nx-aws
Cache won't work without s3:ListBucket permissions on the bucket
The only S3 actions that are explicitly used are GetObject, PutObject, PutObjectACL, and GetObjectAttributes. However, the code is written in a way that implicitly requires ListBucket:
https://github.com/bojanbass/nx-aws/blob/ddcc209d6a6f7612e0de30485edb865ed8cdbdb0/packages/nx-aws-cache/src/tasks-runner/aws-cache.ts#L226-L231
```ts
private async checkIfCacheExists(hash: string): Promise<boolean> {
  const tgzFileName = this.getTgzFileName(hash),
    params: clientS3.HeadObjectCommand = new clientS3.HeadObjectCommand({
      Bucket: this.bucket,
      Key: this.getS3Key(tgzFileName),
    });

  try {
    await this.s3.send(params);
    return true;
  } catch (err) {
    // S3 answers a HEAD on a missing key with 404 ("NotFound") only when the
    // caller holds s3:ListBucket; without it the answer is 403, which is not
    // handled below and therefore falls through to the throw.
    if ((err as Error).name === 'NotFound') {
      return false;
    } else if (err instanceof CredentialsProviderError) {
      return false;
    }
    throw new Error(`Error checking cache file existence - ${err}`);
  }
}
```
If the HeadObjectCommand is used and the principal has ListBucket permissions, then NotFound will be returned. However, if they do not have ListBucket permissions, then 403 will be returned, so caching will fail.
See the API reasoning at https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/s3/command/HeadObjectCommand/:

> **Permissions**
>
> You need the relevant read object (or version) permission for this operation. For more information, see [Actions, resources, and condition keys for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html). If the object you request doesn't exist, the error that Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
>
> - If you have the s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 error.
> - If you don't have the s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 error.
Solution: check if a 403 was returned, and return false in that case.
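The following is an added example, not code from the nx-aws project or from the issue author. It shows a cache-existence probe that treats both outcomes of the HeadObject documentation above as a cache miss, so a least-privilege principal that holds only the object-level permissions (no `s3:ListBucket`) still gets a working cache. The `S3Error` class and the `fakeS3` client are constructed stand-ins for the AWS SDK v3 client; the example assumes SDK v3's error shape, where a 404 surfaces as `err.name === 'NotFound'` and the HTTP status is available under `err.$metadata.httpStatusCode`. The 403 branch is logged once rather than silently swallowed, because the same 403 is also what a principal missing `s3:GetObject` would see, and a cache that never hits should be visible to whoever operates it.

```typescript
// Added example (not nx-aws code). Assumes AWS SDK v3 error shape:
// name === 'NotFound' for a 404, and $metadata.httpStatusCode for the status.
type CacheProbe = 'miss-listbucket' | 'miss-forbidden' | 'error';

// Minimal structural view of an S3 client; only `send` is needed here.
interface S3Like {
  send(cmd: { Bucket: string; Key: string }): Promise<unknown>;
}

// Constructed error type mimicking the SDK's `$metadata` carrying the status.
class S3Error extends Error {
  $metadata: { httpStatusCode: number };
  constructor(name: string, status: number) {
    super(name);
    this.name = name;
    this.$metadata = { httpStatusCode: status };
  }
}

// Classify a HeadObject failure per the S3 docs quoted in the issue:
//   404 / NotFound  -> key absent, caller has s3:ListBucket
//   403             -> key absent OR caller lacks permission; S3 hides which
//   anything else   -> a real error the caller should see
function classifyHeadObjectError(err: unknown): CacheProbe {
  const e = err as { name?: string; $metadata?: { httpStatusCode?: number } };
  const status = e.$metadata?.httpStatusCode;
  if (e.name === 'NotFound' || status === 404) return 'miss-listbucket';
  if (status === 403) return 'miss-forbidden';
  return 'error';
}

let warnedForbidden = false;

// Hardened probe: both miss variants return false; other failures still throw.
async function cacheExists(s3: S3Like, bucket: string, key: string): Promise<boolean> {
  try {
    await s3.send({ Bucket: bucket, Key: key });
    return true;
  } catch (err) {
    switch (classifyHeadObjectError(err)) {
      case 'miss-listbucket':
        return false;
      case 'miss-forbidden':
        // Treat as a miss, but say so once: a principal with no s3:GetObject
        // would see the same 403 on every lookup and never hit the cache.
        if (!warnedForbidden) {
          warnedForbidden = true;
          console.warn(`HeadObject on s3://${bucket}/${key} returned 403; treating as cache miss (no s3:ListBucket?)`);
        }
        return false;
      default:
        throw new Error(`Error checking cache file existence - ${err}`);
    }
  }
}

// Constructed fake client: simulates a bucket with and without s3:ListBucket.
function fakeS3(hasListBucket: boolean, objects: Set<string>): S3Like {
  return {
    async send(cmd: { Bucket: string; Key: string }) {
      if (objects.has(cmd.Key)) return { ContentLength: 1 };
      if (hasListBucket) throw new S3Error('NotFound', 404);
      throw new S3Error('403', 403); // SDK v3 names the unparsed 403 "403"
    },
  };
}

async function demo(): Promise<void> {
  const stored = new Set(['abc123.tgz']);
  // Object-level permissions only (no ListBucket): hit, then a 403-as-miss.
  console.log(await cacheExists(fakeS3(false, stored), 'nx-cache', 'abc123.tgz')); // true
  console.log(await cacheExists(fakeS3(false, stored), 'nx-cache', 'missing.tgz')); // false
  // With ListBucket: the miss arrives as NotFound instead.
  console.log(await cacheExists(fakeS3(true, stored), 'nx-cache', 'missing.tgz')); // false
}

demo().catch((e) => console.error(e));
```

The IAM side of this is what makes the fix worthwhile: `s3:ListBucket` is a bucket-level grant that lets a CI principal enumerate every cached artifact, which a build job has no need for. With the probe above, the policy can stay at `s3:GetObject`, `s3:PutObject`, `s3:PutObjectAcl` and `s3:GetObjectAttributes` on the key prefix the runner writes to.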
Hi @leighpascoe. Thank you for reporting. Feel free to open a PR with this change.