Hello. This is a feature request, one I feel is important for AWS S3 users.
Currently, when opening a database stored on S3 with KeeAnywhere, the "ListAllMyBuckets" permission is required. This is a global permission in AWS that allows the IAM user to see all of the bucket names in the account, potentially hundreds depending on the specific account. Security policy can be written in AWS to deny access to the contents of those other buckets (to protect in case the IAM user is compromised), but even knowing the bucket names can be undesirable for infrastructure administrators.
I assume KeeAnywhere ONLY needs that permission when setting up an Account to show the bucket names to the user so they can select which bucket they'd like to open. From there, they are required to select a pre-existing database file inside a specific bucket. So, "ListAllMyBuckets" is there simply to give the user bucket name options and forces them to choose one. It's a UI convenience, not materially necessary to the core purpose of the plugin.
For users such as myself, and others that take IAM least-privilege seriously, I'd prefer to tell KeeAnywhere the bucket name we want to use (by typing it in) and thus remove the "ListAllMyBuckets" permission from the IAM user. This could be achieved very simply by adding a text field to the S3 setup popup (where Access Key, Secret Key, and Region are selected) labeled "Bucket Name" and making it optional. If the user enters a bucket name into that field, KeeAnywhere should attempt to connect to that specific bucket for any open/save operation, and NOT call for the list of all bucket names. If the user leaves that field blank, then KeeAnywhere should behave as it currently does.
This would allow "advanced" users to specify the bucket exactly and skip ever granting "ListAllMyBuckets" while allowing users who don't care to simply grant the permission and have a very slightly faster UI experience during setup.
A workaround exists for this problem. The IAM user can first be set up with the "ListAllMyBuckets" permission, and then the appropriate database on S3 can be opened/saved. Then, the "ListAllMyBuckets" permission can be removed from the IAM user and KeeAnywhere will still function properly for any databases already on the recent list (i.e. opening directly without prompting the list of buckets through the Open -> Open from Cloud Drive option). This is very cumbersome when new databases need to be created frequently, though.
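An IAM policy for the "type the bucket name in" setup this request describes, plus a small check that the policy never grants the account-wide bucket listing, as an added example (constructed here, not KeeAnywhere's own code). It assumes the plugin needs s3:ListBucket on the chosen bucket and s3:GetObject/s3:PutObject on the files in it, and uses a placeholder bucket name.

```python
# Constructed example, not KeeAnywhere code. Assumes the plugin needs
# s3:ListBucket to browse one bucket and Get/PutObject to open/save a
# database; the bucket name is a placeholder.
import fnmatch
import json

BUCKET = "example-keepass-bucket"  # placeholder bucket name

# Policy for the proposed "type the bucket name in" setup: every grant is
# scoped to that one bucket and s3:ListAllMyBuckets is never granted.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BrowseDatabaseBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Sid": "OpenAndSaveDatabases", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}


def with_list_all_buckets(policy):
    """Copy of the policy plus the account-wide grant the current setup
    (and step one of the workaround in the issue) requires."""
    widened = json.loads(json.dumps(policy))  # deep copy
    widened["Statement"].append({"Sid": "ListAllBucketNames", "Effect": "Allow",
                                 "Action": "s3:ListAllMyBuckets", "Resource": "*"})
    return widened


def grants_list_all_buckets(policy):
    """True if any Allow statement covers s3:ListAllMyBuckets, including via
    wildcards such as "s3:*" or "*" (IAM action matching is case-insensitive)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase("s3:listallmybuckets", a.lower()) for a in actions):
            return True
    return False


if __name__ == "__main__":
    # Paste this document into the IAM user's inline policy.
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
```

Running the check against `with_list_all_buckets(LEAST_PRIVILEGE_POLICY)` shows the extra statement the workaround relies on, which is exactly what the proposed "Bucket Name" field would let a user leave out.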