[Bug] SAP Hana S3 requires unnecessary S3 permissions, and does not work under "least privilege"

ronsijm

Hey there,

So here is the use-case: we have many customers that want to export data to us, some of them using SAP, or other SAP products (SAP-SuccessFactors). To allow this, we create 1 s3 bucket, and inside that bucket, folders for all our customers. For example, let's say the bucket is called "incoming-data" - then there would be a folder for those customers "incoming-data\Contoso", where Contoso is the fictional company I'll use for this example.

This approach works for most systems, however, SAP seems to require s3:ListBucket on the root of the bucket.

So as IAM permission:

    {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::incoming-data"
    }

This is of course problematic because the client would be able to list all objects, including files that other customers have uploaded.

Normally we create an IAM permission as such:

    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::incoming-data/Contoso/*"
    }

However, without the root permission, when executing something like this:

EXPORT INTO 's3-eu-central-1://APIKey:SecretKey@incoming-data/Contoso/TestFile' FROM DBADMIN.PRODUCTS ;

Will result in the error:

Export failed. Reason: SQL Error: general error: REST API: requestType=S3_ListObjectsV2, statusCode=403, msg=[AccessDenied, Access Denied]

An alternative way to formulate the IAM permission is like this:

    {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::incoming-data",
        "Condition": {
            "StringLike": {
                "s3:prefix": "Contoso"
            }
        }
    }

Using that permission, using the CLI you can successfully execute the command:

aws s3api list-objects --bucket incoming-data --prefix Contoso

Using that command, you can successfully list all the files in the incoming-data bucket, in the Contoso folder.

However, when using this "least privilege" approach, SAP is still throwing an error, and just wants to unnecessarily list-objects in the root of the bucket.

- So what seems to be the problem: SAP is not listing folders using the --prefix flag.

- Proposed solution: When a command is executed such as EXPORT INTO 's3-eu-central-1://APIKey:SecretKey@incoming-data/Contoso/TestFile' - you can see there is a sub-folder in that command. (/Contoso/). That prefix should be used as a prefix to list objects from AWS
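As an added illustration (not part of the original post, and not SAP's or AWS's code), here is a Python sketch of the proposed behaviour seen from the bucket owner's side: derive the customer folder from the export URI, build the prefix-scoped policy for it, and check which ListObjectsV2 prefixes that condition would admit. The policy shape, the pair of StringLike patterns, and the use of fnmatch to stand in for IAM's wildcard matching are my assumptions.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def parse_export_target(uri: str) -> dict:
    """Split a HANA-style export URI (s3-<region>://KEY:SECRET@bucket/key)
    into region, bucket, folder and key. Credentials are parsed but not returned."""
    parts = urlsplit(uri)
    if not parts.scheme.startswith("s3-") or not parts.hostname:
        raise ValueError("expected s3-<region>://KEY:SECRET@bucket/key")
    key = parts.path.lstrip("/")
    folder = key.rpartition("/")[0]  # "" when the object would sit at the bucket root
    return {"region": parts.scheme[3:], "bucket": parts.hostname,
            "folder": folder, "key": key}


def scoped_policy(bucket: str, folder: str) -> dict:
    """Assumed least-privilege policy: object access under <folder>/ only, and
    ListBucket restricted by s3:prefix to that folder (bare name and folder/...)."""
    if not folder:
        raise ValueError("refusing to build a policy for the bucket root")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{folder}/*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [folder, f"{folder}/*"]}}},
        ],
    }


def list_allowed(policy: dict, bucket: str, requested_prefix: str) -> bool:
    """Simulate the s3:prefix StringLike check for one ListObjectsV2 request.
    A request without --prefix (what the post says HANA does) carries "" here."""
    for stmt in policy["Statement"]:
        if stmt["Action"] != "s3:ListBucket" or stmt["Resource"] != f"arn:aws:s3:::{bucket}":
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not patterns or any(fnmatchcase(requested_prefix, p) for p in patterns):
            return True
    return False


if __name__ == "__main__":
    target = parse_export_target("s3-eu-central-1://APIKey:SecretKey@incoming-data/Contoso/TestFile")
    policy = scoped_policy(target["bucket"], target["folder"])
    print(json.dumps(policy, indent=2))
    print("root listing allowed:", list_allowed(policy, target["bucket"], ""))          # False
    print("folder listing allowed:", list_allowed(policy, target["bucket"], "Contoso/"))  # True
```

The root listing is exactly the request that fails with the 403 quoted above, while the prefixed listing that the `aws s3api list-objects --prefix Contoso` call makes is admitted.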

Accepted Solutions (0)

Answers (0)