S3 Bucket policy does not work with WInSCP :: Support Forum

AWS Guest

S3 Bucket policy does not work with WInSCP

2021-08-23 06:13

H WinSCP team,
there is a bug in WinSCP which don't allow a connection for a certain S3 Bucket policy.
Here is an example:
Bucket Name: bucket
Folder structure:

a
-foldera
-folderb
b
-foldera
-folderb
c
-foldera
-folderb

The following policy allows accessing the folders s3://bucket/a and s3://bucket/b including all subfolders. The folder c is not allowed. Also the root folder can be listed.
Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "foldera",
                        "foldera/",
                        "folderb",
                        "folderb/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "foldera*",
                        "folderb*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/foldera/*",
                "arn:aws:s3:::bucket/folderb/*"
            ]
        }
    ]
}

I think the cause of the bug is that WinSCP do not evaluate the empty "" in "StringEquals": { "s3:prefix": [ "", which allows the the root folder to be listed.
When I try to login with WinSCP to the root folder /bucket I get an Access Denied message. When I change the folder to /bucket/a it works, but it is not possible to navigate to the root folder. Changing the current folder from /bucket/a to /bucket/b works but that's a bad user experience.
I hope you understand my error report and can fix it soon.
Thanks.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,440
Location:: Prague, Czechia

Re: S3 Bucket policy does not work with WInSCP

2021-08-23

WinSCP does not interpret/evaluate any bucket policy. It's the S3 server does does that.
If you still believe it's WinSCP issue, please post a full WinSCP session log file, as well as a verbose log file of any other S3 client that can access the root folder with the same credentials.

Reply with quote

AWS Guest

Re: S3 Bucket policy does not work with WInSCP

2021-08-24 09:43

Hi martin,
just created a test bucket for you.

S3 Bucket: winscp-bug
Access Key: AKIAU4ZTTZ7COMQD657S
Secret Key: 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
Region: eu-central-1

I created a logfile with WinSCP and attached it. In the first sessions I naviagted to /winscp-bug/allowed which works. I opened the subfolder and downloaded the txt file.
In the second session I tried to directly reach the root folder of the S3 bucket /winscp-bug which dont work!

Here is an example with aws cli:

$ export AWS_ACCESS_KEY_ID=AKIAU4ZTTZ7COMQD657S
$ export AWS_SECRET_ACCESS_KEY=yTx8W/z4v8YxdlNh2E/PFPtp9C75za7FgdMrSkHu
$ aws s3 ls s3://winscp-bug
                           PRE allowed/
                           PRE forbidden/
$ aws s3 ls s3://winscp-bug/allowed/
                           PRE sub-allowed/
2021-08-24 09:04:24          0
$ aws s3 ls s3://winscp-bug/forbidden/

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls s3://winscp-bug/allowed/sub-allowed/
2021-08-24 09:04:59          0
2021-08-24 09:06:12         46 allowed.txt
$ aws s3 cp s3://winscp-bug/allowed/sub-allowed/allowed.txt .
download: s3://winscp-bug/allowed/sub-allowed/allowed.txt to ./allowed.txt
$ cat allowed.txt
you are allowed to list and download this file

I also opened the bucket with Cyberduck. There it is possible to access the root of the S3 bucket

winscp-bug.PNG (28.34 KB)

winscp-bug.log (45.96 KB)

Reply with quote

martin◆ Site Admin

Re: S3 Bucket policy does not work with WInSCP

2021-08-27

Thanks. It seems the difference is that when accessing the root, WinSCP does not send any prefix, while Cyberduck sends an empty prefix. I'll look into this.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,440
Location:: Prague, Czechia

Re: S3 Bucket policy does not work with WInSCP

2021-09-01

I have added this issue to the tracker:
https://winscp.net/tracker/2021

Can you send me an email, so I can send you back a development version of WinSCP for testing? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.

Reply with quote

AWS Guest

2021-09-02 13:56

Hi,
just send you an email

Reply with quote

AWS Guest

2021-09-06 07:03

Hi Martin,
just tested the given version and the bug is fixed. Listing in the root of a S3 bucket works now.
Can you estimate when this bugfix will be available in the main version?

I also noticed another small problem.
My example bucket was created in region eu-central-1. When I try to go one folder up in the root folder I get the expected error that this is not allowed. During this try WinSCP seems to reset the region to default us-east-1. Switching back is not possible anymore. Starting a new session fixes the problem.