Guys, there's something I really don't understand. The GitLab runner at the bottom cannot delete objects in the bucket at the top. It should have permission to do that, but instead I get the following:
delete failed: s3://bucket.domain.com/file.png An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
S3 permissions bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1412062044000",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::321570121925:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket.domain.com/*",
                "arn:aws:s3:::bucket.domain.com"
            ]
        },
        {
            "Sid": "Stmt1721016931TBA",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::321570121925:root"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucket.domain.com"
        }
    ]
}
GitLab runner result for "aws sts get-caller-identity":
{
    "Account": "321570121925",
    "UserId": "AROAJZ6FNUZ33NL3XQVYK:i-0394709c2c1742643",
    "Arn": "arn:aws:sts::321570121925:assumed-role/gitlab-runner-20180419190331730700000002/i-0394709c2c1742643"
}
I've been investigating for hours and this doesn't make sense to me. Help please.
Best Answer
S3 allows cross-account delegation of permissions, so that principals (users, roles) in one account can access resources in another account.
But, to do this, both accounts must grant the necessary permissions: the account that owns the bucket must delegate the permission and the account that owns the principal must also grant the permission.
In the bucket policy, this delegates the permission to the root of foreign account xxxxxxxxxxxx... but that account must further delegate the permission to its users/roles with the appropriate IAM policy.
The document referenced above provides an extensive overview of how S3 handles privilege checks.
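To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the two-policy check in plain Python: the bucket policy from the question is evaluated together with a constructed identity policy for the runner's role. The bucket-owner account ID, the object name and the role policy are assumptions; the model only handles Effect/Action/Resource and an "AWS" Principal and ignores conditions, ACLs, SCPs and session policies.

```python
# Added example: simplified model of AWS cross-account S3 access evaluation.
# Cross-account: bucket policy AND caller's identity policy must both allow.
# Same account: either policy is enough. An explicit Deny anywhere wins.
import fnmatch

BUCKET = "bucket.domain.com"
BUCKET_OWNER_ACCOUNT = "111111111111"   # constructed: account that owns the bucket
RUNNER_ACCOUNT = "321570121925"         # from the question's get-caller-identity output
DELETE = "s3:DeleteObject"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/file.png"

# Bucket policy as posted in the question: delegates to the runner account's root.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1412062044000",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{RUNNER_ACCOUNT}:root"},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        },
        {
            "Sid": "Stmt1721016931TBA",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{RUNNER_ACCOUNT}:root"},
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}

# Constructed identity policy for the gitlab-runner role: the half the answer
# says is missing. Identity policies carry no Principal element.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}

EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, account):
    """'<account>:root' as Principal means any principal in that account."""
    if "Principal" not in stmt:            # identity policy: principal is implicit
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return any(p in ("*", account, f"arn:aws:iam::{account}:root") for p in allowed)


def evaluate(policy, account, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt, account):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # explicit deny always wins
        result = "Allow"
    return result


def is_allowed(bucket_policy, role_policy, bucket_owner, principal_account, action, resource):
    by_bucket = evaluate(bucket_policy, principal_account, action, resource)
    by_identity = evaluate(role_policy, principal_account, action, resource)
    if "Deny" in (by_bucket, by_identity):
        return False
    if bucket_owner == principal_account:
        return "Allow" in (by_bucket, by_identity)
    return by_bucket == "Allow" and by_identity == "Allow"


def runner_can_delete(role_policy):
    return is_allowed(BUCKET_POLICY, role_policy, BUCKET_OWNER_ACCOUNT,
                      RUNNER_ACCOUNT, DELETE, OBJECT_ARN)


if __name__ == "__main__":
    print("without identity policy:", runner_can_delete(EMPTY_POLICY))  # False
    print("with identity policy:   ", runner_can_delete(ROLE_POLICY))   # True
```

With an empty identity policy the model returns the same outcome as the question's AccessDenied: the bucket policy alone is not enough once the caller sits in a different account. Attaching an identity policy like ROLE_POLICY to the runner's role is the missing half; the same model also shows that if the bucket lived in the runner's own account, the bucket policy by itself would suffice.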