This repository has been archived by the owner on Jun 20, 2023. It is now read-only.

ClientError: An error occurred (403) when calling the HeadObject operation #144

anuj9196 opened this issue Oct 27, 2020 · 0 comments

anuj9196 commented Oct 27, 2020

The scanning lambda function is giving an error:

```
Attempting to create directory /tmp/my-media/media/uploads/73737/2020/10
[ERROR] ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden
Traceback (most recent call last):
  File "/var/task/scan.py", line 224, in lambda_handler
    s3_object.download_file(file_path)
  File "/var/runtime/boto3/s3/inject.py", line 314, in object_download_file
    ExtraArgs=ExtraArgs, Callback=Callback, Config=Config)
  File "/var/runtime/boto3/s3/inject.py", line 172, in download_file
    extra_args=ExtraArgs, callback=Callback)
  File "/var/runtime/boto3/s3/transfer.py", line 307, in download_file
    future.result()
  File "/var/runtime/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/var/runtime/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/var/runtime/s3transfer/tasks.py", line 255, in _main
    self._submit(transfer_future=transfer_future, **kwargs)
  File "/var/runtime/s3transfer/download.py", line 343, in _submit
    **transfer_future.meta.call_args.extra_args
  File "/var/runtime/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
```

After investigating further, the issue is with getting the object while sending the SNS notification after it has been tagged as INFECTED:

```python
def sns_scan_results(...):
    message = {
        "bucket": s3_object.bucket_name,
        "key": s3_object.key,
        "version": s3_object.version_id,  # <--- here
        AV_SIGNATURE_METADATA: scan_signature,
        AV_STATUS_METADATA: scan_result,
        AV_TIMESTAMP_METADATA: get_timestamp(),
    }
```

As per the doc https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html, the GetObject permission is required to get the headers of the object.

But having this policy on the S3 bucket restricts getting the headers:

```json
{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::qcg-media/*",
    "Condition": {
        "StringEquals": {
            "s3:ExistingObjectTag/av-status": "INFECTED"
        }
    }
}
```
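As an added example (not code from this issue or from the scanning function's own source), one way to avoid the second HeadObject is to take bucket, key and version id from the S3 event record that triggered the scan, so nothing is re-read from the object after the INFECTED tag makes the bucket policy deny s3:GetObject. The `av-status` tag key comes from the policy above; the `av-signature` and `av-timestamp` names, the `build_scan_message` helper and the sample record are assumptions:

```python
import json
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# "av-status" appears in the bucket policy in this issue; the other two names are assumed.
AV_STATUS_METADATA = "av-status"
AV_SIGNATURE_METADATA = "av-signature"   # assumed tag key
AV_TIMESTAMP_METADATA = "av-timestamp"   # assumed tag key


def object_ref_from_event(record):
    """Read bucket, key and version from the S3 event record itself.

    The record is delivered before the scan runs, so no HeadObject is issued here.
    Once the object carries av-status=INFECTED the bucket policy denies s3:GetObject,
    and HeadObject (which needs that permission) would fail with the 403 above,
    which is what a lazily loaded s3_object.version_id triggers.
    """
    s3 = record["s3"]
    obj = s3["object"]
    return {
        "bucket": s3["bucket"]["name"],
        "key": unquote_plus(obj["key"]),   # keys in event records are URL-encoded
        "version": obj.get("versionId"),   # absent on unversioned buckets
    }


def build_scan_message(obj_ref, scan_result, scan_signature):
    """Build the SNS payload from the event-derived reference only (assumed helper)."""
    now = datetime.now(timezone.utc)
    return {
        "bucket": obj_ref["bucket"],
        "key": obj_ref["key"],
        "version": obj_ref["version"],
        AV_SIGNATURE_METADATA: scan_signature,
        AV_STATUS_METADATA: scan_result,
        AV_TIMESTAMP_METADATA: now.strftime("%Y/%m/%d %H:%M:%S UTC"),
    }


# Constructed sample record; shape follows an S3 event notification, values are made up.
SAMPLE_RECORD = {
    "s3": {
        "bucket": {"name": "example-media-bucket"},
        "object": {"key": "media/uploads/73737/2020/10/my+file.pdf", "versionId": "3HL4kqtJvjVBH40Nrjfkd"},
    }
}

if __name__ == "__main__":
    ref = object_ref_from_event(SAMPLE_RECORD)
    print(json.dumps(build_scan_message(ref, "INFECTED", "Example.Signature"), indent=2))
```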