Signing S3 objects using signing profile not working anymore

Hello,

we have created a signing profile in AWS Signer a while ago. The profile is associated with a private key/certificate in the AWS Certificate Manager service. What we do is the following: We upload arbitrary files to an S3 bucket, which will trigger a Lambda function using an S3 rule. The Python Lambda function will call the "StartSigningJob" operation using boto3:

    # Sign the uploaded file
    signing_job_result = self.__signer_client.start_signing_job(
        source={
            "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
        },
        destination={
            "s3": {"bucketName": f"{bucket_name}/{SIGNATURES_FOLDER_NAME}"}
        },
        profileName=self.signing_profile,
    )

The lambda role contains the following permissions (in accordance with https://docs.aws.amazon.com/signer/latest/developerguide/gs-iam.html):

    # S3 Permissions
    - Effect: Allow
      Action:
        - "s3:Get*"
        - "s3:HeadObject"
        - "s3:List*"
        - "s3:PutObject"
        - "s3:PutObjectTagging"
      Resource: "arn:aws:s3:::${self:custom.filesBucketName}*"
    - Effect: Allow
      Action:
        - "signer:StartSigningJob"
      Resource: "*"

This was working until last Thursday (18 May 2023). However, since today (22 May 2023) we get the following error message:

An error occurred (AccessDeniedException) when calling the StartSigningJob operation: S3 bucket filemanager-prod-cces-bucket/signatures not accessible. Please check your permissions

Do you have any advice on what the problem could be?

asked a year ago, 295 views
1 answer

You must verify the following:

  • S3 Bucket Policies
  • Lambda Execution Role (If someone made changes)
  • Signer Profile Expiration.
AWS
vtjean
answered a year ago
  • Ok thanks for your answer. I think I found out what the problem was. The format string f"{bucket_name}/{SIGNATURES_FOLDER_NAME}" was resolved to "filemanager-prod-cces-bucket/signatures" in the following snippet:

    signing_job_result = self.__signer_client.start_signing_job(
        source={
            "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
        },
        destination={
            "s3": {"bucketName": f"{bucket_name}/{SIGNATURES_FOLDER_NAME}"}
        },
        profileName=self.signing_profile,
    )

    However, if I just change to the name of the bucket like this (without the SIGNATURES_FOLDER_NAME):

    signing_job_result = self.__signer_client.start_signing_job(
        source={
            "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
        },
        destination={
            "s3": {"bucketName": f"{bucket_name}"}
        },
        profileName=self.signing_profile,
    )

    it's working fine.

    I have double-checked that we did not make any change to this code after 18 May and I also double-checked that it worked before. To me it seems as if the behavior of the --destination flag of the start_signing_job function has changed. Can you maybe confirm that a change has happened recently to this function?
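As an added illustration (not the asker's code), the following builds the `start_signing_job` arguments so that the signatures folder goes into the S3 destination's separate `prefix` field instead of being glued onto `bucketName`, and rejects a "bucket/folder" string before it reaches Signer. The folder name, profile name and the boto3 `signer` client passed in are assumptions; the bucket name in the test is the one from the error message above.

```python
import re

# Basic S3 bucket naming rule: 3-63 chars, lowercase letters, digits, dots,
# hyphens. A "/" can never be part of a bucket name, which is why a value
# like "filemanager-prod-cces-bucket/signatures" is rejected by Signer.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """True if 'name' can be an S3 bucket name (path components are not allowed)."""
    return "/" not in name and _BUCKET_NAME_RE.match(name) is not None


def validate_bucket_name(name: str) -> str:
    """Return the name unchanged, or raise a clear error before calling Signer."""
    if "/" in name:
        raise ValueError(
            f"{name!r} looks like bucket/path; pass the folder as 'prefix', not in bucketName"
        )
    if not is_valid_bucket_name(name):
        raise ValueError(f"not a valid S3 bucket name: {name!r}")
    return name


def build_signing_job_kwargs(bucket_name, object_key, version, profile_name, signatures_folder=None):
    """Build the keyword arguments for a boto3 signer client's start_signing_job().

    The destination is always the bare bucket; the folder for signed artifacts
    (assumed name, e.g. "signatures") goes into the destination's 'prefix' field.
    """
    bucket = validate_bucket_name(bucket_name)
    destination = {"bucketName": bucket}
    if signatures_folder:
        # Normalise to "folder/" so signed objects land under that key prefix.
        destination["prefix"] = signatures_folder.strip("/") + "/"
    return {
        "source": {"s3": {"bucketName": bucket, "key": object_key, "version": version}},
        "destination": {"s3": destination},
        "profileName": profile_name,
    }


def start_signing_job(signer_client, **job_args):
    """Validate the arguments, then call Signer. signer_client = boto3.client('signer')."""
    return signer_client.start_signing_job(**build_signing_job_kwargs(**job_args))
```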
