Describe the bug
📋 Description
When S3 bucket shares are created and verified in data.all, the IAM policies and S3 bucket policies are missing the s3:GetObjectAttributes permission. This permission is required for modern S3 client operations and should be included alongside s3:GetObject in read-only permissions.
💥 Why This Permission is Needed
The s3:GetObjectAttributes permission is required for:
- Modern AWS SDK operations that retrieve object metadata
- S3 Select queries
- Object integrity checks (ETag, checksums)
- Compliance with AWS best practices for read-only access
Without this permission, consumers may encounter AccessDenied errors when using certain S3 API operations on shared objects.
📦 Impact
Affected Components
- S3 Bucket shares (both full bucket and storage locations)
- IAM managed policies for requestor principals
- S3 bucket policies with dataall-readonly-statement SID
- Share verification checks
Affected Users
- Data consumers who access shared S3 buckets
- Applications using modern AWS SDKs with S3 operations
🔧 Proposed Solution
- Update Permission Definitions

File: backend/dataall/modules/s3_datasets_shares/services/share_managers/s3_utils.py

```python
SID_TO_ACTIONS = {
    DATAALL_READ_ONLY_SID: ['s3:List*', 's3:GetObject', 's3:GetObjectAttributes'],  # Added
    DATAALL_WRITE_ONLY_SID: ['s3:PutObject'],
    DATAALL_MODIFY_ONLY_SID: ['s3:DeleteObject'],
    # ... other SIDs
}
```

File: backend/dataall/modules/s3_datasets_shares/services/s3_share_managed_policy_service.py

```python
S3_ALLOWED_ACTIONS = ['s3:List*', 's3:Describe*', 's3:GetObject', 's3:GetObjectAttributes']  # Added
```

- Share Verification

The share verification logic should validate that s3:GetObjectAttributes is present in:
- IAM policy statements
- S3 bucket policy statements
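As an added example of the verification check proposed above (this is not data.all's own code), the following checks whether the Allow statement carrying the read-only Sid grants every required action, using IAM's case-insensitive wildcard matching so that s3:List* is accepted for s3:ListBucket while s3:GetObject is not accepted for s3:GetObjectAttributes. The Sid constant, the required-action list and the sample bucket policy are assumptions constructed for this example.

```python
import fnmatch

# Assumed for this example: the Sid value the issue names, and a representative
# required-action list (neither is taken from the data.all code base).
DATAALL_READ_ONLY_SID = 'dataall-readonly-statement'
REQUIRED_READ_ONLY_ACTIONS = ['s3:ListBucket', 's3:GetObject', 's3:GetObjectAttributes']


def _actions_of(statement):
    """Normalise Statement['Action'] (a string or a list) to lowercase patterns."""
    actions = statement.get('Action', [])
    if isinstance(actions, str):
        actions = [actions]
    return [a.lower() for a in actions]


def _granted(required_action, patterns):
    """IAM action names are case-insensitive and allow '*' / '?' wildcards,
    which fnmatch reproduces; the whole action must match the pattern."""
    return any(fnmatch.fnmatchcase(required_action.lower(), p) for p in patterns)


def missing_read_only_actions(policy_document, sid=DATAALL_READ_ONLY_SID,
                              required=REQUIRED_READ_ONLY_ACTIONS):
    """Return the required actions the Allow statement with `sid` does not grant.
    IAM managed policies and S3 bucket policies share this document shape, so
    one check covers both verification paths."""
    for stmt in policy_document.get('Statement', []):
        if stmt.get('Sid') == sid and stmt.get('Effect') == 'Allow':
            patterns = _actions_of(stmt)
            return [a for a in required if not _granted(a, patterns)]
    # No read-only statement at all: nothing is granted, so everything is missing.
    return list(required)


# Constructed sample bucket policy in the pre-fix state the issue describes
# (account id, role name and bucket name are placeholders).
CURRENT_BUCKET_POLICY = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': DATAALL_READ_ONLY_SID,
        'Effect': 'Allow',
        'Principal': {'AWS': 'arn:aws:iam::111122223333:role/placeholder-requestor-role'},
        'Action': ['s3:List*', 's3:GetObject'],
        'Resource': ['arn:aws:s3:::placeholder-bucket', 'arn:aws:s3:::placeholder-bucket/*'],
    }],
}

if __name__ == '__main__':
    print(missing_read_only_actions(CURRENT_BUCKET_POLICY))  # ['s3:GetObjectAttributes']
```

A share whose policies return a non-empty list here is the case the verification task should flag as unhealthy until reapplied.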
🔄 Migration for Existing Shares
For deployments with existing shares:
Option 1: Reapply Existing Shares (Recommended)
- Use the built-in share reapply functionality
- This updates policies using the standard share workflow

Option 2: Share Health Verification
- Run the share health verification task
- Shares will be marked unhealthy until reapplied
How to Reproduce
🔍 Current Behavior
Currently, the read-only permissions for S3 bucket shares include:
✅ s3:List*
✅ s3:GetObject
The s3:GetObjectAttributes permission is missing from both:
❌ IAM managed policies attached to requestor principals
❌ S3 bucket policies for shared buckets
✨ Expected Behavior
Read-only permissions for S3 bucket shares should include:
✅ s3:List*
✅ s3:GetObject
✅ s3:GetObjectAttributes ← Should be added
Expected behavior
No response
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.12
AWS data.all version
2.8
Additional context
No response