If encryption is required on s3 bucket through bucket policy, output cannot start #146
Labels
Comments
|
We can skip this check using validate_credentials_on_root_bucket => false - not sure if this is an appropriate workaround, though? Having the validation might still be useful in the case of the encrypted buckets. |
|
Duplicate of #132. |
Closed
|
I believe that was fixed in 4.0.12. Please re-open if you find this to not be the case. |
robbavey
added a commit
to robbavey/logstash-output-s3
that referenced
this issue
Aug 28, 2018
Pass 'upload_options' hash through to the bucket upload_test_file method to fix issues where permission errors were happening when trying to validate permissions on buckets with an 'encryption required' policy. Fixes logstash-plugins#188, logstash-plugins#146, logstash-plugins#132
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Working on Logstash 5.4.1 on OSX
Config file:
If bucket policy is set up like:
I will consistently get an error like:
[2017-06-16T13:53:38,921][ERROR][logstash.outputs.s3 ] Error validating bucket write permissions! {:message=>"Access Denied", :class=>"Aws::S3::Errors::AccessDenied"}
I believe this is because logstash-output-s3/lib/logstash/outputs/s3/write_bucket_permission_validator.rb attempts to create a file to check that it has write permissions. Due to the bucket policy, since the file that write_bucket_permission_validator.rb attempts to write is not encrypted, it is rejected and logstash decides that it can't output to s3.
If I remove the bucket policy, I am able to write encrypted data to the bucket.
It would be valuable if write_bucket_permission_validator and/or writable_directory_validator.rb were configured to take encryption settings in the output parameterization into account when validating write access.
The text was updated successfully, but these errors were encountered: