rust-s3
Accessing s3 bucket using `tokio-rustls-tls` returns 403 error
Describe the bug

When trying to access an s3 bucket using the `tokio-rustls-tls` feature, it returns 403 (Access denied) as the response to a `head_object()` request. The same request succeeded when `tokio-native-tls` was used.
To Reproduce

- Include the `tokio-rustls-tls` feature:

```toml
rust-s3 = { version = "0.32", default-features = false, features = [
    "tokio-native-tls",
    "tags"
] }
```

- Create a bucket with appropriate credentials:

```rust
use anyhow::Context;
use s3::{creds::Credentials, Bucket, Region};

// Region::Custom takes owned Strings, hence the .into() conversions.
let bucket = Bucket::new(
    "my_bucket",
    Region::Custom {
        endpoint: "my_endpoint".into(),
        region: "my_region".into(),
    },
    Credentials::new(
        Some("my_key"),
        Some("my_secret"),
        None,
        None,
        None,
    )
    .context("unable to create credentials")?,
)
.context("unable to create bucket")?;
```

- Invoke the `head_object()` request:

```rust
let (head, code) = bucket.head_object(&file).await?;
```
Expected behavior

- The expected `code` was 200 but got 403. The same request using `tokio-native-tls` returned 200.

Environment

- Rust version: 1.63
- lib version: 0.32
it happened to me too
sadly the environment I'm running my app in isn't required to have SSL installed, so I cannot live without it... can I help solve it somehow?
@Niedzwiedzw there is a `no-verify-ssl` feature, that might help, it seems that `rustls-tls` has some issues with certain certs, there is a failing test against Digital Ocean spaces that only fails on `rustls-tls`.
Can you give me any more specifics on the environment you're running?
Would something like a `no-tls` feature be helpful?
it's running on a windows 10 machine I'm setting up as a local CI for my project, the target S3 is digitalocean, as for the `no-tls` feature I'm not sure if it'd help, but as far as I can see `no-verify-ssl` didn't help sadly. if `reqwest` supports no-tls then yeah why not give it a try, I can build from a branch and give it a quick test
hmm `rustls-tls-native-roots` - this feature for `reqwest` might do the trick, I'll give it a quick spin
It did not work on the digital ocean test, I've tried it :(. That being said if it works on your end I'd be happy to add another variant
I've added this as a feature on my branch, gonna test in a minute once it builds
yeah, no luck sadly... I'm out of ideas then
I've managed to work around this by conditionally compiling for windows with native-tls, and for linux with rustls (I must support a very old linux machine, this was the whole point :D) if anyone finds it useful here's the config

```toml
[target.x86_64-pc-windows-gnu.dependencies]
rust-s3 = { version = "0.32", features = ["with-tokio"] }

[target.x86_64-unknown-linux-gnu.dependencies]
rust-s3 = { version = "0.32", default-features = false, features = ["tokio-rustls-tls", "with-tokio", "no-verify-ssl"] }
```
Can you check if it's only `head_object()` or if other routes are affected as well?
actually in my case it was failing when uploading a file
https://github.com/durch/rust-s3/blob/d69bc4cf7a3c91dd5db84957f239b3c39b7302ec/s3/src/bucket.rs#L892 this line
Super happy to hear that :)
so for future people who encounter this - it only happens on rustls on windows it seems, but let's wait for other people to confirm
There are issues with `tokio-rustls-tls`, Digital Ocean for example has problems as well, it seems that they're related to how certificates are handled, all in all I hope this is something that gets fixed upstream eventually...
One issue I had with Rustls is the bucket having periods in its name, which triggered https://github.com/rustls/rustls/issues/184
`sync-rustls-tls` on AlpineLinux fails the same. `no-verify-ssl` does not help. `put_object` still got 403.
I do not think my case is because of the permission, the same service account (in K8S) is used by other pods to upload files to S3.
Also, the 403 was only seen after I hacked the rust-s3 source. The error was masked and an unparsable JSON error was shown.