Troubleshooting MinIO policies

The python script I was working with was trying to store an object in a MinIO bucket.

 minio_client.put_object(...)

It all worked fine when using the minio root account. However, it started failing as soon as I began using a MinIO account only allowed to PUT objects into the bucket.

S3 operation failed; code: AccessDenied, message: Access Denied.

It worked fine from mc, the MinIO Client. 

It worked fine if I manually modified the policy to allow all S3 actions.

                "Action": [

                  "s3:*",

                ],

It worked fine even after reverting back to the original policy of only PutObject. If I just had had the wildcard at some point after starting the script.

                "Action": [

                  "s3:PutObject"

                ],


The key to troubleshooting this was to run a trace on the minio

# mc alias set myminio http://... minioadmin miniopassword

# mc admin trace myminio


There, I could spot what was failing:

[403 Forbidden] s3.GetBucketLocation

Apparently, the MinIO python library needs to issue this other request in addition to the actual PutObject. But possibly caching the result, as subsequent attempts won't fail even if it's not permitted.

The policy that finally worked, had to include both actions:

          {

            "Version": "2012-10-17",

            "Statement": [

            {

              "Principal": "*",

              "Effect": "Allow",

                "Action": [

                  "s3:GetBucketLocation",

                  "s3:PutObject"

                ],

                "Resource": [

                  "arn:aws:s3:::xyz",

                  "arn:aws:s3:::xyz/*"

                ]

              }

            ]

          }



Comments

Post a Comment

Popular posts from this blog

iMovie event library on a network drive, NAS

I was shocked to find that iMovie '09 would not allow storing event libraries on networked disks. The AFP volume would show up, but remain non-functional with a yellow exclamation sign. There are plenty of instructions for hacking around the limitation with clumsy symbolic links. I discovered a much simpler approach, using an undocumented (?) setting built right into iMovie:"Allow Network Volumes". Use at your own risk, try the following command in Terminal defaults write -app iMovie allowNV -bool true
Read more

Proxmox PCIe passthrough on HP gen8 - failed to set iommu for container

Problem Setting up PCIe passthrough from host to a VM was supposed to be easy. However, being an HP server, there was a bit more to it than usual. The VM simply refused to start when configured use Nvidia GPU from the host: vfio error: 0000:04:00.0: failed to setup container for group 21: failed to set iommu for container: Operation not permitted In dmesg there was a bit more background on what was wrong: fio-pci 0000:04:00.1: Device is ineligible for IOMMU domain attach due to platform RMRR requirement.  Contact your platform vendor. Luckily, HP had issued a customer advisory on this. It describes a convoluted method to disable this RMRR per slot basis. It seems to work for me, so I thought I'd write down some notes if I ever run into this again. Basic setup Proxmox has decent instructions for preparing the host for passthrough setup in general, in summary: -  add  intel_iommu=on to   GRUB_CMDLINE_LINUX_DEFAULT  in the file  /etc/default/grub - add vfio ...
Read more

Easy-rsa fails with "Missing or invalid OpenSSL"

Trying to use easyrsa on MacOS High Sierra, it failed with an error message MacBook-Air:vpn me$  EasyRSA-3.0.3/easyrsa init-pki 140736197817224:error:0E065068:configuration file routines:STR_COPY:variable has no   value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-  22/libressl/crypto/conf/conf_def.c:573:line 3 Easy-RSA error: Missing or invalid OpenSSL Expected to find openssl command at: openssl This seems to be a known issue with MacOS High Sierra which has migrated to Libressl instead of Openssl, and has an easy workaround: MacBook-Air:vpn me$ EASYRSA_OPENSSL=/usr/local/Cellar/openssl/1.0.2n/bin/openssl EasyRSA-3.0.3/easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /Users/me/Documents/vpn/pki
Read more