Logstash-s3-output plugin not working without s3:deleteObject permission

Arnold_Kell · October 31, 2018, 3:49pm

Logstash output would not work for me without s3:deleteObject permission although as I understand, only the s3:putObject permission is required for the plugin to work properly. Without the s3:deleteObject an xml file appeared in my s3 bucket, named logstash-programmatic-access-test-object with the date also in the title. It contained the following:

<Error>

<Code>AccessDenied</Code>

<Message>Access Denied</Message>

DV6x0Dj2ucz/Ziv1uHeW413J/za9fMgtaEOi5MKIy17777Dey4M4OcXK+x0jUCc0w2yu3axm5WA=

</HostId>

</Error>

Could this possibly be a bug in the plugin? Or have I misunderstood something? Thanks!

_Alex · October 31, 2018, 4:38pm

It looks like you don't have permission to view that object in S3. Can you download it, or make it public and then attempt to view?

EDIT: The relevant code in the plugin is here: https://github.com/logstash-plugins/logstash-output-s3/blob/23a4f71864f0127a4d52f23a04cdf0a35d41566c/lib/logstash/outputs/s3/write_bucket_permission_validator.rb#L30

It looks like that object is simply a test object, which gets created to ensure PutObject works, and then (tries) to delete it, but as the comment on that function says, it carrys on if it fails to delete as only Put is required.

system · November 28, 2018, 4:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.