S3 Bucket policy does not work with WInSCP

Advertisement

AWS
Guest

S3 Bucket policy does not work with WInSCP

H WinSCP team,
there is a bug in WinSCP which don't allow a connection for a certain S3 Bucket policy.
Here is an example:
Bucket Name: bucket
Folder structure:
a
-foldera
-folderb
b
-foldera
-folderb
c
-foldera
-folderb
The following policy allows accessing the folders s3://bucket/a and s3://bucket/b including all subfolders. The folder c is not allowed. Also the root folder can be listed.
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "foldera",
                        "foldera/",
                        "folderb",
                        "folderb/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "foldera*",
                        "folderb*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/foldera/*",
                "arn:aws:s3:::bucket/folderb/*"
            ]
        }
    ]
}
I think the cause of the bug is that WinSCP do not evaluate the empty "" in "StringEquals": { "s3:prefix": [ "", which allows the the root folder to be listed.
When I try to login with WinSCP to the root folder /bucket I get an Access Denied message. When I change the folder to /bucket/a it works, but it is not possible to navigate to the root folder. Changing the current folder from /bucket/a to /bucket/b works but that's a bad user experience.
I hope you understand my error report and can fix it soon.
Thanks.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
36,052
Location:
Prague, Czechia

Re: S3 Bucket policy does not work with WInSCP

WinSCP does not interpret/evaluate any bucket policy. It's the S3 server does does that.
If you still believe it's WinSCP issue, please post a full WinSCP session log file, as well as a verbose log file of any other S3 client that can access the root folder with the same credentials.

Reply with quote

AWS
Guest

Re: S3 Bucket policy does not work with WInSCP

Hi martin,
just created a test bucket for you.

S3 Bucket: winscp-bug
Access Key: AKIAU4ZTTZ7COMQD657S
Secret Key: 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
Region: eu-central-1

I created a logfile with WinSCP and attached it. In the first sessions I naviagted to /winscp-bug/allowed which works. I opened the subfolder and downloaded the txt file.
In the second session I tried to directly reach the root folder of the S3 bucket /winscp-bug which dont work!

Here is an example with aws cli:
$ export AWS_ACCESS_KEY_ID=AKIAU4ZTTZ7COMQD657S
$ export AWS_SECRET_ACCESS_KEY=yTx8W/z4v8YxdlNh2E/PFPtp9C75za7FgdMrSkHu
$ aws s3 ls s3://winscp-bug
                           PRE allowed/
                           PRE forbidden/
$ aws s3 ls s3://winscp-bug/allowed/
                           PRE sub-allowed/
2021-08-24 09:04:24          0
$ aws s3 ls s3://winscp-bug/forbidden/

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls s3://winscp-bug/allowed/sub-allowed/
2021-08-24 09:04:59          0
2021-08-24 09:06:12         46 allowed.txt
$ aws s3 cp s3://winscp-bug/allowed/sub-allowed/allowed.txt .
download: s3://winscp-bug/allowed/sub-allowed/allowed.txt to ./allowed.txt
$ cat allowed.txt
you are allowed to list and download this file

I also opened the bucket with Cyberduck. There it is possible to access the root of the S3 bucket

winscp-bug.PNG

Reply with quote

martin
Site Admin
martin avatar

Re: S3 Bucket policy does not work with WInSCP

Thanks. It seems the difference is that when accessing the root, WinSCP does not send any prefix, while Cyberduck sends an empty prefix. I'll look into this.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
36,052
Location:
Prague, Czechia

Re: S3 Bucket policy does not work with WInSCP

I have added this issue to the tracker:
https://winscp.net/tracker/2021

Can you send me an email, so I can send you back a development version of WinSCP for testing? Please include a link back to this topic in your email. Also note in this topic that you have sent the email. Thanks.

You will find my address (if you log in) in my forum profile.

Reply with quote

Advertisement

AWS
Guest

Hi Martin,
just tested the given version and the bug is fixed. Listing in the root of a S3 bucket works now.
Can you estimate when this bugfix will be available in the main version?

I also noticed another small problem.
My example bucket was created in region eu-central-1. When I try to go one folder up in the root folder I get the expected error that this is not allowed. During this try WinSCP seems to reset the region to default us-east-1. Switching back is not possible anymore. Starting a new session fixes the problem.

winscp_region.PNG

Reply with quote

martin
Site Admin
martin avatar

Thanks for your feedback. WinSCP 5.19.3 will probably be released later this month.

For your other problem, please post session log file.

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum