Logstash-s3-output plugin not working without s3:deleteObject permission

Arnold_Kell · October 31, 2018, 3:49pm

Logstash output would not work for me without s3:deleteObject permission although as I understand, only the s3:putObject permission is required for the plugin to work properly. Without the s3:deleteObject an xml file appeared in my s3 bucket, named logstash-programmatic-access-test-object with the date also in the title. It contained the following:

<Error>

<Code>AccessDenied</Code>

<Message>Access Denied</Message>

DV6x0Dj2ucz/Ziv1uHeW413J/za9fMgtaEOi5MKIy17777Dey4M4OcXK+x0jUCc0w2yu3axm5WA=

</HostId>

</Error>

Could this possibly be a bug in the plugin? Or have I misunderstood something? Thanks!

_Alex · October 31, 2018, 4:38pm

It looks like you don't have permission to view that object in S3. Can you download it, or make it public and then attempt to view?

EDIT: The relevant code in the plugin is here: https://github.com/logstash-plugins/logstash-output-s3/blob/23a4f71864f0127a4d52f23a04cdf0a35d41566c/lib/logstash/outputs/s3/write_bucket_permission_validator.rb#L30

It looks like that object is simply a test object, which gets created to ensure PutObject works, and then (tries) to delete it, but as the comment on that function says, it carrys on if it fails to delete as only Put is required.

Topic		Replies	Views
AWS IAM Policy for S3 Output Plugin Logstash	1	1285	November 20, 2019
Logstash S3 output requires bucket object permissions at the root of the bucket, regardless of prefix config Logstash	1	1776	February 7, 2022
S3 output requires PutObject on * Resources Logstash	7	2221	November 13, 2017
Logstash s3 input plugin not deleting files after processing Logstash	2	1038	January 26, 2021
S3 input dont delete/backup files after processing Logstash	3	1222	April 13, 2022

Logstash-s3-output plugin not working without s3:deleteObject permission

Related topics