Closed Bug 1284492 Opened 8 years ago Closed 8 years ago

Taskcluster cannot use sccache with temporary s3 credentials

Categories

(Taskcluster :: UI, defect)

Product:
Taskcluster
Component:
UI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: garndt, Assigned: ted)

References

Details

Temporary s3 credentials do not allow operations to set the ACL of an object that it uploads.  This is an intentional choice to prevent escalation of permissions.

To work around this, sccache could be updated to try putting an object with that ACL and upon failure, try uploading without it.
Blocks: 1187257
We discussed this on IRC, and decided that since the S3 buckets were configured to have public GET access via policy, sccache does not need to set it. I removed the setting of the ACL header from the sccache2 code and pushed it to try and it seems to be able to write to the bucket without issue on the TC Windows builds:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e94a641026eb7ec98a55b902c1786a762a876702

Let's just say this will be fixed by bug 1286934. We should document our sccache setup somewhere--we'll want to ensure that any future sccache buckets are created with the right policy.
Depends on: 1286934
We fixed this by making sccache2 not try to set the ACL, and by having the S3 buckets set public access by policy. jonas documented the bucket setup here:
https://mana.mozilla.org/wiki/display/TAS/General+Purpose+S3+Buckets
Assignee: garndt → ted
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: Tools → UI and Tools
You need to log in before you can comment on or make changes to this bug.