Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove "ListAllMyBuckets" permission requirement for S3 #248

Open
lcdennison opened this issue Feb 5, 2021 · 1 comment
Open

Remove "ListAllMyBuckets" permission requirement for S3 #248

lcdennison opened this issue Feb 5, 2021 · 1 comment

Comments

@lcdennison
Copy link

Hello. This is a feature request, one I feel is important for AWS S3 users.

Currently, when opening a database stored on S3 with KeeAnywhere, the "ListAllMyBuckets" permission is required. This is a global permission in AWS that allows the IAM user to see all of the bucket names in the account, potentially hundreds depending on the specific account. Security policy can be written in AWS to deny access to the contents of those other buckets (to protect in case the IAM user is compromised), but even knowing the bucket names can be undesirable for infrastructure administrators.

I assume KeeAnywhere ONLY needs that permission when setting up Account to show the bucket names to the user so they can select which bucket they'd like to open. From there, they are required to select a pre-existing database file inside a specific bucket. So, "ListAllMyBuckets" is there simply to give the user bucket name options and forces them to choose one. It's a UI convenience, not materially necessary to the core purpose of the plugin.

For users such as myself, and others that take IAM least-privilege seriously, I'd prefer to tell KeeAnywhere the bucket name we want to use (by typing it in) and thus remove the "ListAllMyBuckets" permission from the IAM user. This could be achieved very simply by adding a text field to the S3 setup popup (where Access Key, Secret Key, and Region are selected) labeled "Bucket Name" and making it optional. If the user enters a bucket name into that field, KeeAnywhere should attempt to connect to that specific bucket for any open/save operation, and NOT call for the list of all bucket names. If the user leaves that field blank, then KeeAnywhere should behave as it currently does.

This would allow "advanced" users to specify the bucket exactly and skip ever granting "ListAllMyBuckets" while allowing users who don't care to simply grant the permission and have a very slightly faster UI experience during setup.

A workaround exists for this problem. The IAM user can first be set up with the "ListAllMyBuckets" permission, and then the appropriate database on S3 can be opened/saved. Then, the "ListAllMyBuckets" permission can be removed from the IAM user and KeeAnywhere will still function properly for any databases already on the recent list (i.e. opening directly without prompting the list of buckets through the Open -> Open from Cloud Drive option). This is very cumbersome when new databases need to be created frequently, though.

@Kyrodan
Copy link
Owner

Kyrodan commented Feb 5, 2021

Thank your for this ticket, this completely makes sense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants