Unable to upload file to bucket with PUT only IAM policy

CarlP · October 31, 2023, 3:40pm

What is the problem you are having with rclone?

I created a simple IAM policy to only allow "s3:PutObject" on 4 buckets, and I linked this policy to a user.
When I use the s3api, I can upload a file, and I can't "GET" it. That's what I expect.
When I try to upload a file using RClone with the same user to the same bucket, it doesn't work and end with a "forbidden" error.

Here is the IAM Policy :

{
	"Version":"2012-10-17"
	"Statement":[{
			"Effect":"Allow"
			"Resource":[
				"arn:aws:s3:::bucket1/*",
				"arn:aws:s3:::bucket2/*",
				"arn:aws:s3:::bucket3/*",
				"arn:aws:s3:::bucket4/*"
			]
			"Action":"s3:PutObject"
		}
	]
}

Run the command 'rclone version' and share the full output of the command.

rclone v1.64.0

os/version: Microsoft Windows Server 2022 Standard 21H2 (64 bit)
os/kernel: 10.0.20348.2031 (x86_64)
os/type: windows
os/arch: amd64
go/version: go1.21.1
go/linking: static
go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

I'm using Scality RING 8.5.8.0 (on-prem S3 storage)

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

rclone copy test.txt remote-name:bucket-name/ -vv --log-file=log.log

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[remote-name]
type = s3
provider = Other
access_key_id = XXX
secret_access_key = XXX
endpoint = https://<s3endpoint-url>
acl = private

A log from the command that you were trying to run with the `-vv` flag

2023/10/31 16:19:13 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "copy" "test.txt" "remote-name:bucket-name/" "-vv" "--log-file=log.log"]
2023/10/31 16:19:13 DEBUG : Creating backend with remote "test.txt"
2023/10/31 16:19:13 DEBUG : Using config file from "C:\\Users\\<user-profile-dir>\\AppData\\Roaming\\rclone\\rclone.conf"
2023/10/31 16:19:13 DEBUG : fs cache: adding new entry for parent of "test.txt", "//?/C:/Temp/rclone-v1.64.0-windows-amd64"
2023/10/31 16:19:13 DEBUG : Creating backend with remote "remote-name:bucket-name/"
2023/10/31 16:19:13 DEBUG : Resolving service "s3" region "us-east-1"
2023/10/31 16:19:13 DEBUG : fs cache: renaming cache item "remote-name:bucket-name/" to be canonical "remote-name:bucket-name"
2023/10/31 16:19:13 ERROR : Attempt 1/3 failed with 1 errors and: Forbidden: Forbidden
	status code: 403, request id: f9cbb552754e9e095ac9, host id: f9cbb552754e9e095ac9
2023/10/31 16:19:13 ERROR : Attempt 2/3 failed with 1 errors and: Forbidden: Forbidden
	status code: 403, request id: e92403540748bbd6dab9, host id: e92403540748bbd6dab9
2023/10/31 16:19:13 ERROR : Attempt 3/3 failed with 1 errors and: Forbidden: Forbidden
	status code: 403, request id: bd78f7e9e84c817c34ae, host id: bd78f7e9e84c817c34ae
2023/10/31 16:19:13 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Errors:                 1 (retrying may help)
Elapsed time:         0.1s

2023/10/31 16:19:13 DEBUG : 4 go routines active
2023/10/31 16:19:13 Failed to copy: Forbidden: Forbidden
	status code: 403, request id: bd78f7e9e84c817c34ae, host id: bd78f7e9e84c817c34ae

asdffdsa · October 31, 2023, 3:51pm

welcome to the forum,

that is possible, i have done that, i wrote about it in the forum.
i have a script i wrote, i will try to find it.

asdffdsa · October 31, 2023, 4:01pm

maybe this is the topic.
https://forum.rclone.org/t/in-some-cases-rclone-does-not-use-etag-to-verify-files/36095

edit: here is an an example i posted
https://forum.rclone.org/t/copy-to-aws-s3-with-minimal-policy/35136/5?u=asdffdsa

asdffdsa · October 31, 2023, 4:10pm

and this is the policy i used

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000065159:user/zork"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::minimal/*",
        "arn:aws:s3:::minimal"
      ]
    }
  ]
}

CarlP · November 2, 2023, 8:43am

Hi asdffdsa, and thanks for your replies.
I just tried using the command you suggest in the other thread :

rclone copy test.txt remote-name:bucket-name -vv --s3-no-check-bucket --s3-no-head --s3-no-head-object

But unfortunately with no luck :

2023/11/02 09:39:43 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "copy" "test.txt" "remote-name:bucket-name" "-vv" "--s3-no-check-bucket" "--s3-no-head" "--s3-no-head-object"]
2023/11/02 09:39:43 DEBUG : Creating backend with remote "test.txt"
2023/11/02 09:39:43 DEBUG : Using config file from "C:\\Users\\<user_profile_dir>\\AppData\\Roaming\\rclone\\rclone.conf"
2023/11/02 09:39:43 DEBUG : fs cache: adding new entry for parent of "test.txt", "//?/C:/Temp/rclone-v1.64.0-windows-amd64"
2023/11/02 09:39:43 DEBUG : Creating backend with remote "remote-name:bucket-name"
2023/11/02 09:39:43 DEBUG : remote-name: detected overridden config - adding "{ECHgI}" suffix to name
2023/11/02 09:39:43 DEBUG : Resolving service "s3" region "us-east-1"
2023/11/02 09:39:43 DEBUG : fs cache: renaming cache item "remote-name:bucket-name" to be canonical "remote-name:{ECHgI}:bucket-name"
2023/11/02 09:39:43 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/02 09:39:43 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: aa72403bb747a203e5d1, host id: aa72403bb747a203e5d1
2023/11/02 09:39:43 ERROR : Attempt 1/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: aa72403bb747a203e5d1, host id: aa72403bb747a203e5d1
2023/11/02 09:39:43 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/02 09:39:43 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: c8f47ccc154c8b9ee02a, host id: c8f47ccc154c8b9ee02a
2023/11/02 09:39:43 ERROR : Attempt 2/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: c8f47ccc154c8b9ee02a, host id: c8f47ccc154c8b9ee02a
2023/11/02 09:39:43 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/02 09:39:43 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: ff83f360864a8666ad43, host id: ff83f360864a8666ad43
2023/11/02 09:39:43 ERROR : Attempt 3/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: ff83f360864a8666ad43, host id: ff83f360864a8666ad43
2023/11/02 09:39:43 INFO  :
Transferred:             12 B / 12 B, 100%, 0 B/s, ETA -
Errors:                 1 (retrying may help)
Elapsed time:         0.2s

2023/11/02 09:39:43 DEBUG : 5 go routines active
2023/11/02 09:39:43 Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: ff83f360864a8666ad43, host id: ff83f360864a8666ad43

The policy I use is very similar to the one you posted in the other thread, exepct for the part with the "principal". Do you think this part is mandatory ? The policy is linked to the user already.
I've changed the "resource" to eliminate errors :

{
	"Version":"2012-10-17"
	"Statement":[{
			"Effect":"Allow"
			"Resource":[
				"*"
			]
			"Action":"s3:PutObject"
		}
	]
}

I'm very new in this, so pardon me if I seem to ask stupid questions

asdffdsa · November 2, 2023, 1:04pm

TL;DR - not 100% sure, i always use principal. not sure i have ever tried without principal

and now here is the long answer why i always use principal

with my backup script, there are always two level of polices.
--- user policy - requires MFA login, else no access to any s3 resource
--- bucket policy

if you use rclone.conf, and someone stole it, they would have access to your s3 resources.

however, with this user policy, if someone stole your rclone config file, it would be useless to them.
to access S3, would need client_id and client_secret from the config file.
in addition, the backup script would have to generate an additional on-the-fly MFA token which is not contained in the rclone config file.
then after creating the token, would need to feed that to rclone using
Env Var: RCLONE_S3_SESSION_TOKEN

so this is the user policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

and this s the bucket policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000065159:user/zork"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::minimal/*",
        "arn:aws:s3:::minimal"
      ]
    }
  ]
}

CarlP · November 3, 2023, 11:05am

I think Scality handles the "Principal" part automatically.
There is an admin console, in which I can create users, groups and policies, and then, I can link policies to groups or users, so it probably adds the "Principal" part to the policies on the fly.
The thing is : it works as expected when I use s3api with aws commands, but not when I use RClone, so the issue doesn't seem to come from the policy.
Here is the aws working command :

aws --region us-east-1 --endpoint-url https://<endpoint_url> --profile user-profile s3api put-object --bucket bucket-name --key test_s3api_file --body /path/to/file --no-verify-ssl

Here is the non working RClone command :

rclone copy test.txt remote-name:bucket-name -vv --s3-no-check-bucket --s3-no-head --s3-no-head-object

In both cases, of course, I use the same user.

ncw · November 3, 2023, 11:17am

Try your test with --dump headers also and it will show exactly which HTTP transaction is failing which should give a clue on how to fix it.

CarlP · November 3, 2023, 1:20pm

Hi ncw.
Here is the output with the "--dump headers" option :

C:\Temp\rclone-v1.64.0-windows-amd64>rclone copy test.txt remote-name:bucket-name -vv --s3-no-check-bucket --s3-no-head --s3-no-head-object --dump headers
2023/11/03 14:11:48 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "copy" "test.txt" "remote-name:bucket-name" "-vv" "--s3-no-check-bucket" "--s3-no-head" "--s3-no-head-object" "--dump" "headers"]
2023/11/03 14:11:48 DEBUG : Creating backend with remote "test.txt"
2023/11/03 14:11:48 DEBUG : Using config file from "C:\\Users\\<user-profile-dir>\\AppData\\Roaming\\rclone\\rclone.conf"
2023/11/03 14:11:48 DEBUG : fs cache: adding new entry for parent of "test.txt", "//?/C:/Temp/rclone-v1.64.0-windows-amd64"
2023/11/03 14:11:48 DEBUG : Creating backend with remote "remote-name:bucket-name"
2023/11/03 14:11:48 DEBUG : remote-name detected overridden config - adding "{ECHgI}" suffix to name
2023/11/03 14:11:48 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2023/11/03 14:11:48 DEBUG : Resolving service "s3" region "us-east-1"
2023/11/03 14:11:48 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2023/11/03 14:11:48 DEBUG : fs cache: renaming cache item "remote-name:bucket-name" to be canonical "remote-name{ECHgI}:bucket-name"
2023/11/03 14:11:48 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/03 14:11:48 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:48 DEBUG : HTTP REQUEST (req 0xc000826700)
2023/11/03 14:11:48 DEBUG : PUT /bucket-name/test.txt HTTP/1.1
Host: <endpoint-url>
User-Agent: rclone/v1.64.0
Content-Length: 4
Authorization: XXXX
Content-Md5: 9x2+UmKKP4OnerSUgXUlxg==
Content-Type: text/plain; charset=utf-8
X-Amz-Acl: private
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20231103T131148Z
X-Amz-Meta-Mtime: 1698763782.3666464
Accept-Encoding: gzip

2023/11/03 14:11:48 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:48 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:48 DEBUG : HTTP RESPONSE (req 0xc000826700)
2023/11/03 14:11:48 DEBUG : HTTP/1.1 403 Forbidden
Content-Length: 174
Connection: keep-alive
Content-Type: application/xml
Date: Fri, 03 Nov 2023 13:11:48 GMT
Server: openresty
Strict-Transport-Security: max-age=31536000; includeSubdomains ; preload
X-Amz-Id-2: df796f3a784f9523f952
X-Amz-Request-Id: df796f3a784f9523f952

2023/11/03 14:11:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:49 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: df796f3a784f9523f952, host id: df796f3a784f9523f952
2023/11/03 14:11:49 ERROR : Attempt 1/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: df796f3a784f9523f952, host id: df796f3a784f9523f952
2023/11/03 14:11:49 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/03 14:11:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:49 DEBUG : HTTP REQUEST (req 0xc000b30200)
2023/11/03 14:11:49 DEBUG : PUT /bucket-name/test.txt HTTP/1.1
Host: <endpoint-url>
User-Agent: rclone/v1.64.0
Content-Length: 4
Authorization: XXXX
Content-Md5: 9x2+UmKKP4OnerSUgXUlxg==
Content-Type: text/plain; charset=utf-8
X-Amz-Acl: private
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20231103T131149Z
X-Amz-Meta-Mtime: 1698763782.3666464
Accept-Encoding: gzip

2023/11/03 14:11:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:49 DEBUG : HTTP RESPONSE (req 0xc000b30200)
2023/11/03 14:11:49 DEBUG : HTTP/1.1 403 Forbidden
Content-Length: 174
Connection: keep-alive
Content-Type: application/xml
Date: Fri, 03 Nov 2023 13:11:49 GMT
Server: openresty
Strict-Transport-Security: max-age=31536000; includeSubdomains ; preload
X-Amz-Id-2: 65d9e715174ab6192107
X-Amz-Request-Id: 65d9e715174ab6192107

2023/11/03 14:11:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:49 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: 65d9e715174ab6192107, host id: 65d9e715174ab6192107
2023/11/03 14:11:49 ERROR : Attempt 2/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: 65d9e715174ab6192107, host id: 65d9e715174ab6192107
2023/11/03 14:11:49 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/03 14:11:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:49 DEBUG : HTTP REQUEST (req 0xc000b30900)
2023/11/03 14:11:49 DEBUG : PUT /bucket-name/test.txt HTTP/1.1
Host: <endpoint-url>
User-Agent: rclone/v1.64.0
Content-Length: 4
Authorization: XXXX
Content-Md5: 9x2+UmKKP4OnerSUgXUlxg==
Content-Type: text/plain; charset=utf-8
X-Amz-Acl: private
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20231103T131149Z
X-Amz-Meta-Mtime: 1698763782.3666464
Accept-Encoding: gzip

2023/11/03 14:11:49 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 14:11:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:49 DEBUG : HTTP RESPONSE (req 0xc000b30900)
2023/11/03 14:11:49 DEBUG : HTTP/1.1 403 Forbidden
Content-Length: 174
Connection: keep-alive
Content-Type: application/xml
Date: Fri, 03 Nov 2023 13:11:49 GMT
Server: openresty
Strict-Transport-Security: max-age=31536000; includeSubdomains ; preload
X-Amz-Id-2: e2fd01d6b248ac76bb66
X-Amz-Request-Id: e2fd01d6b248ac76bb66

2023/11/03 14:11:49 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 14:11:49 ERROR : test.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: e2fd01d6b248ac76bb66, host id: e2fd01d6b248ac76bb66
2023/11/03 14:11:49 ERROR : Attempt 3/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: e2fd01d6b248ac76bb66, host id: e2fd01d6b248ac76bb66
2023/11/03 14:11:49 INFO  :
Transferred:             12 B / 12 B, 100%, 0 B/s, ETA -
Errors:                 1 (retrying may help)
Elapsed time:         0.4s

2023/11/03 14:11:49 DEBUG : 5 go routines active
2023/11/03 14:11:49 Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: e2fd01d6b248ac76bb66, host id: e2fd01d6b248ac76bb66

I haven't tried to do the same from a Linux client, but I don't see why it could be different. Should I give it a try ?

asdffdsa · November 3, 2023, 1:56pm

no, that is not the issue.

as a side note, add --retries=1, to keep the log smaller.

rclone seems to behaving correctly based on the --s3-no flags.

without the --s3-no flags, rclone would perform these additional requests before trying to PUT the file

HEAD /file.ext
PUT /

Here is the aws working command :
aws --region us-east-1 --endpoint-url https://<endpoint_url> --profile user-profile s3api put-object --bucket bucket-name --key test_s3api_file --body /path/to/file --no-verify-ssl`

plese post the full debug output including headers.
using a standard rclone bucket policy from the docs, have you been able to upload to scailty?
that command has --no-verify-ssl but your rclone command does not?
that command has --region but your rclone config/command does not?
maybe, with rclone, you are using the incorrect keys or a limited user?

maybe ncw sees something different?
imho, using a put only policy has significant limitations, what is wrong with adding s3:ListBucket?

ncw · November 3, 2023, 3:19pm

Rclone is getting the permission denied at the PUT.

This appears to be allowed by the policy.

So I'm guessing the problem is elsewhere - perhaps the access_key_id or , secret_access_key are wrong? Or it is using the wrong user? Worth a double check I think.

No! I'm well out of my depth with s3 permissions now

CarlP · November 3, 2023, 3:31pm

Hi asdffdsa.

The full debug is at the end of this post.
When modifiying the policy to set "s3:Put*" instead of "s3:PutObject", I'm able to upload files. Here is the output :

C:\Temp\rclone-v1.64.0-windows-amd64>rclone copy test.txt <remote-name>:<bucket-name> -vv --s3-no-check-bucket --s3-no-head --s3-no-head-object --retries=1 --dump headers
2023/11/03 16:20:57 DEBUG : rclone: Version "v1.64.0" starting with parameters ["rclone" "copy" "test.txt" "<remote-name>:<bucket-name>" "-vv" "--s3-no-check-bucket" "--s3-no-head" "--s3-no-head-object" "--retries=1" "--dump" "headers"]
2023/11/03 16:20:57 DEBUG : Creating backend with remote "test.txt"
2023/11/03 16:20:57 DEBUG : Using config file from "C:\\Users\\<user-profile-dir>\\AppData\\Roaming\\rclone\\rclone.conf"
2023/11/03 16:20:57 DEBUG : fs cache: adding new entry for parent of "test.txt", "//?/C:/Temp/rclone-v1.64.0-windows-amd64"
2023/11/03 16:20:57 DEBUG : Creating backend with remote "<remote-name>:<bucket-name>"
2023/11/03 16:20:57 DEBUG : <remote-name>: detected overridden config - adding "{ECHgI}" suffix to name
2023/11/03 16:20:57 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2023/11/03 16:20:57 DEBUG : Resolving service "s3" region "us-east-1"
2023/11/03 16:20:57 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2023/11/03 16:20:57 DEBUG : fs cache: renaming cache item "<remote-name>:<bucket-name>" to be canonical "<remote-name>{ECHgI}:<bucket-name>"
2023/11/03 16:20:57 DEBUG : test.txt: Sizes differ (src 4 vs dst 0)
2023/11/03 16:20:57 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 16:20:57 DEBUG : HTTP REQUEST (req 0xc0008ca700)
2023/11/03 16:20:57 DEBUG : PUT /<bucket-name>/test.txt HTTP/1.1
Host: vip-scring.ceb.org
User-Agent: rclone/v1.64.0
Content-Length: 4
Authorization: XXXX
Content-Md5: 9x2+UmKKP4OnerSUgXUlxg==
Content-Type: text/plain; charset=utf-8
X-Amz-Acl: private
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20231103T152057Z
X-Amz-Meta-Mtime: 1698763782.3666464
Accept-Encoding: gzip

2023/11/03 16:20:57 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2023/11/03 16:20:57 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 16:20:57 DEBUG : HTTP RESPONSE (req 0xc0008ca700)
2023/11/03 16:20:57 DEBUG : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Connection: keep-alive
Date: Fri, 03 Nov 2023 15:20:57 GMT
Etag: "f71dbe52628a3f83a77ab494817525c6"
Server: openresty
Strict-Transport-Security: max-age=31536000; includeSubdomains ; preload
X-Amz-Id-2: f983af431948a2295535
X-Amz-Request-Id: f983af431948a2295535
X-Amz-Version-Id: 3938333030393735313432383137393939393939524730303120203931322e31393532362e3430

2023/11/03 16:20:57 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2023/11/03 16:20:57 DEBUG : test.txt: md5 = f71dbe52628a3f83a77ab494817525c6 OK
2023/11/03 16:20:57 INFO  : test.txt: Copied (replaced existing)
2023/11/03 16:20:57 INFO  :
Transferred:              4 B / 4 B, 100%, 0 B/s, ETA -
Transferred:            1 / 1, 100%
Elapsed time:         0.2s

2023/11/03 16:20:57 DEBUG : 5 go routines active

The --no-verify-ssl is set because the machine from which I use aws commands doesn't have the internal root CA certificate. Anyway, I just tried with --no-check-certificate for rclone, but it doesn't help.
I'm using the same keys in both cases.

Full log from aws command :

[root@sv-ceb-scsup01 ~]# aws --region us-east-1 --endpoint-url https://<endpoint-url> --profile <user-profile> s3api put-object --bucket <bucket-name> --key test_s3api_file --body /root/ssacli-all-config.log --no-verify-ssl --debug
2023-11-03 15:56:53,665 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-477.27.1.el8_8.x86_64 botocore/1.26.10
2023-11-03 15:56:53,666 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--region', 'us-east-1', '--endpoint-url', 'https://<endpoint-url>', '--profile', '<user-profile>', 's3api', 'put-object', '--bucket', '<bucket-name>', '--key', 'test_s3api_file', '--body', '/root/ssacli-all-config.log', '--no-verify-ssl', '--debug']
2023-11-03 15:56:53,666 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x7f29f5986d90>
2023-11-03 15:56:53,666 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7f29f6781510>
2023-11-03 15:56:53,666 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7f29f67342f0>
2023-11-03 15:56:53,668 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2023-11-03 15:56:53,670 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2023-11-03 15:56:53,670 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7f29f5ab38c8>
2023-11-03 15:56:53,673 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/s3/2006-03-01/service-2.json
2023-11-03 15:56:53,685 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3api: calling handler <function add_waiters at 0x7f29f59122f0>
2023-11-03 15:56:53,693 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/s3/2006-03-01/waiters-2.json
2023-11-03 15:56:53,696 - MainThread - awscli.clidriver - DEBUG - OrderedDict([('acl', <awscli.arguments.CLIArgument object at 0x7f29f54d4ac8>), ('body', <awscli.arguments.CLIArgument object at 0x7f29f54d4b38>), ('bucket', <awscli.arguments.CLIArgument object at 0x7f29f54d4ba8>), ('cache-control', <awscli.arguments.CLIArgument object at 0x7f29f54d4be0>), ('content-disposition', <awscli.arguments.CLIArgument object at 0x7f29f54d4c18>), ('content-encoding', <awscli.arguments.CLIArgument object at 0x7f29f54d4c88>), ('content-language', <awscli.arguments.CLIArgument object at 0x7f29f54d4c50>), ('content-length', <awscli.arguments.CLIArgument object at 0x7f29f54d4cc0>), ('content-md5', <awscli.arguments.CLIArgument object at 0x7f29f54d4cf8>), ('content-type', <awscli.arguments.CLIArgument object at 0x7f29f54d4d68>), ('checksum-algorithm', <awscli.arguments.CLIArgument object at 0x7f29f54d4d30>), ('checksum-crc32', <awscli.arguments.CLIArgument object at 0x7f29f54d4da0>), ('checksum-crc32-c', <awscli.arguments.CLIArgument object at 0x7f29f54d4dd8>), ('checksum-sha1', <awscli.arguments.CLIArgument object at 0x7f29f54d4e10>), ('checksum-sha256', <awscli.arguments.CLIArgument object at 0x7f29f54d4e48>), ('expires', <awscli.arguments.CLIArgument object at 0x7f29f54d4eb8>), ('grant-full-control', <awscli.arguments.CLIArgument object at 0x7f29f54d4ef0>), ('grant-read', <awscli.arguments.CLIArgument object at 0x7f29f54d4f28>), ('grant-read-acp', <awscli.arguments.CLIArgument object at 0x7f29f54d4f60>), ('grant-write-acp', <awscli.arguments.CLIArgument object at 0x7f29f54d4f98>), ('key', <awscli.arguments.CLIArgument object at 0x7f29f568c048>), ('metadata', <awscli.arguments.CLIArgument object at 0x7f29f568c080>), ('server-side-encryption', <awscli.arguments.CLIArgument object at 0x7f29f568c0b8>), ('storage-class', <awscli.arguments.CLIArgument object at 0x7f29f568c0f0>), ('website-redirect-location', <awscli.arguments.CLIArgument object at 0x7f29f568c128>), ('sse-customer-algorithm', <awscli.arguments.CLIArgument object at 0x7f29f568c160>), ('sse-customer-key', <awscli.arguments.CLIArgument object at 0x7f29f568c198>), ('sse-customer-key-md5', <awscli.arguments.CLIArgument object at 0x7f29f568c1d0>), ('ssekms-key-id', <awscli.arguments.CLIArgument object at 0x7f29f568c208>), ('ssekms-encryption-context', <awscli.arguments.CLIArgument object at 0x7f29f568c240>), ('bucket-key-enabled', <awscli.arguments.BooleanArgument object at 0x7f29f568c278>), ('no-bucket-key-enabled', <awscli.arguments.BooleanArgument object at 0x7f29f568c2b0>), ('request-payer', <awscli.arguments.CLIArgument object at 0x7f29f568c2e8>), ('tagging', <awscli.arguments.CLIArgument object at 0x7f29f568c358>), ('object-lock-mode', <awscli.arguments.CLIArgument object at 0x7f29f54d02e8>), ('object-lock-retain-until-date', <awscli.arguments.CLIArgument object at 0x7f29f54d0f28>), ('object-lock-legal-hold-status', <awscli.arguments.CLIArgument object at 0x7f29f5894550>), ('expected-bucket-owner', <awscli.arguments.CLIArgument object at 0x7f29f589f080>)])
2023-11-03 15:56:53,696 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.put-object: calling handler <function add_streaming_output_arg at 0x7f29f59880d0>
2023-11-03 15:56:53,696 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.put-object: calling handler <function add_cli_input_json at 0x7f29f6734950>
2023-11-03 15:56:53,697 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.put-object: calling handler <function unify_paging_params at 0x7f29f5a09488>
2023-11-03 15:56:53,704 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/s3/2006-03-01/paginators-1.json
2023-11-03 15:56:53,704 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.put-object: calling handler <function add_generate_skeleton at 0x7f29f59ed400>
2023-11-03 15:56:53,705 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.s3api.put-object: calling handler <bound method OverrideRequiredArgsArgument.override_required_args of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f29f568c3c8>>
2023-11-03 15:56:53,705 - MainThread - botocore.hooks - DEBUG - Event before-building-argument-table-parser.s3api.put-object: calling handler <bound method GenerateCliSkeletonArgument.override_required_args of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f29f568c400>>
2023-11-03 15:56:53,707 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.acl: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,707 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.body: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,707 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.put-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f29f67800f0>
2023-11-03 15:56:53,707 - MainThread - awscli.arguments - DEBUG - Unpacked value of '/root/ssacli-all-config.log' for parameter "body": <_io.BufferedReader name='/root/ssacli-all-config.log'>
2023-11-03 15:56:53,707 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.bucket: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,707 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.put-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f29f67800f0>
2023-11-03 15:56:53,708 - MainThread - awscli.arguments - DEBUG - Unpacked value of '<bucket-name>' for parameter "bucket": '<bucket-name>'
2023-11-03 15:56:53,708 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.cache-control: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,708 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-disposition: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,708 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-encoding: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,708 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-language: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,708 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-length: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-md5: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.content-type: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.checksum-algorithm: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.checksum-crc32: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.checksum-crc32-c: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,709 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.checksum-sha1: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,710 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.checksum-sha256: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,710 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.expires: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,710 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.grant-full-control: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,710 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.grant-read: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,710 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.grant-read-acp: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.grant-write-acp: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.key: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.put-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x7f29f67800f0>
2023-11-03 15:56:53,711 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'test_s3api_file' for parameter "key": 'test_s3api_file'
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.metadata: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.server-side-encryption: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.storage-class: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,711 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.website-redirect-location: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.sse-customer-algorithm: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.sse-customer-key: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.sse-customer-key-md5: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.ssekms-key-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.ssekms-encryption-context: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,712 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.bucket-key-enabled: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Changing event name from load-cli-arg.s3.put-object.tagging to load-cli-arg.s3.put-object.resource-groups-tagging-api
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.resource-groups-tagging-api: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.object-lock-mode: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.object-lock-retain-until-date: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,713 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.object-lock-legal-hold-status: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,714 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.expected-bucket-owner: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,714 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.cli-input-json: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,714 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.put-object.generate-cli-skeleton: calling handler <awscli.paramfile.URIArgumentHandler object at 0x7f29fb7dbe80>
2023-11-03 15:56:53,714 - MainThread - botocore.hooks - DEBUG - Event calling-command.s3api.put-object: calling handler <bound method CliInputJSONArgument.add_to_call_parameters of <awscli.customizations.cliinputjson.CliInputJSONArgument object at 0x7f29f568c3c8>>
2023-11-03 15:56:53,714 - MainThread - botocore.hooks - DEBUG - Event calling-command.s3api.put-object: calling handler <bound method GenerateCliSkeletonArgument.generate_json_skeleton of <awscli.customizations.generatecliskeleton.GenerateCliSkeletonArgument object at 0x7f29f568c400>>
2023-11-03 15:56:53,714 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2023-11-03 15:56:53,715 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2023-11-03 15:56:53,715 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2023-11-03 15:56:53,715 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2023-11-03 15:56:53,715 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2023-11-03 15:56:53,716 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/endpoints.json
2023-11-03 15:56:53,733 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/sdk-default-configuration.json
2023-11-03 15:56:53,733 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7f29f74a67b8>
2023-11-03 15:56:53,736 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x7f29f76fd8c8>
2023-11-03 15:56:53,736 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x7f29f76fd6a8>
2023-11-03 15:56:53,739 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2023-11-03 15:56:53,740 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/botocore/data/_retry.json
2023-11-03 15:56:53,740 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: s3
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <function validate_ascii_metadata at 0x7f29f743f950>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <function sse_md5 at 0x7f29f743bd90>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <function convert_body_to_file_like_object at 0x7f29f7443268>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <function validate_bucket_name at 0x7f29f743bd08>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x7f29f51fca20>>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <bound method S3ArnParamHandler.handle_arn of <botocore.utils.S3ArnParamHandler object at 0x7f29f51df0f0>>
2023-11-03 15:56:53,742 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.PutObject: calling handler <function generate_idempotent_uuid at 0x7f29f743bb70>
2023-11-03 15:56:53,743 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.PutObject: calling handler <function conditionally_calculate_md5 at 0x7f29f7de8a60>
2023-11-03 15:56:53,743 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.PutObject: calling handler <function add_expect_header at 0x7f29f743f0d0>
2023-11-03 15:56:53,743 - MainThread - botocore.handlers - DEBUG - Adding expect 100 continue header to request.
2023-11-03 15:56:53,743 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.PutObject: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x7f29f51fca20>>
2023-11-03 15:56:53,743 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.PutObject: calling handler <function add_recursion_detection_header at 0x7f29f743b840>
2023-11-03 15:56:53,743 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.PutObject: calling handler <function inject_api_version_header_if_needed at 0x7f29f7443378>
2023-11-03 15:56:53,743 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=PutObject) with params: {'url_path': '/<bucket-name>/test_s3api_file', 'query_string': {}, 'method': 'PUT', 'headers': {'User-Agent': 'aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-477.27.1.el8_8.x86_64 botocore/1.26.10', 'Content-MD5': 'uJPS0xNxGJTLXgub9k1gaQ==', 'Expect': '100-continue'}, 'body': <_io.BufferedReader name='/root/ssacli-all-config.log'>, 'url': 'https://<endpoint-url>/<bucket-name>/test_s3api_file', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x7f29f51fc668>, 'has_streaming_input': True, 'auth_type': None, 'signing': {'bucket': '<bucket-name>'}}}
2023-11-03 15:56:53,744 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.PutObject: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7f29f51fc630>>
2023-11-03 15:56:53,744 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.PutObject: calling handler <bound method S3EndpointSetter.set_signer of <botocore.utils.S3EndpointSetter object at 0x7f29f51df160>>
2023-11-03 15:56:53,744 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.PutObject: calling handler <bound method ClientCreator._default_s3_presign_to_sigv2 of <botocore.client.ClientCreator object at 0x7f29f52479e8>>
2023-11-03 15:56:53,744 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.PutObject: calling handler <function set_operation_specific_signer at 0x7f29f743ba60>
2023-11-03 15:56:53,744 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.PutObject: calling handler <bound method S3EndpointSetter.set_endpoint of <botocore.utils.S3EndpointSetter object at 0x7f29f51df160>>
2023-11-03 15:56:53,744 - MainThread - botocore.utils - DEBUG - Using S3 path style addressing.
2023-11-03 15:56:53,745 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2023-11-03 15:56:53,745 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
PUT
/<bucket-name>/test_s3api_file

content-md5:uJPS0xNxGJTLXgub9k1gaQ==
host:<endpoint-url>
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20231103T145653Z

content-md5;host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD
2023-11-03 15:56:53,745 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20231103T145653Z
20231103/us-east-1/s3/aws4_request
5ff3578f0ece57b5322ad6bc6334e45db5a82d778b4308935d2029f8b4c57201
2023-11-03 15:56:53,745 - MainThread - botocore.auth - DEBUG - Signature:
03de04107738d24196e8d9797ccdc2edaa19b02f6a5fab55055313549cc15a93
2023-11-03 15:56:53,745 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.PutObject: calling handler <function add_retry_headers at 0x7f29f74439d8>
2023-11-03 15:56:53,745 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://<endpoint-url>/<bucket-name>/test_s3api_file, headers={'User-Agent': b'aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-477.27.1.el8_8.x86_64 botocore/1.26.10', 'Content-MD5': b'uJPS0xNxGJTLXgub9k1gaQ==', 'Expect': b'100-continue', 'X-Amz-Date': b'20231103T145653Z', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'Authorization': b'AWS4-HMAC-SHA256 Credential=JCCCFMFJCEZ2UE8VYWOI/20231103/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date, Signature=03de04107738d24196e8d9797ccdc2edaa19b02f6a5fab55055313549cc15a93', 'amz-sdk-invocation-id': b'58bd96a5-a1dd-4f01-97de-0540857f11e7', 'amz-sdk-request': b'attempt=1', 'Content-Length': '7501'}>
2023-11-03 15:56:53,747 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): <endpoint-url>:443
/srv/scality/s3/s3-offline-7.10.8.0/venv/lib/python3.6/site-packages/urllib3/connectionpool.py:1063: InsecureRequestWarning: Unverified HTTPS request is being made to host '<endpoint-url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
2023-11-03 15:56:53,752 - MainThread - botocore.awsrequest - DEBUG - Waiting for 100 Continue response.
2023-11-03 15:56:53,753 - MainThread - botocore.awsrequest - DEBUG - 100 Continue response seen, now sending request body.
2023-11-03 15:56:53,795 - MainThread - urllib3.connectionpool - DEBUG - https://<endpoint-url>:443 "PUT /<bucket-name>/test_s3api_file HTTP/1.1" 200 None
2023-11-03 15:56:53,796 - MainThread - botocore.parsers - DEBUG - Response headers: {'Server': 'openresty', 'Date': 'Fri, 03 Nov 2023 14:56:53 GMT', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'ETag': '"b893d2d313711894cb5e0b9bf64d6069"', 'x-amz-version-id': '3938333030393736353836323132393939393939524730303120203931322e31393531322e3231', 'x-amz-id-2': '79c5c5700345b2025d57', 'x-amz-request-id': '79c5c5700345b2025d57', 'Strict-Transport-Security': 'max-age=31536000; includeSubdomains ; preload'}
2023-11-03 15:56:53,796 - MainThread - botocore.parsers - DEBUG - Response body:
b''
2023-11-03 15:56:53,796 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.PutObject: calling handler <botocore.retryhandler.RetryHandler object at 0x7f29f51fc9b0>
2023-11-03 15:56:53,797 - MainThread - botocore.retryhandler - DEBUG - No retry needed.
2023-11-03 15:56:53,797 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.PutObject: calling handler <bound method S3RegionRedirector.redirect_from_error of <botocore.utils.S3RegionRedirector object at 0x7f29f51fca20>>
2023-11-03 15:56:53,797 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.PutObject: calling handler <function enhance_error_msg at 0x7f29f5986950>
2023-11-03 15:56:53,797 - MainThread - awscli.formatter - DEBUG - RequestId: 79c5c5700345b2025d57
{
    "ETag": "\"b893d2d313711894cb5e0b9bf64d6069\"",
    "VersionId": "3938333030393736353836323132393939393939524730303120203931322e31393531322e3231"
}

So I miss a "s3:Put<something>" with RClone that is not needed with aws command, that's weired

asdffdsa · November 3, 2023, 3:59pm

maybe, i figured it out.

i compared your debug log against my debug log.
X-Amz-Acl: private is in your dump but not my dump.

i have never used ACL, only principal
fwiw, ACL is not recommend by AWS and i believe disabled by default.

so i would try "s3:PutObject", "s3:PutBucketAcl"

CarlP · November 3, 2023, 4:30pm

Wow ! Nice shot ! Indeed, I removed the "acl = private" from my rclone.conf, and it works now !
I'll ask Scality if this is mandatory or not, but I don't think so. I don't really know why this was set, but it might come from an old config template.
Thanks a lot for your time on this issue. Very appreciated !

system · November 6, 2023, 4:31pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.