I'm running a GitHub CD action that takes some files from my repo and tries to upload them to an S3 bucket I have.
The action runs this command:
```
/usr/bin/docker run --name e4f859ff89ec6549659693150859a75828_d1b6eb --label 5588e4 --workdir /github/workspace --rm -e AWS_S3_BUCKET -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_REGION -e SOURCE_DIR -e INPUT_ARGS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/prepay-frontend/prepay-frontend":"/github/workspace" 5588e4:f859ff89ec6549659693150859a75828 --acl public-read --follow-symlinks --delete
```
The AWS_S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION values are obfuscated for privacy reasons, but I'm sure they are configured correctly because I can see from my AWS console that the user associated with AWS_ACCESS_KEY_ID is being used.
The problem is that I get this error:
```
upload failed: public/index.html to s3://***/index.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
```
I don't understand why; this is the policy associated with the user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::MY-bucket-name"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": ["arn:aws:s3:::MY-bucket-name/*"]
    }
  ]
}
```
And if I'm not wrong, that policy grants full control over the files in the bucket MY-bucket-name to the user. What am I missing here?
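An added example (not part of the question or of the action's code) that applies IAM's action and resource wildcard matching to the policy above. It shows why `s3:*Object` covers `s3:PutObject` but not `s3:PutObjectAcl`, which a PutObject that also sets an ACL (the `--acl public-read` flag in the command) requires in addition; the bucket name and object key are taken from the post, and only Allow statements of an identity policy are modelled.

```python
import json
import re

# Copy of the policy from the question (constructed input for this example).
POLICY = json.loads("""{
 "Version": "2012-10-17",
 "Statement": [
  {"Sid": "ListObjectsInBucket", "Effect": "Allow",
   "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::MY-bucket-name"]},
  {"Sid": "AllObjectActions", "Effect": "Allow",
   "Action": "s3:*Object", "Resource": ["arn:aws:s3:::MY-bucket-name/*"]}
 ]
}""")

# Object ARN for the file named in the error message.
OBJ = "arn:aws:s3:::MY-bucket-name/index.html"


def _glob_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    The pattern must cover the whole value, so 's3:*Object' does not cover
    's3:PutObjectAcl' (it ends in 'Acl', not 'Object')."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers both the action and the resource.
    Explicit Deny, bucket policies and S3 Block Public Access are not modelled;
    any of those can still turn an allowed request into AccessDenied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names compare case-insensitively; ARNs compare as written.
        if any(_glob_match(a.lower(), action.lower()) for a in actions) and \
           any(_glob_match(r, resource) for r in resources):
            return True
    return False


def required_for_acl_upload(policy: dict) -> dict:
    """Both permissions a PutObject carrying an x-amz-acl header needs on the object."""
    return {a: allows(policy, a, OBJ) for a in ("s3:PutObject", "s3:PutObjectAcl")}
```

Adding `s3:PutObjectAcl` to the `AllObjectActions` statement closes the gap this check reports; the bucket's Block Public Access settings can still reject a public ACL independently of IAM, so check those too before granting more.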