GovCloud Weirdness

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

Good Day,
I downloaded the 5.14.1 8909 build developer version in case the region detection issue in the tracker was my problem, but I don't think it is.
I have a set of S3 credentials for an S3 bucket in us-gov-west1 that I can test with FileZilla Pro and CloudBerry, so I know the credentials and path are good.
In WinSCP, I get:

Access Denied
Extra Details: RequestId: 5D738AFD9ADB305B, HostId: Xd4q7BJ5QoMNXEqBje7FDQU/bvHEYx21fe4TIyXXpaIBJNT1zsB3xJ28lJ5TMILmv1Wed7HylUY=
Connection failed.

With the credentials that work elsewhere. I have another credential that works in both places. These both go to the same bucket, same URL, very confused.
Any ideas?
  • winscpfunctionalconnection.log (18.68 KB, Private file)
Description: WORKING LOGIN SAME BUCKET
  • winscpfailedlogin.log (8.7 KB, Private file)
Description: FAILED LOGIN

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

So, yeah, that is the host. Recall I am testing 2 access key/secret to the same bucket.
What I found through some experimentation yesterday is that WinSCP doesn't seem to be handling the bucketlist ACLs properly.
I had to grant the key I wanted to use greater ACL than is required in FileZilla or CloudBerry to be able to use the credential in WinSCP.
I had to grant it full get bucketlist for the entire masterbucket, I could not limit it to a sub-bucket, which is a requirement for our use case.
So at the moment, WinSCP is great if you are the admin of the bucket, but if I want to share a sub-folder of that bucket, it doesn't properly access the sub-buckets; it gets the access denied error because of the malformed API call it's doing.
So we'll have to keep using the other tools until this is fixed, which sucks as I really prefer WinSCP.

martin
Site Admin
Posts: 29,791
Location: Prague, Czechia

Re: GovCloud Weirdness

Do you mean that you cannot connect with WinSCP using credentials that do not have permissions to list buckets, even if you explicitly specify the bucket name in Remote directory?

Can you post a log file for that?

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

Yes to your question, and I thought I uploaded the log in my first post.
Is there a different log I need to upload?

martin
Site Admin
Posts: 29,791
Location: Prague, Czechia

Re: GovCloud Weirdness

OK, sorry. You are right. Though can you post log files again, this time with sensitive information replaced in a consistent way?

For example in winscpfailedlogin.log, there's:
Host name: replaced.s3-us-gov-west-1.amazonaws.com (Port: 443)
While in the winscpfunctionalconnection.log, there's:
Host name: s3-us-gov-west-1.amazonaws.com (Port: 443)

Which may suggest that you have different session settings for these.

But winscpfunctionalconnection.log later shows:
Doing DNS lookup on replaced.s3-us-gov-west-1.amazonaws.com...

With that, I'm confused about what the real hostname was that you used for that session.
So can you obfuscate the changes in both logs the same way? So that I can see when the difference is real and not only due to a different obfuscation?
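The consistent replacement asked for above, as an added example that is not part of the original thread or of WinSCP: a two-pass redactor that gives every distinct bucket name and access key ID one stable token across all logs, so any remaining difference between two logs is real. The function names, the regular expressions and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed patterns, not taken from the thread: AWS access key IDs and a
# bucket name used as a virtual-hosted prefix of an S3 endpoint host name.
KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
VHOST_RE = re.compile(r"\b([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3[.-][a-z0-9-]+\.amazonaws\.com\b")

def build_mapping(logs, known_buckets=()):
    """Pass 1: give every distinct secret found in ALL logs one stable token."""
    mapping = {}
    def add(kind, value):
        if value not in mapping:
            n = sum(t.startswith(kind) for t in mapping.values()) + 1
            mapping[value] = f"{kind}-{n}"
    for name in known_buckets:  # buckets that only ever appear in path form
        add("bucket", name)
    for text in logs.values():
        for m in VHOST_RE.finditer(text):
            add("bucket", m.group(1))
        for m in KEY_RE.finditer(text):
            add("KEY", m.group(0))
    return mapping

def redact_logs(logs, known_buckets=()):
    """Pass 2: apply the same mapping to every log in a single substitution."""
    mapping = build_mapping(logs, known_buckets)
    if not mapping:
        return dict(logs), mapping
    # Longest first so a short secret never clobbers part of a longer one.
    pattern = re.compile("|".join(
        re.escape(s) for s in sorted(mapping, key=len, reverse=True)))
    redacted = {name: pattern.sub(lambda m: mapping[m.group(0)], text)
                for name, text in logs.items()}
    return redacted, mapping

# Constructed sample: only the "Host name" and "DNS lookup" lines mirror the
# thread; the bucket name, key IDs and remaining lines are made up.
SAMPLE_LOGS = {
    "working.log": "Host name: s3-us-gov-west-1.amazonaws.com (Port: 443)\n"
                   "Access key: AKIAEXAMPLEKEY000001\n"
                   "Doing DNS lookup on acme-ingest.s3-us-gov-west-1.amazonaws.com...\n",
    "failed.log": "Host name: acme-ingest.s3-us-gov-west-1.amazonaws.com (Port: 443)\n"
                  "Access key: AKIAEXAMPLEKEY000002\n"
                  "Remote directory: /acme-ingest/ingest\n",
}

if __name__ == "__main__":
    print(redact_logs(SAMPLE_LOGS)[0]["failed.log"])
```

Because the mapping is built over both files before anything is replaced, the bucket prefix on the `Host name:` line of one log stays visibly different from the bare endpoint in the other after redaction.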

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

It is consistent. We use a 'bucketname' which I don't want disclosed, so I (in both log files) replaced the bucketname with replaced.
Thus in the one log, it is doing DNS of bucketname.s3-us-gov-1.. and in the other you aren't using the bucket for some reason.
They are configured the exact same as far as the WinSCP configuration, the only difference is the user/key.
This is part of why I am confused. I literally cloned the working session and only replaced it with a new access key & secret, and it broke. As I said, the other tools we use don't have an issue, but when I edited the permissions on the 'new' key, I had to grant a whole bunch of extra permissions around bucket ACLs to get it to work with WinSCP.

martin
Site Admin
Posts: 29,791
Location: Prague, Czechia

Re: GovCloud Weirdness

mprewitt007 wrote:

It is consistent. We use a 'bucketname' which I don't want disclosed, so I (in both log files) replaced the bucketname with replaced.
Thus in the one log, it is doing DNS of bucketname.s3-us-gov-1.. and in the other you aren't using the bucket for some reason.

The Host name: entry in the log shows exactly what you configured in the WinSCP login dialog. Please double check your settings.

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

You're talking about the hostname?
Yes, they are identical.
Both use s3-us-gov-west-1.amazonaws.com

In the log where you see the hostname with the bucket is where it goes to try to access the bucket, as it adds the bucketname in front of the hostname when it tries to access it.
I see this consistently in the logs, so I would assume this is part of how it accesses S3.
Since I haven't looked at the source code, I can't confirm this, but the behavior is consistent in any working S3 access that it hits both the hostname as entered on the main screen and bucket.hostname for bucket access.

martin
Site Admin
Posts: 29,791
Location: Prague, Czechia

Re: GovCloud Weirdness

mprewitt007 wrote:

in the log where you see the hostname with the bucket is where it goes to try to access the bucket, as it adds the bucketname in front of the hostname when it tries to access it.

No. Once again, the Host name: entry in the header of the log shows exactly what you configured in the WinSCP login dialog. So if there's replaced.s3-us-gov-west-1.amazonaws.com, it's because you have configured replaced.s3-us-gov-west-1.amazonaws.com in WinSCP sessions. The replaced. part was not added by WinSCP. Can you please repeat the test?

mprewitt007
Posts: 6
Location: United States

GovCloud Weirdness

So, I am looking at it, and there is >NO< difference on the hostname between the 2 accounts.
Yet in the logs, one has the bucket and one does not.

If I clone the one that does not, the bucket shows up when it does DNS lookups.

I'd be happy to do a screen share to show you this, or if you give me a private location, I can send you a screenshot of the 2 showing you that the 2 accounts are identical in the front UI, but the directories differ in that one is / and the other remote directory is <replaced>/ingest.
So it appears to have something to do with the remote directory difference. / is the parent directory, /replaced/ is the sublevel and ingest is the 3rd level.

martin
Site Admin
Posts: 29,791
Location: Prague, Czechia

Re: GovCloud Weirdness

Thanks.
I have sent you an email with a debug version of WinSCP to the address you have used to register on this forum.
Please send me screenshots and separate trace logs from the debug version for both sessions.
