Closed Bug 971555 Opened 8 years ago Closed 8 years ago

Add s3:PutObjectAcl access to shared cache buckets from build slaves

Categories

(Release Engineering :: General, defect)

All
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: glandium, Assigned: rail)

References

Details

So it turns out that to make the shared cache script work for ceph, I added x-amz-acl: public-read to the PUT request it does unconditionally. I just noticed this blocked caching on s3 because of the IAM rules set in bug 966152. The two possible solutions would be to either change the script to do it conditionally, or to update the IAM rules to allow it. Both require releng action (since the script is already on tooltool so that would require a tooltool package update), and I thought it would be better to just add the proper rights. I tested this additional statement:

    {
      "Sid": "AllowPutAcl",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::{bucket_name}/*",
      ],
      "Condition": { 
        "StringEquals":{
          "s3:x-amz-acl":["public-read"]
        }
      }
    }

It does allow x-amz-acl: public-read while preventing other values like authenticated-read or public-read-write. Interestingly, it still allows private, but I don't think that matters. The most important is to avoid public-read-write.
Done. FTR, this is how the current role policy for try-linux64 looks like. The second policy is exactly the same except the bucket name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPut",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ]
    },
    {
      "Sid": "AllowPutAcl",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl"
      ],
      "Resource": [
           "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ],
      "Condition": { 
        "StringEquals":{
          "s3:x-amz-acl":["public-read"]
        }
      }
    }
  ]
}
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: General Automation → General
You need to log in before you can comment on or make changes to this bug.