Comments (19)
To work around this issue you'll need to add a bucket policy to allow the IAM user to list the bucket.
This is in addition to the policy to allow get access on the contents of the bucket.
Example:
    {
        "Sid": "Stmt1412808555554",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::some-bucket",
        "Principal": {
            "AWS": [
                "arn:aws:iam::1234567890123:user/ansible-iam"
            ]
        }
    }
from ansible-modules-core.
Thanks @Ladret , yes I'm aware of it.
By "The operation succeeds when list bucket rights are provided to that IAM user.", I meant the same.
from ansible-modules-core.
@gmpuran could you do me a favor and format this issue like seen here: https://raw.githubusercontent.com/ansible/ansible/devel/ISSUE_TEMPLATE.md
I think I understand your issue but want to be 100% clear before working on a patch
from ansible-modules-core.
Here you go. As the issue is quite old, I haven't had a chance to grab version details, but I have provided a detailed description of the issue.
Issue Type:
Bug Report
Ansible Version:
Environment:
N/A
Summary:
While getting an S3 object using the Ansible s3 module, an explicit S3:ListBucket permission is required in IAM for the GET operation to be successful. This additional listing permission should not be required, as one can restrict a particular IAM user to a specific file or folder in an S3 bucket.
Steps To Reproduce:
- Create S3 bucket - ansible-s3
- Create folder test/ and a file inside that folder test.txt
- GET operation command will be:

    # Simple GET operation
    - s3: bucket=ansible-s3 object=/test/test.txt dest=/usr/local/test.txt mode=get

- If IAM policy is kept as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1426510138000",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::ansible-s3/test"
                ]
            },
            {
                "Sid": "Stmt1426510160000",
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": [
                    "arn:aws:s3:::ansible-s3/test/*"
                ]
            }
        ]
    }

- Above GET operation will fail, unless S3:ListBucket operation access is provided to this IAM user.
Expected Results:
The GET operation should succeed without requiring S3:ListBucket rights.
Actual Results:
The GET operation fails unless IAM user has S3:ListBucket rights.
from ansible-modules-core.
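An added example (not part of the original thread or the Ansible project's code) modelling why the policy in the report covers `s3:GetObject` on `test/test.txt` but not `s3:ListBucket`, which is evaluated against the bucket ARN rather than an object ARN. The evaluator is a deliberately simplified assumption (Allow statements only; no Deny, Condition or Principal handling), and `is_allowed`, `with_statement` and `report` are hypothetical helper names.

```python
import re

# Identity policy from the issue report (Sids omitted for brevity).
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::ansible-s3/test"]},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::ansible-s3/test/*"]},
    ],
}
# Constructed statement in the shape of the workaround from the first comment,
# retargeted at the ansible-s3 bucket and modelled without its Principal.
LIST_STATEMENT = {"Effect": "Allow", "Action": ["s3:ListBucket"],
                  "Resource": "arn:aws:s3:::ansible-s3"}

BUCKET_ARN = "arn:aws:s3:::ansible-s3"
OBJECT_ARN = "arn:aws:s3:::ansible-s3/test/test.txt"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcards: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified model: True if some Allow statement covers action AND resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_ok = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def with_statement(policy, stmt):
    return {**policy, "Statement": _as_list(policy["Statement"]) + [stmt]}

def report(policy):
    """Evaluate the two requests discussed in the thread against a policy."""
    return {"GetObject": is_allowed(policy, "s3:GetObject", OBJECT_ARN),
            "ListBucket": is_allowed(policy, "s3:ListBucket", BUCKET_ARN)}
```

In this model the `s3:*` action matches `s3:ListBucket`, but neither `Resource` pattern matches the bare bucket ARN, so the bucket-level request is not covered until a statement naming the bucket itself is added.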
To me this bug shouldn't be closed: the s3:ListBucket is still required.
from ansible-modules-core.
This bug has not been closed; that was another ticket.
from ansible-modules-core.
+1 just ran into this.
from ansible-modules-core.
I just ran into this issue after updating from 1.9.1 to 1.9.4. The role wasn't changed, but the issue suddenly started occurring.
from ansible-modules-core.
@juziel I doubt this was caused by updating; more likely the issue lies in a change made to permissions pertaining to the AWS user/bucket you're trying to access. The workaround is to allow the list permissions to S3, not ideal.
from ansible-modules-core.
Sorry it has taken very long to address this, looking into it now
from ansible-modules-core.
Pull request with a fix is here: #3248
from ansible-modules-core.
@ansible, ping. This issue is still waiting on your response.
from ansible-modules-core.
This repository has been locked. All new issues and pull requests should be filed in https://github.com/ansible/ansible
Please read through the repomerge page in the dev guide. The guide contains links to tools which automatically move your issue or pull request to the ansible/ansible repo.
from ansible-modules-core.
This issue was migrated to ansible/ansible#30234
from ansible-modules-core.