowed/
2021-08-24 09:04:59 0
2021-08-24 09:06:12 46 allowed.txt
$ aws s3 cp s3://winscp-bug/allowed/sub-allowed/allowed.txt .
download: s3://winscp-bug/allowed/sub-allowed/allowed.txt to ./allowed.txt
$ cat allowed.txt
you are allowed to list and download this file
I also opened the bucket with Cyberduck. There it is possible to access the root of the S3 bucket
- martin
Re: S3 Bucket policy does not work with WInSCP
WinSCP does not interpret/evaluate any bucket policy. It's the S3 server does does that.
If you still believe it's WinSCP issue, please post a full WinSCP session log file, as well as a verbose log file of any other S3 client that can access the root folder with the same credentials.
If you still believe it's WinSCP issue, please post a full WinSCP session log file, as well as a verbose log file of any other S3 client that can access the root folder with the same credentials.
- AWS
S3 Bucket policy does not work with WInSCP
H WinSCP team,
there is a bug in WinSCP which don't allow a connection for a certain S3 Bucket policy.
Here is an example:
Bucket Name:
Folder structure:
The following policy allows accessing the folders
Policy:
I think the cause of the bug is that WinSCP do not evaluate the empty
When I try to login with WinSCP to the root folder
I hope you understand my error report and can fix it soon.
Thanks.
there is a bug in WinSCP which don't allow a connection for a certain S3 Bucket policy.
Here is an example:
Bucket Name:
bucket
Folder structure:
a
-foldera
-folderb
b
-foldera
-folderb
c
-foldera
-folderb
The following policy allows accessing the folders
s3://bucket/a and s3://bucket/b including all subfolders. The folder c is not allowed. Also the root folder can be listed.
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"",
"foldera",
"foldera/",
"folderb",
"folderb/"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"foldera*",
"folderb*"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::bucket/foldera/*",
"arn:aws:s3:::bucket/folderb/*"
]
}
]
}I think the cause of the bug is that WinSCP do not evaluate the empty
"" in "StringEquals": { "s3:prefix": [ "", which allows the the root folder to be listed.
When I try to login with WinSCP to the root folder
/bucket I get an Access Denied message. When I change the folder to /bucket/a it works, but it is not possible to navigate to the root folder. Changing the current folder from /bucket/a to /bucket/b works but that's a bad user experience.
I hope you understand my error report and can fix it soon.
Thanks.