Add s3:PutObjectAcl access to shared cache buckets from build slaves

RESOLVED FIXED

Release Engineering :: General Automation
(Reporter: glandium, Assigned: rail)

Description (Reporter, 4 years ago)
So it turns out that to make the shared cache script work for ceph, I added x-amz-acl: public-read to the PUT request it does unconditionally. I just noticed this blocked caching on s3 because of the IAM rules set in bug 966152. The two possible solutions would be to either change the script to do it conditionally, or to update the IAM rules to allow it. Both require releng action (since the script is already on tooltool so that would require a tooltool package update), and I thought it would be better to just add the proper rights. I tested this additional statement:

    {
      "Sid": "AllowPutAcl",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::{bucket_name}/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read"]
        }
      }
    }

It does allow x-amz-acl: public-read while preventing other values like authenticated-read or public-read-write. Interestingly, it still allows private, but I don't think that matters. The most important thing is to avoid public-read-write.
Comment 1 (Assignee, 4 years ago)
Done. FTR, this is how the current role policy for try-linux64 looks. The second policy is exactly the same except for the bucket name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPut",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ]
    },
    {
      "Sid": "AllowPutAcl",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ],
      "Condition": {
        "StringEquals":{
          "s3:x-amz-acl":["public-read"]
        }
      }
    }
  ]
}
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
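As an added example (not code from the bug, from glandium or from releng), the following Python evaluator models how the AllowPutAcl condition in the policy above gates the canned ACL value of a request. It applies the documented StringEquals semantics, so, unlike the behaviour glandium observed on real S3, it denies `private` as well; the object key `sccache/0a1b2c` is a constructed sample.

```python
import fnmatch
import json

# Role policy from comment 1 of the bug (bucket name as on the page).
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowPut", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"]},
    {"Sid": "AllowPutAcl", "Effect": "Allow",
     "Action": ["s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}}
  ]
}
"""

def _conditions_hold(condition, context):
    # Only StringEquals is modelled; a key absent from the request fails the test.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, values in pairs.items():
            if context.get(key) not in values:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Default deny: allowed only if an Allow statement matches action, resource and context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
            continue
        if _conditions_hold(stmt.get("Condition", {}), context):
            return True
    return False

POLICY = json.loads(POLICY_JSON)
OBJ = "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/sccache/0a1b2c"  # constructed sample key

def check_acl(acl):
    """Would a PutObjectAcl request carrying this canned ACL (x-amz-acl) be allowed?"""
    return is_allowed(POLICY, "s3:PutObjectAcl", OBJ, {"s3:x-amz-acl": acl})
```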