Support » Plugin: BackWPup - WordPress Backup Plugin » v3.6.10 requires s3:ListAllMyBuckets

  • G’day Inpsyde,

    I’ve been holding off v3.6.10 waiting for a fix for the S3 multipart problem, but I just did a couple of tests now and have found another S3 problem.

    Prior to v3.6.10, it was possible to create a backup job for an S3 bucket without having the s3:ListAllMyBuckets privilege. When an API key had no such privilege, the drop-down list of buckets was replaced by a text field.

    Instead, v3.6.10 displays an error and will not allow a bucket name to be entered directly.

    Error executing “ListBuckets” on “https://s3.us-west-2.amazonaws.com/”; AWS HTTP error: Client error: GET https://s3.us-west-2.amazonaws.com/ resulted in a 403 Forbidden response: <?xml version=”1.0″ encoding=”UTF-8″?> <Error>AccessDenied<Message>Access Denied</Message><RequestId>XXXXXX (truncated…) AccessDenied (client): Access Denied – <?xml version=”1.0″ encoding=”UTF-8″?> <Error>AccessDenied<Message>Access Denied</Message><RequestId>XXXXXXXXXXXXXXXXXX</RequestId><HostId>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</HostId></Error>

    This error goes away when s3:ListAllMyBuckets privilege is added to the API key’s role, but of course that’s a security problem and must not be required for a secure backup.

    cheers,
    Ross

Viewing 13 replies - 1 through 13 (of 13 total)
  • I can’t download created zip archives in version 3.6.10.

    Plugin Support duongcuong96

    (@duongcuong96)

    Hi @webaware
    Thank you again for reporting the issue, I forwarded this to our devs ^^

    My backups have been failing because of this s3:ListAllMyBuckets requirement, also. Is there any news on this? Thanks.

    Why this change?

    Plugin Support duongcuong96

    (@duongcuong96)

    @bojates
    You can grant ListAllMyBuckets permission or temporarily downgrade to the version 3.6.9.
    @gcc32
    Because that permission is needed to select a bucket from the list, but since it caused quite a few reports like this, I also requested to change this behavior to something like the old 3.6.9 version. I will let you know after I get something new.

    Plugin Support duongcuong96

    (@duongcuong96)

    Hi @gcc32 @bojates @javadev @webaware
    Could you please try again with the 3.6.11 beta here:
    https://www.dropbox.com/s/fox8ccq5jcwrbk8/backwpup-3.6.11-868ce3dd.zip?dl=0
    Thank you all!

    bojates

    (@bojates)

    Hi, thanks very much for this. With that version I’m now getting the option to enter a bucket name, but it’s still failing. It’s saying the bucket doesn’t exist. I’ve tried entering the bucket (I’ve changed the name below) in these formats, and they all fail:

    [15-Aug-2019 15:29:34] ERROR: S3 Bucket “mybucket-backups” does not exist!
    [15-Aug-2019 15:29:07] ERROR: S3 Bucket “mybucket-backups/” does not exist!
    [15-Aug-2019 15:28:33] ERROR: S3 Bucket “s3://mybucket-backups” does not exist!
    [15-Aug-2019 15:28:06] ERROR: S3 Bucket “s3://mybucket-backups/” does not exist!

    Should I be using a different format?

    Thanks!

    Plugin Support duongcuong96

    (@duongcuong96)

    Hi @bojates
    Could you check if you selected a correct S3 destination?

    bojates

    (@bojates)

    Hi, yes, I’ve checked and the correct S3 destination is chosen.

    webaware

    (@webaware)

    G’day duongcuong96,

    That works well on my simple test environment, I can enter the key/secret and then enter the bucket name. Looking good, thanks for your efforts!

    cheers,
    Ross

    Plugin Support duongcuong96

    (@duongcuong96)

    Hi @webaware
    Could you please try with the live system?
    Thank you very much!

    webaware

    (@webaware)

    G’day duongcuong96,

    Looking at the changes between .10 and .11, I can’t see where you’ve fixed the problem of large S3 uploads failing due to not using multipart uploads, so I have only run it on a small site. Works fine! Any news on S3 multipart uploads?

    cheers,
    Ross

    bojates

    (@bojates)

    I’ve been investigating this further. When I add ListAllMyBuckets to the permissions, I am able to select the bucket from a dropdown in the backup setup. However, when I try to back up, I get a failure that suggests it can’t find the bucket:

    [29-Aug-2019 17:56:17] 1. Trying to send backup file to S3 Service …
    [29-Aug-2019 17:56:18] ERROR: S3 Bucket “mybucket-backups” does not exist!

    I now think this might be because I have configured my bucket to only allow the user to write to their own folder. I have multiple users accessing the bucket, and they can’t see each other’s folders. This is my permissions setup at AWS (prior to the change to allow ListAllMyBuckets).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket-backups"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket-backups"
          ],
          "Condition": {
            "StringLike": {
              "s3:prefix": [
                "${aws:username}/*"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket-backups/${aws:username}"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": [
            "arn:aws:s3:::mybucket-backups/${aws:username}/*"
          ]
        }
      ]
    }
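
A simplified offline evaluation of the policy posted above, added here as an example that is not part of the original thread or the plugin's code: it shows which requests the four statements allow for one user, including a bucket-level `s3:ListBucket` request that carries no prefix. The user name `alice`, the helper names and the reduced rule set (Allow statements, `StringLike`, `${aws:username}` only) are assumptions; the thread does not say which API call the plugin uses for its bucket check.

```python
import fnmatch

USER = "alice"  # constructed IAM user name standing in for ${aws:username}
BUCKET = "arn:aws:s3:::mybucket-backups"

# The four Allow statements from the post, ${aws:username} left unexpanded.
POLICY = [
    {"Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"],
     "Resource": [BUCKET]},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
    {"Action": ["s3:GetBucketLocation", "s3:ListBucket",
                "s3:ListBucketMultipartUploads"],
     "Resource": [BUCKET + "/${aws:username}"]},
    {"Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [BUCKET + "/${aws:username}/*"]},
]

def _expand(value, user):
    # Substitute the only policy variable this policy uses.
    return value.replace("${aws:username}", user)

def _condition_ok(stmt, context, user):
    # StringLike (without IfExists) does not match when the request
    # carries no value for the condition key.
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in context:
            return False
        if not any(fnmatch.fnmatchcase(context[key], _expand(p, user))
                   for p in patterns):
            return False
    return True

def is_allowed(action, resource, context=None, user=USER):
    """True if any statement allows the request (the policy has no Deny)."""
    context = context or {}
    for stmt in POLICY:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, _expand(r, user))
                   for r in stmt["Resource"]):
            continue
        if _condition_ok(stmt, context, user):
            return True
    return False
```

The third statement never matches a bucket-level action, because those requests target the bucket ARN rather than `mybucket-backups/${aws:username}`.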
