mc config host add can have an option to skip the credentials verify. #2422

Closed
tru2dagame opened this issue Mar 27, 2018 · 6 comments

Comments

@tru2dagame

Expected behaviour

mc config host add can have an option to skip the credentials verify.

Actual behaviour

mc config host add s3-somebucket https://s3.cn-north-1.amazonaws.com.cn XXXXX XXXXXXXXXX S3v4
mc: <ERROR> Unable to initialize new config from the provided credentials. The specified bucket does not exist.

Steps to reproduce the behaviour

Here are my S3 IAM policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1506154426000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws-cn:s3:::somebucket/*"
            ]
        },
        {
            "Sid": "Stmt1506154452000",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws-cn:s3:::somebucket"
            ]
        }
    ]
}

In the old version of mc, it wouldn't verify when I added the credentials.
And I gave very strict permissions to my S3 access key. So it behaves like this:

The access key can't list the bucket name. But it does have access when you know the specific bucket name.


mc version

  • Version: 2018-03-25T01:22:22Z
    Release-tag: RELEASE.2018-03-25T01-22-22Z
    Commit-id: da5c198

System information

Tested on macOS, Ubuntu 16.04
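
The behaviour described in this post (bucket names cannot be listed, yet a bucket known by name is accessible) can be checked against the posted policy with a simplified evaluator. This is an added example, not part of the original post and not mc or AWS code; it handles only Effect/Action/Resource with wildcards (no Condition, NotAction or NotResource), and the `"*"` resource for `s3:ListAllMyBuckets`, the object key `report.csv` and the bucket `otherbucket` are assumptions.

```python
import json
import re

# Policy from the first post, whitespace condensed.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Stmt1506154426000", "Effect": "Allow",
   "Action": ["s3:*"], "Resource": ["arn:aws-cn:s3:::somebucket/*"]},
  {"Sid": "Stmt1506154452000", "Effect": "Allow",
   "Action": ["s3:*"], "Resource": ["arn:aws-cn:s3:::somebucket"]}]}
""")

# Constructed requests: (action, resource the request is evaluated against).
# Assumption: ListAllMyBuckets is not bucket-scoped, so its resource is "*".
REQUESTS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", "arn:aws-cn:s3:::somebucket"),
    ("s3:GetObject", "arn:aws-cn:s3:::somebucket/report.csv"),
    ("s3:ListBucket", "arn:aws-cn:s3:::otherbucket"),
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, text, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing matched)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        acts, ress = as_list(stmt["Action"]), as_list(stmt["Resource"])
        if not any(wildcard_match(a, action, True) for a in acts):
            continue
        if not any(wildcard_match(r, resource) for r in ress):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision

def run(policy=POLICY):
    return {req: evaluate(policy, *req) for req in REQUESTS}

if __name__ == "__main__":
    for (action, resource), result in run().items():
        print(f"{action:20} {resource:40} {result}")
```
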

@harshavardhana
Member

You can by providing the --api s3v4 directly and it shouldn't call the validation call path.

@kannappanr
Collaborator

@tru2dagame Closing this issue as answered. Please feel free to re-open the issue if you feel otherwise.

@rbetts

rbetts commented Jun 2, 2018

The answer is a little confusing as (https://docs.minio.io/docs/minio-client-complete-guide) specifies s3v4 as the default. Using the --api option explicitly worked for me (macOS mc version 2018-03-25T01). Without the option, I see the same error as reported here.

@kannappanr
Collaborator

@rbetts If the --api option is provided, credential verification is skipped. If you do not specify the option, it will do the verification, which is failing in your case. Will look into adding the option in the documentation.

@aisensiy

aisensiy commented Jun 7, 2018

What exact authorization does mc need to work without the --api s3v4 parameter? I gave the S3 user the authorization below, but it is still not working.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws-cn:s3:::<my-bucket>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws-cn:s3:::<my-bucket>/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws-cn:s3:::<my-bucket>"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}

I used the command like this and got the error message below:

$ docker run -it --entrypoint=/bin/sh minio/mc:RELEASE.2018-05-25T20-20-15Z
$ mc config host add s3 <endpoint> <key> <secret>; mc ls s3/<my-bucket>

mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/root/.mc/share`.
mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
mc: <ERROR> Unable to initialize new config from the provided credentials. The specified bucket does not exist.
mc: <ERROR> Unable to stat `<my-bucket>`. Requested file `<my-bucket>` not found

And if I add the --api s3v4 parameter everything works fine.

@furkanmustafa

> You can by providing the --api s3v4 directly and it shouldn't call the validation call path.

This worked for me. But it is extremely confusing and impossible to understand without trial or without visiting this issue.

mc config host add can have an explanation near the --api argument, saying it would prevent active probing.

Also adding --debug outputs *nothing*, the command just looks at me with empty eyes, for more than a minute.. :/
