Wasabi policy requirements

cazzoo · December 12, 2021, 11:40am

Hi there!
I can see the period issue being fixed for Amazon S3 but what about Wasabi or S3 compatible connector?
I’m trying to add my bucket (Wasabi) in odrive UI and get rejected… Both connectors… Any idea how I can get this working?
Please note I’m able to mount the bucket using s3fs-fuse on my machine with the same Access Key ID and Secret, so it’s not related to permissions…
Any advice?

cazzoo · December 12, 2021, 12:47pm

Well, nevermind… It appears this is a policy issue I have, not a period issue.
When granting full S3 access it appears to work. I’m not sure what are the required Actions for odrive to work as designed… Any help maybe?

cazzoo · December 12, 2021, 1:11pm

Hey! Thank you for the post, this might probably be added to S3 connector configuration.
I noticed that

{
“Effect”: “Allow”,
“Action”: “s3:ListAllMyBuckets”,
“Resource”: “arn:aws:s3:::*”
}

is not needed in most of the cases.
Also, I noticed this is working fine for S3 compatible connector but this is not working (somehow) with Wasabi connector.
When using wasabi connector I need to grant AmazonS3FullAccess policy to my user, otherwise it’s not working. Using S3/Compatible connector works just fine with current setup (and with previously pasted section removed)

Tony · December 13, 2021, 3:59pm

Hi @cazzoo,
Can you provide an example of the policy you are using on Wasabi and I can try to reproduce what you are seeing?

What is interesting is that the Wasabi integration is just using the “S3 compatible” integration with some presets defined, so I am surprised there is a behavioral difference.

cazzoo · December 16, 2021, 8:07am

Hi @Tony,

Here are the policies I used in IAM of wasabisys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::caz.mybucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::caz.mybucket/*"
    }
  ]
}

Tony · December 17, 2021, 6:32am

Hi @cazzoo,
I’m not able to reproduce what you are seeing.

Here is what I did:

Created a new bucket named tony.test in the us-west-1 region (s3.us-west-1.wasabisys.com)
Created a new user tonytest
Created an IAM policy like the one you posted above for user tonytest

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::tony.test"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::tony.test/*"
    }
  ]
}

Used the tonytest account access-key and secret-key to link the bucket using the Wasabi integration

2021-12-16_222838403×653 9.65 KB

I was able to link, create new folders, upload, and download to the bucket.

Let me know if I am missing something in my testing.

Tony · January 5, 2022, 4:33pm

Hi @cazzoo,
I just wanted to make sure you saw the above. Are you still seeing the same issue?

cazzoo · January 16, 2022, 1:37pm

Hi @Tony ,

Thank you for the time you spent on it to investigate. Today I did try once again and couldn’t reproduce…
Perhaps there were something wrong somewhere in my configuration