starred/s3fs-fuse
1
0
Fork 0
mirror of https://github.com/s3fs-fuse/s3fs-fuse.git synced 2026-04-25 05:16:00 +03:00
Code Issues 305 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1807] s3fs mount with temporary credentials can‘t upload files #923

New issue
Open
opened 2026-03-04 01:49:58 +03:00 by kerem · 1 comment
kerem commented 2026-03-04 01:49:58 +03:00
Owner
Copy link

Originally created by @linstein on GitHub (Nov 10, 2021).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1807

Additional Information

Version of s3fs being used (s3fs --version)

1.86

Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse)

2.9.7

Kernel information (uname -r)

5.4.0-72-generic

GNU/Linux Distribution, if applicable (cat /etc/os-release)

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

s3fs command line used, if applicable

export AWSACCESSKEYID=${AWS_ACCESS_KEY_ID}
export AWSSECRETACCESSKEY=${AWS_SECRET_ACCESS_KEY}
export AWSSESSIONTOKEN=${AWS_SESSION_TOKEN}
s3fs ststest /workspace/ststest -o url=${s3url} -o  use_path_request_style -o  allow_other

Details about issue

  1. I use AWS STS to get temporary AK/SK/Session Token. This credential has full permission for s3 action. Here is the Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateBuckets",
      "Action": ["s3:*"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${bucket}","arn:aws:s3:::${bucket}/*"]
    }
  ]
}
  1. I use this temporary credentials for s3fs mount and able to mount successfully.
  2. I can modify/delete files existed in the bucket directory, but i can‘t create or move new file into the directory. When i run touch a.txt , it prompts touch: setting times of 'a.txt': Operation not permitted, Here is s3fs log
[INF] s3fs.cpp:s3fs_getattr(876): [path=/a.txt]
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text:
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt/]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt/][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt/
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt/
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt/] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: 
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt_$folder$]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt_$folder$][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt_%24folder%24
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt_%24folder%24
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt_$folder$] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: 
[INF]   s3fs.cpp:list_bucket(2596): [path=/a.txt]
[INF]       curl.cpp:ListBucketRequest(3446): [tpath=/a.txt]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6?delimiter=/&max-keys=2&prefix=a.txt/
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/?delimiter=/&max-keys=2&prefix=a.txt/
[INF]       curl.cpp:insertV4Headers(2753): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=a.txt/] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[INF]       curl.cpp:RequestPerform(2416): HTTP response code 200
[INF] s3fs.cpp:s3fs_getattr(876): [path=/a.txt]
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: 
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt/]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt/][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt/
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt/
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt/] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: 
[INF]       curl.cpp:HeadRequest(3049): [tpath=/a.txt_$folder$]
[INF]       curl.cpp:PreHeadRequest(3009): [tpath=/a.txt_$folder$][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt_%24folder%24
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt_%24folder%24
[INF]       curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt_$folder$] [] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: 
[INF]   s3fs.cpp:list_bucket(2596): [path=/a.txt]
[INF]       curl.cpp:ListBucketRequest(3446): [tpath=/a.txt]
[INF]       curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6?delimiter=/&max-keys=2&prefix=a.txt/
[INF]       curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/?delimiter=/&max-keys=2&prefix=a.txt/
[INF]       curl.cpp:insertV4Headers(2753): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=a.txt/] []
[INF]       curl.cpp:url_to_host(99): url is https://s3.dvclab.com
[INF]       curl.cpp:RequestPerform(2416): HTTP response code 200
  1. It returns 403,which means i dont have permission. But temporary credentials should have all permission. I can modify/delete existed file and can‘t create new file
Originally created by @linstein on GitHub (Nov 10, 2021). Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/1807 ### Additional Information #### Version of s3fs being used (s3fs --version) 1.86 #### Version of fuse being used (pkg-config --modversion fuse, rpm -qi fuse, dpkg -s fuse) 2.9.7 #### Kernel information (uname -r) 5.4.0-72-generic #### GNU/Linux Distribution, if applicable (cat /etc/os-release) ``` NAME="Ubuntu" VERSION="18.04.5 LTS (Bionic Beaver)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 18.04.5 LTS" VERSION_ID="18.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=bionic UBUNTU_CODENAME=bionic ``` #### s3fs command line used, if applicable ``` export AWSACCESSKEYID=${AWS_ACCESS_KEY_ID} export AWSSECRETACCESSKEY=${AWS_SECRET_ACCESS_KEY} export AWSSESSIONTOKEN=${AWS_SESSION_TOKEN} s3fs ststest /workspace/ststest -o url=${s3url} -o use_path_request_style -o allow_other ``` ### Details about issue 1. I use AWS STS to get temporary AK/SK/Session Token. This credential has full permission for s3 action. Here is the Policy ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCreateBuckets", "Action": ["s3:*"], "Effect": "Allow", "Resource": ["arn:aws:s3:::${bucket}","arn:aws:s3:::${bucket}/*"] } ] } ``` 2. I use this temporary credentials for s3fs mount and able to mount successfully. 3. I can modify/delete files existed in the bucket directory, but i can‘t create or move new file into the directory. When i run `touch a.txt` , it prompts `touch: setting times of 'a.txt': Operation not permitted`, Here is s3fs log ``` [INF] s3fs.cpp:s3fs_getattr(876): [path=/a.txt] [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt/] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt/][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt/ [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt/ [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt/] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt_$folder$] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt_$folder$][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt_%24folder%24 [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt_%24folder%24 [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt_$folder$] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] s3fs.cpp:list_bucket(2596): [path=/a.txt] [INF] curl.cpp:ListBucketRequest(3446): [tpath=/a.txt] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6?delimiter=/&max-keys=2&prefix=a.txt/ [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/?delimiter=/&max-keys=2&prefix=a.txt/ [INF] curl.cpp:insertV4Headers(2753): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=a.txt/] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [INF] curl.cpp:RequestPerform(2416): HTTP response code 200 [INF] s3fs.cpp:s3fs_getattr(876): [path=/a.txt] [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt/] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt/][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt/ [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt/ [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt/] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] curl.cpp:HeadRequest(3049): [tpath=/a.txt_$folder$] [INF] curl.cpp:PreHeadRequest(3009): [tpath=/a.txt_$folder$][bpath=][save=][sseckeypos=-1] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6/a.txt_%24folder%24 [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/a.txt_%24folder%24 [INF] curl.cpp:insertV4Headers(2753): computing signature [HEAD] [/a.txt_$folder$] [] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [ERR] curl.cpp:RequestPerform(2436): HTTP response code 403, returning EPERM. Body Text: [INF] s3fs.cpp:list_bucket(2596): [path=/a.txt] [INF] curl.cpp:ListBucketRequest(3446): [tpath=/a.txt] [INF] curl.cpp:prepare_url(4703): URL is https://s3.dvclab.com/ststest6?delimiter=/&max-keys=2&prefix=a.txt/ [INF] curl.cpp:prepare_url(4736): URL changed is https://s3.dvclab.com/ststest6/?delimiter=/&max-keys=2&prefix=a.txt/ [INF] curl.cpp:insertV4Headers(2753): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=a.txt/] [] [INF] curl.cpp:url_to_host(99): url is https://s3.dvclab.com [INF] curl.cpp:RequestPerform(2416): HTTP response code 200 ``` 4. It returns 403,which means i dont have permission. But temporary credentials should have all permission. I can modify/delete existed file and can‘t create new file
kerem commented 2026-03-04 01:49:59 +03:00
Author
Owner
Copy link

