dataall
Unrestricted S3 permissions for shares with consumer role
Describe the bug
Currently when a share is created for the consumer role, dataall automatically adds s3* permissions on the share. This must be restricted to read permissions only.
How to Reproduce
Create a consumer role and then create a data share. Check the IAM role policies for the consumer role to verify the s3 permissions added for the share.
Expected behavior
The consumer role should be updated to add only S3 read permissions when a share is created.
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.10
AWS data.all version
2.4
Additional context
No response
@dlpzx @noah-paige I will add more details once I test the behavior in detail.
Verified that the dataset sharing policy added to the consumption role lists the actions as s3:*. This must be restricted to read-only S3 permissions.
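The check described in this issue can be automated. The following is an added example, not code from data.all or from the reporter: it scans an IAM policy document for Allow statements that grant more than S3 read access. The function name, the Get*/List* definition of "read only", and the sample policies (bucket name, Sid) are assumptions made for illustration.

```python
import json

# Assumption: "read only" here means S3 Get*/List* actions; adjust to your baseline.
READ_PREFIXES = ("s3:get", "s3:list")


def _as_list(value):
    """IAM accepts a single string or a list for Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_non_read_s3_grants(policy_document):
    """Return (sid, action) pairs for Allow statements granting more than S3 read."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
            findings.append((sid, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action")):
            a = action.lower()  # IAM action names are case-insensitive
            # A wildcard is read-only only if its literal prefix is already Get/List,
            # so "s3:*" and "s3:*Object" are flagged while "s3:Get*" is not.
            if a == "*" or (a.startswith("s3:") and not a.startswith(READ_PREFIXES)):
                findings.append((sid, action))
    return findings


# Constructed sample policies; bucket name and Sid are placeholders.
RESOURCES = ["arn:aws:s3:::example-shared-bucket", "arn:aws:s3:::example-shared-bucket/*"]
POLICY_AS_REPORTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ConstructedShare", "Effect": "Allow", "Action": ["s3:*"], "Resource": RESOURCES}]}
POLICY_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ConstructedShare", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]}

if __name__ == "__main__":
    print(find_non_read_s3_grants(POLICY_AS_REPORTED))
    print(find_non_read_s3_grants(POLICY_READ_ONLY))
```

The function accepts either a parsed dict or the raw JSON text of the policy attached to the consumer role, so it can run as a regression check after a share is created.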