
complete-multipart-upload does not evaluate the object-lock-mode provided during create-multipart-upload request, causing issues with certain bucket policies


I noticed that complete-multipart-upload does not evaluate the object-lock-mode provided during create-multipart-upload request. This means that there are certain bucket policies where that inconsistency can result in complete-multipart-upload requests failing, while the previous create-multipart-upload and upload-part requests have succeeded.

Q: is this a known issue?

Here are **examples** of my tests:

This is a bucket policy with StringEquals:

```json
{
  "Sid": "Stmt1731447043438",
  "Effect": "Deny",
  "Principal": "",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectRetention"
  ],
  "Resource": "arn:aws:s3:::bkt9/",
  "Condition": {
    "StringEquals": {
      "s3:object-lock-mode": "GOVERNANCE"
    }
  }
}
```

I tried the following:

  0. Without any bucket policy configured
  1. create-multipart-upload with header: --object-lock-mode "GOVERNANCE"
  2. upload-part, request succeeds
  3. Then I configure a bucket policy with the above
  4. upload-part, request fails with: An error occurred (AccessDenied) when calling the UploadPart operation: ...

Alternatively, I notice that:

  0. Without any bucket policy configured
  1. create-multipart-upload with header: --object-lock-mode "GOVERNANCE"
  2. upload-part, request succeeds
  3. upload-part, request succeeds
  4. Then I configure a bucket policy with the above
  5. complete-multipart-upload, request succeeds

This means that upload-part requests are evaluated as if the object-lock-mode is GOVERNANCE (as provided by create-multipart-upload) and the bucket policy denies accordingly. In contrast, complete-multipart-upload DOES NOT evaluate the object-lock-mode, so the request is allowed.

Alternatively, I also tested with this policy with StringEqualsIfExists:

```json
{
  "Sid": "Stmt1731447043438",
  "Effect": "Deny",
  "Principal": "",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectRetention"
  ],
  "Resource": "arn:aws:s3:::bkt9/",
  "Condition": {
    "StringEqualsIfExists": {
      "s3:object-lock-mode": "GOVERNANCE"
    }
  }
}
```

I notice that:

  0. I configure the bucket policy with the above
  1. create-multipart-upload with header: --object-lock-mode "COMPLIANCE"
  2. upload-part, request succeeds
  3. upload-part, request succeeds
  4. complete-multipart-upload, request fails with: An error occurred (AccessDenied) when calling the CompleteMultipartUpload operation: ...

This means that complete-multipart-upload DOES evaluate the "header" as NULL and blocks it according to the policy, which means the --object-lock-mode of "COMPLIANCE" provided when the create-multipart-upload request is made is NOT evaluated.

My conclusion: for a bucket policy with

  1. Effect: DENY
  2. Condition: s3:object-lock-mode
  3. when making a multipart request, where the null header case results in a Deny, I must use StringEquals. I **cannot** use StringNotEquals, StringEqualsIfExists, or StringNotEqualsIfExists.
asked a year ago, 132 views
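The behaviour described in the question, as an added model (not AWS code and not the poster's own): it applies the IAM string-condition operator rules to a request context in which, per the poster's observations, create-multipart-upload and upload-part carry the s3:object-lock-mode key while complete-multipart-upload does not, and reports which step a Deny statement blocks for each operator. The per-step key presence is an assumption taken from the question, not from AWS documentation.

```python
# Added example: model of an S3 Deny statement conditioned on
# s3:object-lock-mode across the multipart-upload steps in the question.
# Assumption (from the poster's tests): create-multipart-upload and
# upload-part see the mode given at creation; complete-multipart-upload
# sees no s3:object-lock-mode key at all.
from typing import Dict, List, Optional

STEPS = ("create-multipart-upload", "upload-part", "complete-multipart-upload")
KEY = "s3:object-lock-mode"


def request_context(step: str, mode: Optional[str]) -> Dict[str, str]:
    """Condition keys visible to the policy evaluator for one step."""
    if step in ("create-multipart-upload", "upload-part") and mode:
        return {KEY: mode}
    return {}  # complete-multipart-upload: key absent (per the question)


def condition_true(operator: str, expected: str, ctx: Dict[str, str]) -> bool:
    """IAM string-condition semantics when the key may be missing:
    StringEquals -> false on a missing key; StringNotEquals and the
    ...IfExists variants -> true on a missing key."""
    actual = ctx.get(KEY)
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "StringEqualsIfExists":
        return actual is None or actual == expected
    if operator == "StringNotEqualsIfExists":
        return actual is None or actual != expected
    raise ValueError(f"unsupported operator: {operator}")


def blocked_steps(operator: str, expected: str, mode: Optional[str]) -> List[str]:
    """Steps a Deny statement with this condition blocks for an upload
    created with --object-lock-mode <mode> (None = header omitted)."""
    return [s for s in STEPS
            if condition_true(operator, expected, request_context(s, mode))]


if __name__ == "__main__":
    for op in ("StringEquals", "StringNotEquals",
               "StringEqualsIfExists", "StringNotEqualsIfExists"):
        for mode in ("GOVERNANCE", "COMPLIANCE"):
            print(f"{op:24} {mode:11} blocks {blocked_steps(op, 'GOVERNANCE', mode)}")
```

Only StringEquals leaves complete-multipart-upload unblocked when the key is absent; every other operator turns the missing key into a match and denies the final step even for a COMPLIANCE upload, which is the mismatch the question reports.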
No Answers