@srnm commented on GitHub (Nov 26, 2021):

Do you know that the temporary credentials permit uploads when using the awscli?

Using the awscli with temporary credentials is similar to the s3fs command line included section you provided above:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli

If the awscli upload fails, perhaps the bucket is encrypted using a customer managed key?
The iam role behind the temporary credentials requires a grant on the KMS object.

gl

<!-- gh-comment-id:979700376 --> @srnm commented on GitHub (Nov 26, 2021): Do you know that the temporary credentials permit uploads when using the awscli? Using the awscli with temporary credentials is similar to the _s3fs command line included_ section you provided above: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli If the awscli upload fails, perhaps the bucket is encrypted using a customer managed key? The iam role behind the temporary credentials requires a grant on the KMS object. gl
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v1.97
v1.96
v1.95
v1.94
v1.93
v1.92
v1.91
v1.90
v1.89
v1.88
v1.87
v1.86
v1.85
v1.84
v1.83
v1.82
v1.81
v1.80
v1.79
v1.78
Pre-v1.78
v1.77
v1.76
v1.75
v1.74
Labels
Clear labels   
bug

   
bug

   
dataloss

   
duplicate

   
enhancement

   
feature request

   
help wanted

   
invalid

   
need info

   
performance

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
testing
No labels
bug
bug
dataloss
duplicate
enhancement
feature request
help wanted
invalid
need info
performance
pull-request
question
question
testing
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/s3fs-fuse#923
No description provided.