The S3 tree view does not show the contents of the bucket when the IAM role being used has a policy that restricts the list_objects_v2 action to specific prefixes (including the root prefix).
Steps to reproduce the issue
Create two S3 buckets, e.g. aws-toolkit-list-experiment-01 and aws-toolkit-list-experiment-02.
Apply the following policy to the IAM role being used by the AWS Toolkit.
Open the extension's Explorer view and expand the S3 bucket tree view.
You will notice that the contents of aws-toolkit-list-experiment-01 are displayed but the contents of aws-toolkit-list-experiment-02 are not displayed.
Expected behavior
I would expect the contents of the bucket to be displayed in the tree view if at least the root prefix is allowed by the policy.
Additional context
Extension's error log
2024-04-05 07:44:25 [ERROR]: [AccessDenied: Access Denied
at constructor.extractError (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:62:10373)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21204)
at constructor.emit (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:20913)
at constructor.emitEvent (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6774)
at constructor.y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2360)
at a.runTo (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1767)
at /home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1979
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2571)
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6829)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21308)
at constructor.emit (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:20913)
at constructor.emitEvent (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6774)
at constructor.y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2360)
at a.runTo (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1767)
at /home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:73:1979
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:2571)
at constructor. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:6829)
at constructor.callListeners (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21308)
at y (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:59:21089)
at IncomingMessage. (/home/ec2-user/SageMaker/.xdg/data/code-server/extensions/amazonwebservices.aws-toolkit-vscode-2.18.0-448bb26/dist/src/main.js:52:41733)
at IncomingMessage.emit (node:events:525:35)
at IncomingMessage.emit (node:domain:489:12)
at endReadableNT (node:internal/streams/readable:1358:12)
at processTicksAndRejections (node:internal/process/task_queues:83:21)] {
code: 'AccessDenied',
region: 'eu-west-1',
time: 2024-04-05T07:44:25.276Z,
requestId: '3Q5MA2DXXXXXXX',
extendedRequestId: 'wipB6U4vu7Z4RrPXvQcTSQ+XXXXXX/5Ow==',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 96.84096977791725
}
I dug into the code to find the source of the error and found that the error is thrown when the list_objects_v2 action is called with the Prefix parameter set to a null value (source).
I experimented locally, and using '' as the default value for the Prefix parameter solves the issue.
Since I'm not so familiar with TypeScript, I wrote the snippet below to reproduce the issue in Python. I get the same error when the Prefix parameter is not set.
import boto3

s3 = boto3.client('s3')

output = s3.list_objects_v2(
    Bucket='aws-toolkit-list-experiment-02',  # bucket name; boto3 rejects a bucket ARN for this parameter
    Delimiter='/',
    MaxKeys=1000,
    # Prefix="",  # When this line is commented out an AccessDenied error is thrown. When uncommented the list of objects is returned without error.
)
System details (run the AWS: About Toolkit command)
OS: Linux x64 5.10.209-198.812.amzn2.x86_64
Visual Studio Code extension host: 1.80.2 (I'm running code-server on a SageMaker classic notebook)
AWS Toolkit: 2.18.0-448bb26 (I built the extension from the source).
node: 16.20.1
I also tested on:
OS: macOS Sonoma 14.4.1
Visual Studio Code version: VS Code 1.87.2
AWS Toolkit version: 2.18.0 (I built the extension from the source).
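Why a missing Prefix is denied while an empty Prefix is allowed, as an added example that is not part of the original issue or the AWS Toolkit code: a simplified model of an Allow statement with a StringEquals condition on s3:prefix, consistent with the behaviour reported above. The policy, the data/ prefix and the function names are constructed for illustration, since the issue's own policy does not appear on this page.

```python
# Simplified model of IAM evaluation for s3:ListBucket with an s3:prefix
# condition. The policy below is constructed; it is not the issue's policy.
CONSTRUCTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # bucket 01: listing allowed without any condition
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-01",
        },
        {   # bucket 02: listing allowed only for the root prefix and data/
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::aws-toolkit-list-experiment-02",
            "Condition": {"StringEquals": {"s3:prefix": ["", "data/"]}},
        },
    ],
}


def request_context(params):
    """Condition keys for a ListObjectsV2 call: s3:prefix exists only when
    the request carries a Prefix parameter (None or omitted means absent)."""
    ctx = {}
    if params.get("Prefix") is not None:
        ctx["s3:prefix"] = params["Prefix"]
    return ctx


def list_allowed(policy, bucket, params):
    """True if some Allow statement matches; otherwise implicit deny.
    Only StringEquals is modelled: a key absent from the context never matches."""
    ctx = request_context(params)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Resource"] != f"arn:aws:s3:::{bucket}":
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(key in ctx and ctx[key] in values for key, values in wanted.items()):
            return True
    return False


def safe_list_params(bucket, prefix=None):
    """Build ListObjectsV2 parameters that always send Prefix ('' for the root)."""
    return {"Bucket": bucket, "Delimiter": "/", "Prefix": prefix or ""}
```

A StringEqualsIfExists condition would also match when Prefix is absent, which lets an unfiltered listing through; sending Prefix='' from the client keeps the policy strict.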