Topic review

martin

Thanks again for your feedback.
aws

Hi martin,
thanks for the new version. I just tested it successfully. Thanks for fixing the bugs :)
martin

Sorry, I've missed that. Can you please restore my access to the test bucket?
Aws

I did ;)
martin

Thanks for your feedback. WinSCP 5.19.3 will probably be released later this month.

For your other problem, please post session log file.
AWS

Hi Martin,
just tested the given version and the bug is fixed. Listing in the root of an S3 bucket works now.
Can you estimate when this bugfix will be available in the main version?

I also noticed another small problem.
My example bucket was created in region eu-central-1. When I try to go one folder up in the root folder I get the expected error that this is not allowed. During this try WinSCP seems to reset the region to default us-east-1. Switching back is not possible anymore. Starting a new session fixes the problem.
AWS

Hi,
just sent you an email
martin

Re: S3 Bucket policy does not work with WinSCP

I have added this issue to the tracker:
https://winscp.net/tracker/2021

Can you send me an email, so I can send you back a development version of WinSCP for testing? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.
martin

Re: S3 Bucket policy does not work with WinSCP

Thanks. It seems the difference is that when accessing the root, WinSCP does not send any prefix, while Cyberduck sends an empty prefix. I'll look into this.
AWS

Re: S3 Bucket policy does not work with WinSCP

Hi martin,
just created a test bucket for you.

S3 Bucket: winscp-bug
Access Key: AKIAU4ZTTZ7COMQD657S
Secret Key: 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
Region: eu-central-1

I created a logfile with WinSCP and attached it. In the first session I navigated to /winscp-bug/allowed which works. I opened the subfolder and downloaded the txt file.
In the second session I tried to directly reach the root folder of the S3 bucket /winscp-bug which doesn't work!

Here is an example with aws cli:
$ export AWS_ACCESS_KEY_ID=AKIAU4ZTTZ7COMQD657S
$ export AWS_SECRET_ACCESS_KEY=yTx8W/z4v8YxdlNh2E/PFPtp9C75za7FgdMrSkHu
$ aws s3 ls s3://winscp-bug
                           PRE allowed/
                           PRE forbidden/
$ aws s3 ls s3://winscp-bug/allowed/
                           PRE sub-allowed/
2021-08-24 09:04:24          0
$ aws s3 ls s3://winscp-bug/forbidden/

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls s3://winscp-bug/allowed/sub-allowed/
2021-08-24 09:04:59          0
2021-08-24 09:06:12         46 allowed.txt
$ aws s3 cp s3://winscp-bug/allowed/sub-allowed/allowed.txt .
download: s3://winscp-bug/allowed/sub-allowed/allowed.txt to ./allowed.txt
$ cat allowed.txt
you are allowed to list and download this file


I also opened the bucket with Cyberduck. There it is possible to access the root of the S3 bucket.
martin

Re: S3 Bucket policy does not work with WinSCP

WinSCP does not interpret/evaluate any bucket policy. It's the S3 server that does that.
If you still believe it's a WinSCP issue, please post a full WinSCP session log file, as well as a verbose log file of any other S3 client that can access the root folder with the same credentials.
AWS

S3 Bucket policy does not work with WinSCP

Hi WinSCP team,
there is a bug in WinSCP which doesn't allow a connection for a certain S3 Bucket policy.
Here is an example:
Bucket Name: bucket
Folder structure:
a
-foldera
-folderb
b
-foldera
-folderb
c
-foldera
-folderb

The following policy allows accessing the folders s3://bucket/a and s3://bucket/b including all subfolders. The folder c is not allowed. Also the root folder can be listed.
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "foldera",
                        "foldera/",
                        "folderb",
                        "folderb/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "foldera*",
                        "folderb*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/foldera/*",
                "arn:aws:s3:::bucket/folderb/*"
            ]
        }
    ]
}

I think the cause of the bug is that WinSCP does not evaluate the empty "" in "StringEquals": { "s3:prefix": [ "", which allows the root folder to be listed.
When I try to login with WinSCP to the root folder /bucket I get an Access Denied message. When I change the folder to /bucket/a it works, but it is not possible to navigate to the root folder. Changing the current folder from /bucket/a to /bucket/b works but that's a bad user experience.
I hope you understand my error report and can fix it soon.
Thanks.
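
The difference martin identified earlier in the thread (no prefix parameter versus an empty prefix) can be checked against the two ListBucket statements of the policy above with a simplified model of IAM condition matching. This is an added example, not part of the original posts and not AWS's evaluator; the sample requests are constructed, and it assumes a condition key is present in the request context only when the client sends the corresponding query parameter.

```python
import re

# ListBucket conditions copied from the policy in the post.
LIST_STATEMENTS = [
    {"StringEquals": {"s3:prefix": ["", "foldera", "foldera/", "folderb", "folderb/"],
                      "s3:delimiter": ["/"]}},
    {"StringLike": {"s3:prefix": ["foldera*", "folderb*"]}},
]


def _like(value, pattern):
    # StringLike: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


OPERATORS = {"StringEquals": lambda value, pattern: value == pattern,
             "StringLike": _like}


def statement_allows(conditions, context):
    # Every operator and every key must match (AND); the values listed for
    # one key are alternatives (OR). A key absent from the request context
    # never matches, because these operators are not the ...IfExists forms.
    for operator, keys in conditions.items():
        for key, allowed in keys.items():
            if key not in context:
                return False
            if not any(OPERATORS[operator](context[key], a) for a in allowed):
                return False
    return True


def list_allowed(query):
    # Assumption: a condition key exists only if the client sent the parameter.
    context = {"s3:" + k: v for k, v in query.items() if k in ("prefix", "delimiter")}
    return any(statement_allows(s, context) for s in LIST_STATEMENTS)


# Constructed requests (query parameters of a bucket listing), not taken from a log.
REQUESTS = {
    "root, no prefix parameter": {"delimiter": "/"},
    "root, empty prefix": {"prefix": "", "delimiter": "/"},
    "foldera/": {"prefix": "foldera/", "delimiter": "/"},
    "folderc/": {"prefix": "folderc/", "delimiter": "/"},
    "recursive under folderb/": {"prefix": "folderb/sub/"},
}

if __name__ == "__main__":
    for label, query in REQUESTS.items():
        print(f"{label:28} {'Allow' if list_allowed(query) else 'Deny (implicit)'}")
```

In this model the root listing is denied only when the prefix parameter is missing entirely; listing "" among the allowed values covers an empty prefix, not an absent one.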