--s3-acl bucket-owner-full-control not recognized

What is the problem you are having with rclone?

Identical to the problem reported here except the proposed solution does not work for me.

Briefly:

We have permissions set up so that a specific user account needs to use the "bucket-owner-full-control" ACL in order to be able to write to a specific S3 bucket.

If I do that in the AWS CLI, it works:

$ aws s3 cp hi  s3://fh-pi-holland-e-eco/test/test.txt --acl bucket-owner-full-control
upload: ./hi to s3://fh-pi-holland-e-eco/test/test.txt
$

I tried the solution proposed in the above-linked GitHub issue, but it did not work. See below.

Run the command 'rclone version' and share the full output of the command.

$ rclone version
rclone v1.64.0
- os/version: ubuntu 18.04 (64 bit)
- os/kernel: 4.15.0-192-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.21.1
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

AWS S3

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone -vv copyto ./hi s3:fh-pi-holland-e-eco/test/test.txt

The rclone config contents with secrets removed.

[s3]
type = s3
env_auth = true
region = us-west-2
provider = AWS
acl = bucket-owner-full-control
location_constraint = us-west-2
server_side_encryption = aws:kms

A log from the command with the -vv flag

2023/09/15 10:29:18 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "-vv" "copyto" "./hi" "s3:fh-pi-holland-e-eco/test/test.txt"]
2023/09/15 10:29:18 DEBUG : Creating backend with remote "./hi"
2023/09/15 10:29:18 DEBUG : Using config file from "/home/dtenenba/.rclone.conf"
2023/09/15 10:29:18 DEBUG : fs cache: adding new entry for parent of "./hi", "/home/dtenenba"
2023/09/15 10:29:18 DEBUG : Creating backend with remote "s3:fh-pi-holland-e-eco/test/"
2023/09/15 10:29:18 DEBUG : fs cache: renaming cache item "s3:fh-pi-holland-e-eco/test/" to be canonical "s3:fh-pi-holland-e-eco/test"
2023/09/15 10:29:19 DEBUG : hi: Need to transfer - File not found at Destination
2023/09/15 10:29:19 ERROR : hi: Failed to copy: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2P95A15S45P2KG, host id: LN8sj7+SCn8TMXr+QE/bb9l/btzcHIEYNrSFLf4XlAPY9V9Z/WslRQ3fTFRxx7PlYz+jr8O0Of5Bze61Jlkffw==
2023/09/15 10:29:19 ERROR : Attempt 1/3 failed with 1 errors and: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2P95A15S45P2KG, host id: LN8sj7+SCn8TMXr+QE/bb9l/btzcHIEYNrSFLf4XlAPY9V9Z/WslRQ3fTFRxx7PlYz+jr8O0Of5Bze61Jlkffw==
2023/09/15 10:29:19 DEBUG : hi: Need to transfer - File not found at Destination
2023/09/15 10:29:19 ERROR : hi: Failed to copy: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2VA11RHQ2VK59M, host id: asQOEBm3V09G1heItuteIS6/Di2VvNJIVZ7I9yp+ehcQ7AxZb/Pe8YXapBc6qsGLtRJCQKwsg9o=
2023/09/15 10:29:19 ERROR : Attempt 2/3 failed with 1 errors and: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2VA11RHQ2VK59M, host id: asQOEBm3V09G1heItuteIS6/Di2VvNJIVZ7I9yp+ehcQ7AxZb/Pe8YXapBc6qsGLtRJCQKwsg9o=
2023/09/15 10:29:19 DEBUG : hi: Need to transfer - File not found at Destination
2023/09/15 10:29:19 ERROR : hi: Failed to copy: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2P1MW8JGMBVYMD, host id: 46hIBBarcyeYoAxD45zRRohKZuwl8ubjnk3Fkj9c+KpqKPMzsto/ORjaEKHcyaC/oLFniSAekHw=
2023/09/15 10:29:19 ERROR : Attempt 3/3 failed with 1 errors and: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2P1MW8JGMBVYMD, host id: 46hIBBarcyeYoAxD45zRRohKZuwl8ubjnk3Fkj9c+KpqKPMzsto/ORjaEKHcyaC/oLFniSAekHw=
2023/09/15 10:29:19 INFO  :
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Errors:                 1 (retrying may help)
Elapsed time:         0.3s

2023/09/15 10:29:19 DEBUG : 5 go routines active
2023/09/15 10:29:19 Failed to copyto: failed to prepare upload: AccessDenied: Access Denied
	status code: 403, request id: 0V2P1MW8JGMBVYMD, host id: 46hIBBarcyeYoAxD45zRRohKZuwl8ubjnk3Fkj9c+KpqKPMzsto/ORjaEKHcyaC/oLFniSAekHw=

Also, although I understand that modifying the config file is the "correct" way to solve this issue, I would really prefer a solution that I can use on the command line (as part of the rclone command), because we have a GUI webapp built on top of rclone and it is set up to run without a config file, passing everything we need either as an environment variable or a command-line flag. Users do not necessarily have ~/.rclone.conf files or if they do, we can't count on them having the correct contents. So I really hope there is a way to make this work that does not depend on the config file.

FWIW, I get the same results when using --s3-acl bucket-owner-full-control.

Thank you!

BTW, I think this might be a regression. If I use v1.47.0, I do not have this problem. I have a different problem though:

$ rclone-v1.47.0-linux-amd64/rclone -vv copyto ./hi  s3:fh-pi-holland-e-eco/test/test.txt
2023/09/15 11:30:18 DEBUG : rclone: Version "v1.47.0" starting with parameters ["rclone-v1.47.0-linux-amd64/rclone" "-vv" "copyto" "./hi" "s3:fh-pi-holland-e-eco/test/test.txt"]
2023/09/15 11:30:18 DEBUG : Using config file from "/home/dtenenba/.rclone.conf"
2023/09/15 11:30:18 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:30:18 ERROR : test.txt: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "1e89d4325c3e754de1c0423effbb9f6c"
2023/09/15 11:30:18 INFO  : test.txt: Removing failed copy
2023/09/15 11:30:18 ERROR : Attempt 1/3 failed with 2 errors and: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "1e89d4325c3e754de1c0423effbb9f6c"
2023/09/15 11:30:18 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:30:19 ERROR : test.txt: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "07f7cee45aec7f5d3d6cb69f07ff303e"
2023/09/15 11:30:19 INFO  : test.txt: Removing failed copy
2023/09/15 11:30:19 ERROR : Attempt 2/3 failed with 2 errors and: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "07f7cee45aec7f5d3d6cb69f07ff303e"
2023/09/15 11:30:19 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:30:19 ERROR : test.txt: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "e9eb0598b7d446be4ffdb986724020d7"
2023/09/15 11:30:19 INFO  : test.txt: Removing failed copy
2023/09/15 11:30:19 ERROR : Attempt 3/3 failed with 2 errors and: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "e9eb0598b7d446be4ffdb986724020d7"
2023/09/15 11:30:19 Failed to copyto: corrupted on transfer: MD5 hash differ "764efa883dda1e11db47671c4a3bbd9e" vs "e9eb0598b7d446be4ffdb986724020d7"

If I comment out the acl = bucket-owner-full-control line in my rclone.conf then I get this:

$ rclone-v1.47.0-linux-amd64/rclone -vv copyto ./hi  s3:fh-pi-holland-e-eco/test/test.txt
2023/09/15 11:31:18 DEBUG : rclone: Version "v1.47.0" starting with parameters ["rclone-v1.47.0-linux-amd64/rclone" "-vv" "copyto" "./hi" "s3:fh-pi-holland-e-eco/test/test.txt"]
2023/09/15 11:31:18 DEBUG : Using config file from "/home/dtenenba/.rclone.conf"
2023/09/15 11:31:18 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:31:18 ERROR : hi: Failed to copy: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>09T4XKHKHX512Q5T</RequestId><HostId>Y4AASGPfIkgbQcRDyTGdHsZaBn0GKRMt/e954RfHHuSpDhCqRi4b1849b7W67XG+1LKyf1ZgahE=</HostId></Error>
2023/09/15 11:31:18 ERROR : Attempt 1/3 failed with 2 errors and: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>09T4XKHKHX512Q5T</RequestId><HostId>Y4AASGPfIkgbQcRDyTGdHsZaBn0GKRMt/e954RfHHuSpDhCqRi4b1849b7W67XG+1LKyf1ZgahE=</HostId></Error>
2023/09/15 11:31:19 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:31:19 ERROR : hi: Failed to copy: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>MW4EDG29HV306ZSM</RequestId><HostId>EhyXJffRscFThNasadeeBr6IkZymK8bsM3zWuKJNrb/24ZmdOagYShqxFz0e8sN8pNNwR9O6xd4=</HostId></Error>
2023/09/15 11:31:19 ERROR : Attempt 2/3 failed with 2 errors and: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>MW4EDG29HV306ZSM</RequestId><HostId>EhyXJffRscFThNasadeeBr6IkZymK8bsM3zWuKJNrb/24ZmdOagYShqxFz0e8sN8pNNwR9O6xd4=</HostId></Error>
2023/09/15 11:31:19 DEBUG : hi: Couldn't find file - need to transfer
2023/09/15 11:31:19 ERROR : hi: Failed to copy: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>MW46MYHYMJJ429EJ</RequestId><HostId>iboVLGLXhRU4xqkQBjOQKmTP1ZkUr7FY68lv2slHEsHYVIIC6YuPMBOq1aO3y9TEX2mTxDFk4OI=</HostId></Error>
2023/09/15 11:31:19 ERROR : Attempt 3/3 failed with 2 errors and: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>MW46MYHYMJJ429EJ</RequestId><HostId>iboVLGLXhRU4xqkQBjOQKmTP1ZkUr7FY68lv2slHEsHYVIIC6YuPMBOq1aO3y9TEX2mTxDFk4OI=</HostId></Error>
2023/09/15 11:31:19 Failed to copyto: s3 upload: 403 Forbidden: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>MW46MYHYMJJ429EJ</RequestId><HostId>iboVLGLXhRU4xqkQBjOQKmTP1ZkUr7FY68lv2slHEsHYVIIC6YuPMBOq1aO3y9TEX2mTxDFk4OI=</HostId></Error>

This tells me that v1.47.0 recognizes the presence of --acl bucket-owner-public-read and behaves differently depending on whether it is present or not, and v1.64.0 does not seem to.

It's not so important to me to find out why I got that data corrupted error, because I don't intend to go back and use older versions of rclone, but I did want to point out that this seems to be a regression.

EDIT: The file corruption error was due to the server_side_encryption = aws:kms line in rclone.conf. Commenting that line out makes the transfer work. We are going to go back to v1.47.0 until this is fixed.

Thanks

The usual solution to this problem is

  --s3-no-check-bucket      If set, don't attempt to check the bucket exists or create it

Which you can put in the config file as no_check_bucket = true

That does work. So it's not a regression I guess, but it is a behavior change from older versions (such as v1.47.0) which did not require --s3-no-check-bucket (I guess that flag didn't exist in that version?).

Thank you!

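Added example, not part of the thread or of rclone itself: a config-free upload that passes the posted [s3] options and the no_check_bucket fix as RCLONE_S3_* environment variables with an on-the-fly `:s3:` remote, plus a classifier for the three failure messages shown in the logs above. The function names and the log-file argument are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of rclone.

# Map an rclone -vv log file to the cause this thread identified for it.
classify_rclone_s3_log() {
    if grep -q 'failed to prepare upload: AccessDenied' "$1"; then
        # v1.64.0 log: resolved in the thread by --s3-no-check-bucket
        echo "bucket-check-denied"
    elif grep -q 'corrupted on transfer: MD5 hash differ' "$1"; then
        # v1.47.0 log: traced in the thread to server_side_encryption = aws:kms
        echo "md5-mismatch"
    elif grep -q 's3 upload: 403 Forbidden' "$1"; then
        # v1.47.0 log with the acl line commented out
        echo "upload-denied"
    elif grep -q ' ERROR : ' "$1"; then
        echo "other-error"
    else
        echo "ok"
    fi
}

# Upload without ~/.rclone.conf. ":s3:" creates the remote on the fly and the
# RCLONE_S3_* variables carry the options from the posted [s3] section, with
# no_check_bucket added so rclone does not try to check or create the bucket.
# Arguments: local file, "bucket/key" destination, path for the -vv log.
upload_without_config() {
    src=$1; dest=$2; log=$3
    status=0
    RCLONE_S3_PROVIDER=AWS \
    RCLONE_S3_ENV_AUTH=true \
    RCLONE_S3_REGION=us-west-2 \
    RCLONE_S3_ACL=bucket-owner-full-control \
    RCLONE_S3_NO_CHECK_BUCKET=true \
    rclone -vv --log-file "$log" copyto "$src" ":s3:$dest" || status=$?
    # Report which of the thread's failure modes, if any, the log matches.
    echo "result: $(classify_rclone_s3_log "$log")" >&2
    return "$status"
}
```

The same options can be given as flags instead (`--s3-acl`, `--s3-no-check-bucket` and so on) when environment variables are not convenient.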