
fix: fix iam permissions to retrieve logs from aws s3 #9798

Merged

Conversation

agido-heppe
Contributor

@agido-heppe agido-heppe commented Oct 12, 2022

Signed-off-by: Lukas Heppe lukas.heppe@agido.com

Fixes #TODO

Please do not open a pull request until you have checked ALL of these:

  • Create the PR as draft.
  • Run `make pre-commit -B` to fix codegen and lint problems.
  • Sign-off your commits (otherwise the DCO check will fail).
  • Use a conventional commit message (otherwise the commit message check will fail).
  • "Fixes #" is in both the PR title (for release notes) and this description (to automatically link and close the issue).
  • Add unit or e2e tests. Say how you tested your changes. If you changed the UI, attach screenshots.
  • Github checks are green.
  • Once required tests have passed, mark your PR "Ready for review".

If changes were requested, and you've made them, dismiss the review to get it reviewed again.

Description

When using the IAM policy provided in the docs I couldn't view the logs via UI. By allowing the ListBucket Policy on the bucket instead of the objects within, I was able to retrieve those.

The principle is also described in the AWS blog post https://aws.amazon.com/de/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/.

Signed-off-by: Lukas Heppe <lukas.heppe@agido.com>
Member

@terrytangyuan terrytangyuan left a comment

What's the difference?

@agido-heppe
Contributor Author

agido-heppe commented Oct 12, 2022

It's the same problem as in the SO post below. You are allowed to perform actions on the resources (objects) within the bucket (marked by the wildcard *), but you are not allowed to list the bucket itself.

If you want to access the logs of some workflow via UI, the S3 client seems to try to perform a "ListBucket" operation, but it is not allowed to do so. Therefore, this policy explicitly whitelists this action. I will try to find the respective code line later.

https://stackoverflow.com/questions/38774798/accessdenied-for-listobjects-for-s3-bucket-when-permissions-are-s3
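To make the distinction concrete, here is an added illustration (not code from the PR or the Argo Workflows docs) of the two policy shapes the comment above contrasts. The bucket name `EXAMPLE-ARTIFACT-BUCKET` and the exact set of object actions are assumptions; the point is the resource ARN each statement targets.

```json
{
  "_comment": "Added example, not from the original PR. Bucket name is a placeholder.",
  "before_object_only": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "_comment": "Object actions only. s3:ListBucket is a bucket-level action, so granting it here (or omitting it) still yields AccessDenied when the client lists the bucket.",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::EXAMPLE-ARTIFACT-BUCKET/*"
      }
    ]
  },
  "after_bucket_and_objects": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "_comment": "Object-level actions stay scoped to the objects (note the trailing /*).",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::EXAMPLE-ARTIFACT-BUCKET/*"
      },
      {
        "_comment": "ListBucket is granted on the bucket ARN itself, with no /* suffix. The optional s3:prefix condition keeps listing limited to the artifact prefix rather than the whole bucket.",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::EXAMPLE-ARTIFACT-BUCKET",
        "Condition": {
          "StringLike": { "s3:prefix": ["artifacts/*"] }
        }
      }
    ]
  }
}
```

Each inner policy document is a separate IAM policy; the wrapper object only places them side by side. Before rolling a change out, `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:ListBucket --resource-arns arn:aws:s3:::EXAMPLE-ARTIFACT-BUCKET` shows whether the bucket-level listing is allowed without touching live credentials for the workflow.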

Contributor

@juliev0 juliev0 left a comment

Thank you for helping to figure out what the right policy settings should be! What you've written makes sense to me.

@terrytangyuan terrytangyuan marked this pull request as ready for review October 12, 2022 23:16
@terrytangyuan terrytangyuan merged commit d4817ef into argoproj:master Oct 12, 2022
@terrytangyuan
Member

Thanks for clarifying!

@agido-heppe agido-heppe deleted the fix-artifact-s3-permission-docs branch October 13, 2022 07:35
@agido-heppe
Contributor Author

You are welcome! Thank you for providing such nice projects 👍

juchaosong pushed a commit to juchaosong/argo-workflows that referenced this pull request Nov 3, 2022