AWS: Append only mode for S3 bucket - amazon-s3

Context
I want to have a machine upload a file dump.rdb to s3/blahblahblah/YEAR-MONTH-DAY-HOUR.rdb on the hour.
Thus, I need this machine to have the ability to upload new files to S3.
However, I don't want this machine to have the ability to (1) delete existing files or (2) overwrite existing files.
In a certain sense, it can only "append" -- it can only add in new objects.
Question:
Is there a way to configure an S3 setup like this?
Thanks!

I cannot comment yet, so here is a refinement to Viccari's answer...
The answer is misleading because it only addresses #1 in your requirements, not #2. In fact, it appears that it is not possible to prevent overwriting existing files, using either method, although you can enable versioning. See here: Amazon S3 ACL for read-only and write-once access.
Because you add a timestamp to your file names, you have more or less worked around the problem. (Same would be true of other schemes to encode the "version" of each file in the file name: timestamps, UUIDs, hashes.) However, note that you are not truly protected. A bug in your code, or two uploads in the same hour, would result in an overwritten file.

Yes, it is possible.
There are two ways to add permissions to a bucket and its contents: Bucket policies and Bucket ACLs. You can achieve what you want by using bucket policies. On the other hand, Bucket ACLs do not allow you to give "create" permission without giving "delete" permission as well.
1-Bucket Policies:
You can create a bucket policy (see some common examples here), allowing, for example, a specific IP address to have specific permissions.
For example, you can allow: s3:PutObject and not allow s3:DeleteObject.
More on S3 actions in bucket policies can be found here.
2-Bucket ACLs:
Using Bucket ACLs, you can only give the complete "write" permission, i.e. if a given user is able to add a file, he is also able to delete files.

This is NOT possible! S3 is a key/value store and thus inherently doesn't support append only. The PUT/cp command to S3 can always overwrite a file. By enabling versioning on your bucket you are still safe in case the account uploading the files gets compromised.
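A worked version of the bucket-policy approach from the answers above, added here as an example rather than taken from any answer: it builds the Allow-PutObject / Deny-Delete policy, runs it through a small local model of the S3 policy evaluation order (an explicit Deny wins), and shows why a second PutObject to the same key is still permitted, which is the overwrite caveat the other answers raise. The bucket name and role ARN are constructed placeholders.

```python
import json

# Constructed placeholders (assumptions, not values from the page).
BUCKET = "example-dump-bucket"
UPLOADER = "arn:aws:iam::123456789012:role/dump-uploader"

def append_only_policy(bucket, principal_arn):
    """Allow the uploader to create objects, explicitly Deny any delete.
    An explicit Deny overrides any Allow granted elsewhere (e.g. in IAM)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUpload", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:PutObject", "Resource": objects},
            {"Sid": "DenyDelete", "Effect": "Deny",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": objects},
        ],
    }

def is_allowed(policy, principal_arn, action, resource):
    """Local model of the evaluation order: a matching explicit Deny wins,
    otherwise a matching Allow grants, otherwise the request is denied."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        same_principal = stmt["Principal"]["AWS"] == principal_arn
        in_scope = resource.startswith(stmt["Resource"].rstrip("*"))
        if not (same_principal and action in actions and in_scope):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def overwrite_is_possible(policy, principal_arn, bucket, key):
    """s3:PutObject is the same action whether or not the key exists, so the
    policy cannot tell 'create' from 'overwrite'. The mitigation is bucket
    versioning (PutBucketVersioning with Status=Enabled) so the prior version
    survives, combined with the DeleteObjectVersion Deny above."""
    return is_allowed(policy, principal_arn, "s3:PutObject",
                      f"arn:aws:s3:::{bucket}/{key}")

def policy_json(bucket, principal_arn):
    """Serialized form, as passed to PutBucketPolicy."""
    return json.dumps(append_only_policy(bucket, principal_arn), indent=2)
```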

Related

terraform reference existing s3 bucket and dynamo table

From my Terraform script, I am trying to get hold of data for existing resources such as the ARN of an existing DynamoDB table and the bucket Id for an existing S3 bucket. I've tried to use terraform_remote_state for S3, however it doesn't fit my requirements as it requires a key and I haven't found anything yet that would work for Dynamo.
Is there a solution that would work for both or would there be two separate solutions?
Many thanks in advance.
Remote state is not the concept you need - that's for storage of the tfstate file. What you require is a "data source":
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/dynamodb_table
In Terraform, you use "Resources" to declare what things need to be created (if they don't exist), and "Data Sources" to read information from things that already exist and are not managed by Terraform.

Adding meta-data to a folder in amazon S3

I can set 'Cache-Control'(meta data) of a particular file and a particular bucket in amazon S3.
But I want that Cache-Control to be set for every file in a particular folder(not the entire bucket, but only folder).
Also when I upload a new file in that particular folder, Cache-Control header gets automatically set for the new file.
I have followed this and S3 Documentation.
Is there any way by which this can be achieved?
Based on another question's answer here I found that with this tool we can run a recursive command for all files in a particular folder, but this won't be applied to the new files.
steps:
git clone https://github.com/s3tools/s3cmd
Run s3cmd --configure
(You will be asked for the two keys - copy and paste them from your confirmation email or from your Amazon account page. Be careful when copying them! They are case sensitive and must be entered accurately or you'll keep getting errors about invalid signatures or similar. Remember to add s3:ListAllMyBuckets permissions to the keys or you will get an AccessDenied error while testing access.)
./s3cmd --recursive modify --add-header="Cache-Control:public, max-age=31536000" s3://your_bucket_name/
#FreeFly
It seems like with the new updates to the S3 console UI, there is now an option to add metadata on a directory, and doing so will recursively apply metadata to each object within that directory.
Go to
Your Bucket
Check object (can be a directory)
Click on Select and from the dropdown menu select Edit metadata
then select Add metadata and enter metadata
Click on Edit Metadata.
and this should recursively apply metadata to all objects inside current directory.

Exclude specific files from S3 Cross-Region Replication

I was wondering if there was a way to exclude specific files from S3 Cross-Region Replication. I am aware of the prefix option, but I have a cache folder within my bucket that I don't want to include.
Example:
I want to include the following:
images/production/image1/file.jpg
But I don't want to include this:
images/production/image1/cache/file.jpg
Seems you need to play with objects/bucket rights in order to exclude certain objects from replication:
Amazon S3 will replicate only objects in the source bucket for which
the bucket owner has permission to read objects and read ACLs
and
Amazon S3 will not replicate objects in the source bucket for which
the bucket owner does not have permissions
Maybe it will be easier to move the cache data to a separate bucket.
I know it's an old post but I thought it might be worth updating it with an answer that does not require meddling with the permissions.
According to Amazon's own documentation (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-how-setup.html) you can choose the objects (using a prefix in the object name or filtering by tags) that will be replicated in the Replication Configuration for the bucket:
The objects that you want to replicate—You can replicate all of the objects in the source bucket or a subset. You identify subset by providing a key name prefix, one or more object tags, or both in the configuration. For example, if you configure cross-region replication to replicate only objects with the key name prefix Tax/, Amazon S3 replicates objects with keys such as Tax/doc1 or Tax/doc2, but not an object with the key Legal/doc3. If you specify both prefix and one or more tags, Amazon S3 replicates only objects having specific key prefix and the tags.
For instance, to use a prefix, set the following rule in your CRR configuration (https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-add-config.html):
<Rule>
...
    <Filter>
        <Prefix>key-prefix</Prefix>
    </Filter>
</Rule>
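Added example (my own, not from the answer above or from AWS): a replication rule in the JSON shape that boto3's put_bucket_replication accepts, combining a prefix with a tag so the cache subtree can be left out simply by not tagging it, plus a local model of the filter semantics to check which keys the rule would replicate. The bucket names and role ARN are constructed placeholders.

```python
# Constructed sample replication rule (placeholder names/ARNs, not from the
# page). Shape follows the ReplicationConfiguration used by boto3's
# put_bucket_replication; the matching logic below is a local model.
REPLICATION_CONFIG = {
    "Role": "arn:aws:iam::123456789012:role/crr-role",
    "Rules": [{
        "ID": "replicate-production-images",
        "Priority": 1,
        "Status": "Enabled",
        # Prefix AND tag: an object must satisfy both to be replicated.
        "Filter": {"And": {
            "Prefix": "images/production/",
            "Tags": [{"Key": "replicate", "Value": "yes"}],
        }},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {"Bucket": "arn:aws:s3:::example-replica-bucket"},
    }],
}

def rule_matches(rule, key, tags):
    """Model of S3's filter semantics: Prefix alone, Tag alone, or And
    (prefix plus every listed tag). A prefix is an inclusion test only,
    so it cannot carve a sub-prefix such as .../cache/ out of a subtree;
    tags are what let you leave individual objects out."""
    f = rule.get("Filter", {})
    if "And" in f:
        want_prefix = f["And"].get("Prefix", "")
        want_tags = f["And"].get("Tags", [])
    elif "Tag" in f:
        want_prefix, want_tags = "", [f["Tag"]]
    else:
        want_prefix, want_tags = f.get("Prefix", ""), []
    if not key.startswith(want_prefix):
        return False
    return all(tags.get(t["Key"]) == t["Value"] for t in want_tags)

def will_replicate(config, key, tags=None):
    """True if any enabled rule matches the object (key plus its tag set)."""
    tags = tags or {}
    return any(r["Status"] == "Enabled" and rule_matches(r, key, tags)
               for r in config["Rules"])
```

Objects written under images/production/ get the replicate=yes tag at upload time; the cache writer simply omits it.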

Folder won't delete on Amazon S3

I'm trying to delete a folder created as a result of a MapReduce job. Other files in the bucket delete just fine, but this folder won't delete. When I try to delete it from the console, the progress bar next to its status just stays at 0. Have made multiple attempts, including with logout/login in between.
I had the same issue and used AWS CLI to fix it:
aws s3 rm s3://<your-bucket>/<your-folder-to-delete>/ --recursive ;
(this assumes you have run aws configure and aws s3 ls s3://<your-bucket>/ already works)
First and foremost, Amazon S3 doesn't actually have a native concept of folders/directories, rather is a flat storage architecture comprised of buckets and objects/keys only - the directory style presentation seen in most tools for S3 (including the AWS Management Console itself) is based solely on convention, i.e. simulating a hierarchy for objects with identical prefixes - see my answer to How to specify an object expiration prefix that doesn't match the directory? for more details on this architecture, including quotes/references from the AWS documentation.
Accordingly, your problem might stem from a tool using a different convention for simulating this hierarchy, see for example the following answers in the AWS forums:
Ivan Moiseev's answer to the related question Cannot delete file from bucket, where he suggests to use another tool to inspect whether you might have such a problem and remedy it accordingly.
The AWS team response to What are these _$folder$ objects? - This is a convention used by a number of tools including Hadoop to make directories in S3. They're primarily needed to designate empty directories. One might have preferred a more aesthetic scheme, but well that is the way that these tools do it.
Good luck!
I was getting the following error when I tried to delete a bucket which was a directory that held log files from Cloudfront.
An unexpected error has occurred. Please try again later.
After I disabled logging in Cloudfront I was able to delete the folder successfully.
My guess is that it was a system folder used by Cloudfront that did not allow deletion by the owner.
In your case, you may want to check if MapReduce is holding on to the folder in question.
I was facing the same problem. Tried many login/logout attempts and refreshes, but the problem persisted. Searched Stack Overflow and found suggestions to cut and paste the folder into a different folder and then delete it, but that didn't work.
Another thing you should look for is versioning that might affect your bucket; maybe suspending versioning will allow you to delete the folder.
My solution was to delete it with code. I have used the boto package in Python for file handling over S3, and the deletion worked when I tried to delete that folder from my Python code.
import boto
from boto.s3.key import Key
keyId = "your_aws_access_key"
sKeyId = "your_aws_secret_key"
fileKey="dummy/foldertodelete/" #Name of the file to be deleted
bucketName="mybucket001" #Name of the bucket, where the file resides
conn = boto.connect_s3(keyId,sKeyId) #Connect to S3
bucket = conn.get_bucket(bucketName) #Get the bucket object
k = Key(bucket,fileKey) #Get the key of the given object
k.delete() #Delete
S3 doesn't keep directories; it just has a flat file structure, so everything is managed with keys.
For you it's a folder, but for S3 it's just a key.
If you want to delete a folder named -> dummy
then key would be
fileKey = "/dummy/"
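Added example (not the poster's code): the boto3 equivalent that removes the whole prefix, including every object version and delete marker, which is what actually makes a "folder" disappear on a versioned bucket (the versioning point raised above). It uses list_object_versions and delete_objects; the FakeS3 class is a constructed in-memory stand-in so the function can be exercised offline, and with the real client you would pass boto3.client("s3") instead.

```python
def delete_prefix(s3, bucket, prefix, batch=1000):
    """Delete every version and delete marker under prefix.
    Returns the number of (Key, VersionId) entries removed."""
    if not prefix.endswith("/"):
        prefix += "/"                  # treat it as a folder, not a bare key
    deleted = 0
    paginator = s3.get_paginator("list_object_versions")
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        # Versions and DeleteMarkers both live in the key space; leaving
        # either behind keeps the simulated "folder" visible.
        entries = page.get("Versions", []) + page.get("DeleteMarkers", [])
        objects = [{"Key": e["Key"], "VersionId": e["VersionId"]} for e in entries]
        for i in range(0, len(objects), batch):   # DeleteObjects caps at 1000
            chunk = objects[i:i + batch]
            resp = s3.delete_objects(Bucket=bucket,
                                     Delete={"Objects": chunk, "Quiet": True})
            if resp.get("Errors"):                 # never silently lose items
                raise RuntimeError(f"partial failure: {resp['Errors']}")
            deleted += len(chunk)
    return deleted

class FakeS3:
    """Constructed in-memory stand-in for the two boto3 calls used above
    (for offline demonstration only; not a real S3 client)."""
    def __init__(self, versions):
        self.versions = list(versions)   # dicts with Key, VersionId, Marker
    def get_paginator(self, name):
        assert name == "list_object_versions"
        return self
    def paginate(self, Bucket, Prefix):
        hits = [v for v in self.versions if v["Key"].startswith(Prefix)]
        yield {"Versions": [v for v in hits if not v["Marker"]],
               "DeleteMarkers": [v for v in hits if v["Marker"]]}
    def delete_objects(self, Bucket, Delete):
        gone = {(o["Key"], o["VersionId"]) for o in Delete["Objects"]}
        self.versions = [v for v in self.versions
                         if (v["Key"], v["VersionId"]) not in gone]
        return {"Deleted": [{"Key": k, "VersionId": vid} for k, vid in gone]}
```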
Firstly, read the contents of the directory with the getBucket method, which gives you an array of all the files; then delete each file with the deleteObject method.
if (($contents = $this->S3->getBucket(AS_S3_BUCKET, "file_path")) !== false)
{
    foreach ($contents as $file)
    {
        $result = $this->S3->deleteObject(AS_S3_BUCKET, $file['name']);
    }
}
$this->S3 is S3 class object, and AS_S3_BUCKET is bucket name.

How do I stop people being able to see every file in my Amazon S3 bucket?

If someone goes to the url of my bucket, they are able to see every single file listed.
Although I want the files in my bucket to be able to be seen by the public, I'd prefer not to have this list view available. Is there a way to prevent "directory listings" like this?
You should remove read access for the "All Users" built-in group from the bucket's ACL. You can do that using a tool like the CloudBerry Explorer freeware.
Make sure you keep read access on the files you want to serve from S3.
Thanks
Andy