
S3 Tree View Not Displaying Bucket Contents with Specific IAM Role Policies #4643

Open
avsthiago opened this issue Apr 5, 2024 · 0 comments
Labels
bug We can reproduce the issue and confirmed it is a bug. service:s3

Comments


Problem

The S3 tree view does not show the contents of the bucket when the IAM role being used has a policy that restricts the list_objects_v2 action to specific prefixes (including the root prefix).

Steps to reproduce the issue

  1. Create two S3 buckets, e.g. aws-toolkit-list-experiment-01 and aws-toolkit-list-experiment-02.

  2. Apply the following policy to the IAM role being used by the AWS Toolkit.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListAllBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowListAccessEx1",
            "Effect": "Allow",
            "Action": "s3:ListBucket*",
            "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-01"
        },
        {
            "Sid": "AllowListAccessEx2",
            "Effect": "Allow",
            "Action": "s3:ListBucket*",
            "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-02",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        ""
                    ]
                }
            }
        }
    ]
}
```
  3. Open the extension's Explorer view and expand the S3 bucket tree view.

You will notice that the contents of aws-toolkit-list-experiment-01 are displayed but the contents of aws-toolkit-list-experiment-02 are not displayed.

[screenshot: issue-aws-toolkit]

Expected behavior

I would expect the contents of the bucket to be displayed in the tree view if at least the root prefix is allowed by the policy.

Additional context

Extension's error log

```
2024-04-05 07:44:25 [ERROR]: [AccessDenied: Access Denied
at constructor.extractError (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:62:10373)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21204)
at constructor.emit (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:20913)
at constructor.emitEvent (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6774)
at constructor.y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2360)
at a.runTo (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1767)
at /home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1979
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2571)
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6829)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21308)
at constructor.emit (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:20913)
at constructor.emitEvent (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6774)
at constructor.y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2360)
at a.runTo (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1767)
at /home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1979
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2571)
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6829)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21308)
at y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21089)
at IncomingMessage. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:52:41733)
at IncomingMessage.emit (node:events:525:35)
at IncomingMessage.emit (node:domain:489:12)
at endReadableNT (node:internal/streams/readable:1358:12)
at processTicksAndRejections (node:internal/process/task_queues:83:21)] {
code: 'AccessDenied',
region: 'eu-west-1',
time: 2024-04-05T07:44:25.276Z,
requestId: '3Q5MA2DXXXXXXX',
extendedRequestId: 'wipB6U4vu7Z4RrPXvQcTSQ+XXXXXX/5Ow==',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 96.84096977791725
}
```


I dug into the code to find the source of the error and found that the error is thrown when the list_objects_v2 action is called with the Prefix parameter set with a null value (source).

I experimented locally, and using '' as the default value for the Prefix parameter solves the issue.

Since I'm not so familiar with TypeScript, I wrote the snippet below to reproduce the issue in Python. I get the same error when the Prefix parameter is not set.

```python
import boto3

s3 = boto3.client('s3')
output = s3.list_objects_v2(
    Bucket='aws-toolkit-list-experiment-02',  # Bucket takes the bucket name, not its ARN; the original line also had mismatched quotes
    Delimiter='/',
    MaxKeys=1000,
    # Prefix=""  # When this line is commented out an AccessDenied error is thrown. When uncommented the list of objects is returned without error.
)
```
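The behaviour above follows from how IAM evaluates a `StringLike` condition: the condition key must be present in the request context, so a ListObjectsV2 call with no Prefix parameter carries no `s3:prefix` and the conditioned statement never matches, whereas `Prefix=""` matches the `""` pattern. The following is an added illustration, not code from the toolkit or the reporter: a simplified local evaluator (Allow statements only, exact resource match, `StringLike` via shell-style globbing) over a constructed copy of the two bucket statements from the policy above, showing why bucket 01 lists without a Prefix and bucket 02 does not.

```python
from fnmatch import fnmatchcase

# Constructed copy of the two bucket statements from the policy in this issue.
POLICY = [
    {"Sid": "AllowListAccessEx1", "Effect": "Allow", "Action": "s3:ListBucket*",
     "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-01"},
    {"Sid": "AllowListAccessEx2", "Effect": "Allow", "Action": "s3:ListBucket*",
     "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-02",
     "Condition": {"StringLike": {"s3:prefix": [""]}}},
]


def _condition_holds(condition, context):
    """StringLike: every condition key must be present in the request context
    and match at least one of its patterns. A missing key (no Prefix sent)
    makes the condition false, which is exactly what this issue hits."""
    for key, patterns in condition.get("StringLike", {}).items():
        if key not in context:
            return False
        if not any(fnmatchcase(context[key], p) for p in patterns):
            return False
    return True


def is_allowed(action, resource, context, policy=POLICY):
    """Simplified default-deny evaluation (assumption: no Deny statements,
    exact resource ARNs): True if any Allow statement matches the request."""
    for stmt in policy:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or stmt["Resource"] != resource:
            continue
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def list_request_context(prefix):
    """Context keys an s3:ListBucket request carries. When the SDK sends no
    Prefix parameter, s3:prefix is absent from the context entirely."""
    return {} if prefix is None else {"s3:prefix": prefix}


if __name__ == "__main__":
    for bucket in ("01", "02"):
        arn = f"arn:aws:s3:::aws-toolkit-list-experiment-{bucket}"
        for prefix in (None, ""):
            verdict = is_allowed("s3:ListBucket", arn, list_request_context(prefix))
            print(f"bucket {bucket}, Prefix={prefix!r}: {'allowed' if verdict else 'AccessDenied'}")
```

Running it prints that bucket 02 is denied only when Prefix is absent, which is the same split the tree view shows; the fix is to always send `Prefix=""` rather than omitting the parameter.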

System details (run the AWS: About Toolkit command)

  • OS: Linux x64 5.10.209-198.812.amzn2.x86_64
  • Visual Studio Code extension host: 1.80.2 (I'm running code-server on a SageMaker classic notebook)
  • AWS Toolkit: 2.18.0-448bb26 (I built the extension from the source).
  • node: 16.20.1

I also tested on:

  • OS: macOS Sonoma 14.4.1
  • Visual Studio Code version: VS Code 1.87.2
  • AWS Toolkit version: 2.18.0 (I built the extension from the source).
@avsthiago avsthiago added the bug We can reproduce the issue and confirmed it is a bug. label Apr 5, 2024