
Setting bucket ACLs is not optional and requires bucket ACL which is not preferred mechanism per AWS #110

Closed
sp3nx0r opened this issue Sep 28, 2022 · 0 comments

sp3nx0r commented Sep 28, 2022

code ref

Our upload pattern would prefer to not use ACLs at all for our S3 uploads, instead relying on IAM policies at the bucket level. However, in the plugin the Access value which stores the ACL to use is a mandatory field (defaulting to private). Since the private ACL is a good "secure by default" setting, having a skip value or similar to not pass the Access value when performing the PutObject would be great.

This also lines up with AWS' advice on how to set permissions/ACLs https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#CannedACL and https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

@sp3nx0r changed the title from "Setting bucket ACLs is not optional and" to "Setting bucket ACLs is not optional and requires bucket ACL which is not preferred mechanism per AWS" on Sep 28, 2022
nhandler added a commit to nhandler/drone-s3 that referenced this issue Mar 28, 2023
ACLs in S3 predate IAM. They are also no longer recommended. Instead,
users are encouraged to rely on IAM and Bucket Policies to manage
access. Amazon is even going to start disabling ACLs on new buckets (see
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html). Users
are also generally encouraged to set `BucketOwnerEnforced` on existing
buckets to disable ACLs.

When ACLs are disabled on a bucket, attempts to call `s3:PutObject`
while specifying an `acl` parameter will cause an
`AccessControlListNotSupported` error from AWS specifying that `The
bucket does not allow ACLs`.

This change updates the plugin so that there is no longer a default
value for the ACL. The plugin will now only pass an ACL to
`s3:PutObject` if one is explicitly specified by the user.
rajatharanganath added a commit that referenced this issue Sep 1, 2023
Don't Specify an ACL by Default (Fixes #110)
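The before/after behaviour the commit message describes, as an added illustration that is not drone-s3's own code: S3 is simulated by a small in-memory stand-in (constructed here, no network), and the two `buildInput*` functions show the old always-send-`private` pattern beside the fixed omit-unless-configured pattern against a bucket whose ObjectOwnership is `BucketOwnerEnforced`.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed bucket state; BucketOwnerEnforced ownership disables ACLs entirely.
type bucket struct {
	objectOwnership string // "ObjectWriter", "BucketOwnerPreferred" or "BucketOwnerEnforced"
}

// Mirrors the SDK shape: a nil ACL means the acl parameter is omitted, not sent empty.
type putObjectInput struct {
	Bucket string
	Key    string
	ACL    *string
}

// Stand-in for the AccessControlListNotSupported error S3 returns for ACL-disabled buckets.
var errACLNotSupported = errors.New("AccessControlListNotSupported: The bucket does not allow ACLs")
// putObject simulates S3's handling of the acl parameter (no network call).
func putObject(b bucket, in putObjectInput) error {
	if in.ACL != nil && b.objectOwnership == "BucketOwnerEnforced" {
		return errACLNotSupported
	}
	return nil
}

// buildInputOld mimics the plugin before the fix: Access defaults to "private", so an ACL is always sent.
func buildInputOld(bucket, key, access string) putObjectInput {
	if access == "" {
		access = "private"
	}
	return putObjectInput{Bucket: bucket, Key: key, ACL: &access}
}

// buildInputNew mimics the fixed plugin: the ACL is set only when the user configured one.
func buildInputNew(bucket, key, access string) putObjectInput {
	in := putObjectInput{Bucket: bucket, Key: key}
	if access != "" {
		in.ACL = &access
	}
	return in
}

func main() {
	enforced := bucket{objectOwnership: "BucketOwnerEnforced"}
	fmt.Println("old plugin:", putObject(enforced, buildInputOld("example-bucket", "a.txt", "")))
	fmt.Println("fixed plugin:", putObject(enforced, buildInputNew("example-bucket", "a.txt", "")))
}
```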