Creating a new bucket by s3cmd results in access denied

野島 裕輔 yusuke-nojima at cybozu.co.jp
Wed Nov 11 03:12:35 EST 2015


I have installed the Riak, Stanchion and Riak CS to Ubuntu 14.04, and created an admin user.
Then I attempted to create the new bucket with s3cmd, but it resulted in AccessDenied error.

I tried the solution of http://riak-users.197444.n3.nabble.com/RIAK-CS-Unable-to-create-bucket-using-s3cmd-AccessDenied-td4032375.html, but still does not work.

I found another thread http://riak-users.197444.n3.nabble.com/ERROR-S3-error-403-AccessDenied-Access-Denied-with-s3cmd-tt4033610.html, but no one answered the thread.

Any ideas what was wrong with my setup?
Thanks for the help in advance.

-------------------------
$ s3cmd mb s3://test
DEBUG: Updating Config.Config encoding -> UTF-8
DEBUG: Updating Config.Config follow_symlinks -> False
DEBUG: Updating Config.Config verbosity -> 30
DEBUG: Unicodising 'mb' using UTF-8
DEBUG: Unicodising 's3://test' using UTF-8
DEBUG: Command: mb
DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
DEBUG: CreateRequest: resource[uri]=/
DEBUG: SignHeaders: 'PUT\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:36:55 +0000\n/test/'
DEBUG: Processing request, please wait...
DEBUG: get_hostname(test): test.s3.amazonaws.com
DEBUG: format_uri(): http://test.s3.amazonaws.com/
DEBUG: Sending request method_string='PUT', uri='http://test.s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:USeKvJH40fSHJy8kZFnRyJxGgcY=', 'x-amz-date': 'Wed, 11 Nov 2015 07:36:55 +0000'}, body=(0 bytes)
DEBUG: Response: {'status': 403, 'headers': {'date': 'Wed, 11 Nov 2015 07:36:55 GMT', 'content-length': '159', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'Forbidden', 'data': '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>'}
DEBUG: S3Error: 403 (Forbidden)
DEBUG: HttpHeader: date: Wed, 11 Nov 2015 07:36:55 GMT
DEBUG: HttpHeader: content-length: 159
DEBUG: HttpHeader: content-type: application/xml
DEBUG: HttpHeader: server: Riak CS
DEBUG: ErrorXML: Code: 'AccessDenied'
DEBUG: ErrorXML: Message: 'Access Denied'
DEBUG: ErrorXML: Resource: '/test'
DEBUG: ErrorXML: RequestId: None
ERROR: Access to bucket 'test' was denied

-------------------------
/var/log/stanchion/console.log says that the presented signature does not match:

2015-11-11 07:36:55.683 [debug] <0.169.0>@stanchion_auth:authenticate:41 Presented Signature: "rVYpULyFn0zsqUhizDUlQI+LfzA="
Calculated Signature: "aHCNYOFa7XT8PKS64fKNYyh7JGc="

-------------------------
My .s3cfg looks like:

[default]
access_key = LS_P9JF815TCCKTFOD4O
bucket_location = US
cloudfront_host = cloudfront.amazonaws.com
default_mime_type = binary/octet-stream
delete_removed = False
dry_run = False
enable_multipart = True
encoding = UTF-8
encrypt = False
follow_symlinks = False
force = False
get_continue = False
gpg_command = /usr/bin/gpg
gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
gpg_passphrase = cybozu123
guess_mime_type = True
host_base = s3.amazonaws.com
host_bucket = %(bucket)s.s3.amazonaws.com
human_readable_sizes = False
invalidate_on_cf = False
list_md5 = False
log_target_prefix =
mime_type =
multipart_chunk_size_mb = 15
preserve_attrs = True
progress_meter = True
proxy_host = 127.0.0.1
proxy_port = 8080
recursive = False
recv_chunk = 4096
reduced_redundancy = False
secret_key = dz0oUJqZBowOmTobwyaCaZcrO7PgL69ArCSnfQ==
send_chunk = 4096
simpledb_host = sdb.amazonaws.com
skip_existing = False
socket_timeout = 300
urlencoding_mode = normal
use_https = False
verbosity = DEBUG
website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
website_error =
website_index = index.html
signature_v2 = True


-------------------------
Versions:

riak: 2.0.5
riak-cs: 2.0.1
stanchion: 2.0.0
s3cmd: 1.1.0-beta3

-------------------------
Traffic between Riak CS and Stanchion aquired by tcpdump is:

POST /buckets HTTP/1.1
content-type: application/json
content-md5: owB6xF/s2H7XLFzMR3vYnw==
content-length: 462
te:
host: 127.0.0.1:8085
authorization: MOSS LS_P9JF815TCCKTFOD4O:rVYpULyFn0zsqUhizDUlQI+LfzA=
date: Wed, 11 Nov 2015 07:36:55 GMT
connection: keep-alive

{"bucket":"test","requester":"LS_P9JF815TCCKTFOD4O","acl":{"version":1,"owner":{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","key_id":"LS_
P9JF815TCCKTFOD4O"},"grants":[{"display_name":"yusuke-nojima","canonical_id":"7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0","permissions":["FULL_CONTROL"]}],"creation_time":{"mega_seconds":1447,"seconds":227415,"micro_seconds":682371}}}


HTTP/1.1 403 Forbidden
Server: MochiWeb/1.1 WebMachine/1.10.8 (that head fake, tho)
Date: Wed, 11 Nov 2015 07:36:55 GMT
Content-Length: 162

<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/test</Resource><RequestId></RequestId></Error>


-------------------------
"s3cmd ls" works fine:

$ s3cmd ls
DEBUG: Updating Config.Config encoding -> UTF-8
DEBUG: Updating Config.Config follow_symlinks -> False
DEBUG: Updating Config.Config verbosity -> 30
DEBUG: Unicodising 'ls' using UTF-8
DEBUG: Command: ls
DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
DEBUG: CreateRequest: resource[uri]=/
DEBUG: SignHeaders: 'GET\n\n\n\nx-amz-date:Wed, 11 Nov 2015 07:47:00 +0000\n/'
DEBUG: Processing request, please wait...
DEBUG: get_hostname(None): s3.amazonaws.com
DEBUG: format_uri(): http://s3.amazonaws.com/
DEBUG: Sending request method_string='GET', uri='http://s3.amazonaws.com/', headers={'content-length': '0', 'Authorization': 'AWS LS_P9JF815TCCKTFOD4O:y6iQZ6mli0mMQ7n7V/a1hJti0r8=', 'x-amz-date': 'Wed, 11 Nov 2015 07:47:00 +0000'}, body=(0 bytes)
DEBUG: Response: {'status': 200, 'headers': {'date': 'Wed, 11 Nov 2015 07:47:00 GMT', 'content-length': '273', 'content-type': 'application/xml', 'server': 'Riak CS'}, 'reason': 'OK', 'data': '<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>7a48a8c7c33b1f9e72793cd06e4ca9b505389543bf17f3c056be289d17d10bc0</ID><DisplayName>yusuke-nojima</DisplayName></Owner><Buckets/></ListAllMyBucketsResult>'}

-------------------------




More information about the riak-users mailing list