
S3 repository rejects access with documented s3:prefix condition #35703

@DaveCTurner

Description


A user reports problems with the S3 repository plugin in 6.5.0:

{ "error": { "root_cause": [ { "type": "repository_exception", "reason": "[s3_test] cannot create blob store" } ], "type": "repository_exception", "reason": "[s3_test] cannot create blob store", "caused_by": { "type": "illegal_argument_exception", "reason": "you do not have permissions to access the bucket REDACTED", "caused_by": { "type": "amazon_s3_exception", "reason": "amazon_s3_exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: REDACTED; S3 Extended Request ID: REDACTED )" } } }, "status": 500 } 

They have an IAM policy that includes a statement like the one in the reference manual:

 { "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions" ], "Condition": { "StringLike": { "s3:prefix": [ "foo/*" ] } }, "Effect": "Allow", "Resource": [ "arn:aws:s3:::snaps.example.com" ] }, 

If they remove the Condition block then access is granted. I think Elasticsearch changed how it checks for bucket existence in #34123 and it's possible that the new check is no longer within the bounds of this policy. I haven't confirmed this hypothesis yet.
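A small model of how the statement above is evaluated, added here as an illustration (it is not part of the issue, of the manual, or of Elasticsearch). It assumes simplified IAM semantics (only `StringLike` is modelled, and a condition key absent from the request context makes the condition false) and models the bucket-existence check as a `s3:ListBucket` request with no prefix, which is the reporter's unconfirmed hypothesis, not an established fact about #34123.

```python
import fnmatch

# Policy statement as quoted in the issue (the reference-manual example).
STATEMENT = {
    "Action": ["s3:ListBucket", "s3:GetBucketLocation",
               "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"],
    "Condition": {"StringLike": {"s3:prefix": ["foo/*"]}},
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::snaps.example.com"],
}
BUCKET = "arn:aws:s3:::snaps.example.com"


def condition_matches(condition, context):
    """Simplified IAM condition evaluation (assumption: only StringLike).
    A key missing from the request context makes the condition false, as IAM
    does for operators without the ...IfExists suffix."""
    for operator, keys in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            if key not in context:
                return False
            if not any(fnmatch.fnmatchcase(context[key], p) for p in patterns):
                return False
    return True


def is_allowed(statement, action, resource, context):
    """True if this single Allow statement grants the request."""
    if statement["Effect"] != "Allow":
        return False
    if action not in statement["Action"] or resource not in statement["Resource"]:
        return False
    return condition_matches(statement.get("Condition", {}), context)


def scenario():
    # A listing scoped to the repository path carries s3:prefix -> allowed.
    scoped = is_allowed(STATEMENT, "s3:ListBucket", BUCKET, {"s3:prefix": "foo/index-0"})
    # Hypothetical bucket-existence probe: a ListBucket with no prefix parameter,
    # modelled as a context without s3:prefix -> denied under the condition.
    probe = is_allowed(STATEMENT, "s3:ListBucket", BUCKET, {})
    # Dropping the Condition block, as the reporter did, lets the probe through.
    unconditional = {k: v for k, v in STATEMENT.items() if k != "Condition"}
    probe_no_cond = is_allowed(unconditional, "s3:ListBucket", BUCKET, {})
    return scoped, probe, probe_no_cond
```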
