marekt
Intern
  • UID5816
  • Fans0
  • Follows0
  • Posts5
Reads: 173 Replies: 8

Use STS to access OSS - OSS Access Key Id you provided does not exist in our records

Created#
Posted time:Jul 6, 2018 17:29 PM
Hi,
I'm trying to use STS to access OSS as described here. My scenario is the following:
1) The client React app calls a Function Compute (FC) function via API Gateway and submits some information.
2) The function validates the information and, if it is ok, calls sts.assumeRole, specifying permission to GET* for all resources in OSS, using the AccessKeyId and AccessKeySecret of a sub-account.
3) The new STS temporary token is created and returned to the client.
4) The client initializes an OSS client with the returned AccessKeyId, AccessKeySecret and SecurityToken.
5) The client tries to download the selected file.
6) This error is thrown:
Error: The OSS Access Key Id you provided does not exist in our records.
    at Client.requestError$ (aliyun-oss-sdk.js:619)
    at tryCatch (aliyun-oss-sdk.js:15266)
    at Generator.invoke [as _invoke] (aliyun-oss-sdk.js:15500)
    at Generator.prototype.(anonymous function) [as next] (http://localhost:3000/static/js/bundle.js:126516:21)
    at onFulfilled (aliyun-oss-sdk.js:6100)

Is there something I'm doing wrong or there could be some problem on OSS?

Thanks for any help,
Marek

JohnHanley
Assistant Engineer
  • UID5606
  • Fans1
  • Follows1
  • Posts52
1st Reply#
Posted time:Jul 7, 2018 0:08 AM
Just like Stack Overflow, post your code if you need help with a software development issue.

Include the policy that you are assuming.

The key message is: The OSS Access Key Id you provided does not exist in our records.

Check your code to make sure that you are passing the correct values received from STS to OSS unchanged. The security token is a very long string (base64 encoded credentials).

Two tips that I use on problems like this. I check to make sure that my code works on public read files. Often I find silly mistakes with region handling, etc. Another test is to use normal credentials in place of STS credentials to check my code. Once those two tests work and all error handling is in place, I then only have to debug the STS logic.
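The advice above, passing the STS values through to OSS unchanged, is the step where the first error in this thread ("Access Key Id ... does not exist in our records") is typically introduced. The following is an added example, not code from the thread, showing the hand-over from the AssumeRole response to the ali-oss client options with the checks a practitioner would put in front of it. The response shape (Credentials.AccessKeyId / AccessKeySecret / SecurityToken / Expiration) is what aliyun-sdk's assumeRole returns; the "STS." prefix check reflects the AccessKeyIds Alibaba STS hands out and is an assumption you can relax if your account shows otherwise. The sample response is constructed and contains no real credentials.

```javascript
// Added example (not from the thread): validate the AssumeRole response before
// it is turned into OSS client options, so that a dropped, renamed, wrapped or
// expired value fails loudly in the function instead of as a 403 on the client.

function toOssCredentials(stsResponse, now = new Date()) {
  const creds = stsResponse && stsResponse.Credentials;
  if (!creds) throw new Error('AssumeRole response has no Credentials block');

  // All four fields must be present; the OSS client needs the first three together.
  for (const field of ['AccessKeyId', 'AccessKeySecret', 'SecurityToken', 'Expiration']) {
    if (typeof creds[field] !== 'string' || creds[field].length === 0) {
      throw new Error(`Credentials.${field} missing or empty`);
    }
  }
  // Assumption: temporary keys issued by Alibaba STS start with "STS.". A key
  // without the prefix is a sign that a long-lived RAM key reached this path.
  if (!creds.AccessKeyId.startsWith('STS.')) {
    throw new Error('AccessKeyId does not look like a temporary STS key');
  }
  // The token is a long opaque string; whitespace means it was wrapped or re-encoded.
  if (/\s/.test(creds.SecurityToken)) {
    throw new Error('SecurityToken contains whitespace; it was altered in transit');
  }
  const expiresAt = new Date(creds.Expiration);
  if (Number.isNaN(expiresAt.getTime()) || expiresAt <= now) {
    throw new Error(`STS credentials expired at ${creds.Expiration}`);
  }
  // Option names expected by ali-oss: accessKeyId, accessKeySecret, stsToken.
  return {
    accessKeyId: creds.AccessKeyId,
    accessKeySecret: creds.AccessKeySecret,
    stsToken: creds.SecurityToken,
    expiresAt,
  };
}

// What is safe to write to the function log: the key id and expiry, never the
// secret or the token (the thread's function logs the whole response).
function describeForLog(stsResponse) {
  const creds = (stsResponse && stsResponse.Credentials) || {};
  return { AccessKeyId: creds.AccessKeyId, Expiration: creds.Expiration };
}

// Constructed sample response; the values are made up and are not real credentials.
const SAMPLE_RESPONSE = {
  Credentials: {
    AccessKeyId: 'STS.sampleKeyId0001',
    AccessKeySecret: 'sampleSecret0001',
    SecurityToken: 'CAISsample.token.value.not.real==',
    Expiration: '2018-07-10T13:00:00Z',
  },
};

console.log(describeForLog(SAMPLE_RESPONSE));
console.log(toOssCredentials(SAMPLE_RESPONSE, new Date('2018-07-10T12:00:00Z')));
```

Call toOssCredentials on the callback's res and spread the returned object into the ali-oss constructor together with region and bucket; keep expiresAt so the client side can request fresh credentials before the hour runs out rather than after the first 403.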

marekt
2nd Reply#
Posted time:Jul 9, 2018 13:58 PM
Hi,
Firstly, thank you for your answer. I had tried your recommendations before I posted my question, and I could download the file with the AccessKeyId and SecretAccessKey defined in the RAM console. Anyway, since then I ran the same code today and got a different error:

"You have no right to access this object because of bucket acl."

So I'm not sure what has changed, because my code didn't. But it doesn't matter. So I have a new problem now.
Using the AccessKeyId and SecretAccessKey with a custom policy defined in the RAM console is working.
Custom policy:

{
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:List*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:bucket-20180709/*"
      ]
    }
  ],
  "Version": "1"
}

FunctionCompute code:

// Baseline check: call OSS directly with the sub-account's long-lived RAM keys.
// The two string literals are placeholders for the real AccessKeyId/AccessKeySecret.
var OSSClient = require('ali-oss').Wrapper;

module.exports.handler = function(event, context, callback) {
  let ramAccessKeyId = 'AccessKeyId';
  let ramSecretAccessKey = 'SecretAccessKey';
  var ossClient = new OSSClient({
    accessKeyId: ramAccessKeyId,
    accessKeySecret: ramSecretAccessKey,
    region: 'oss-ap-southeast-1',
    bucket: 'bucket-20180709'
  });
  // Download one object and hand the result (or the OSS error) back to Function Compute.
  ossClient.get('filename')
    .then(fileRes => {
      callback(null, fileRes);
    })
    .catch(err => {
      callback(err);
    });
};

This Function is working and return correct results.


But my Function using STS still doesn't work and returns the error mentioned above "You have no right to access this object because of bucket acl."
The code of my Function is:


var ALY = require("aliyun-sdk");
var OSSClient = require('ali-oss').Wrapper;
module.exports.handler = function(event, context, callback) {
  // Long-lived keys of the RAM sub-account that is allowed to assume the role
  // (placeholders in this post).
  let ramAccessKeyId = 'AccessKeyId';
  let ramSecretAccessKey = 'SecretAccessKey';
  var sts = new ALY.STS({
      accessKeyId: ramAccessKeyId,
      secretAccessKey: ramSecretAccessKey,
      endpoint: 'https://sts.aliyuncs.com',
      apiVersion: '2015-04-01'
  });
  let stsParams = {
      Action: 'AssumeRole',
      // Specify the role Arn
      RoleArn: 'acs:ram::5158124120825140:role/soar-demo-test-oss-role',
      //Set an additional policy for the Token so as to further limit the Token permission when obtaining the token.
      Policy: '{"Version":"1","Statement":[{"Action":["oss:Get*","oss:List*"], "Effect":"Allow", "Resource":["acs:oss:*:*:bucket-20180709/*"]}]}',
      DurationSeconds: 3600,
      RoleSessionName: 'sts-role-name-test'
  };
  sts.assumeRole(stsParams, function (err, res) {
      if (err) {
          callback(err);
      } else {
        // Note: this writes the whole response, including the temporary
        // AccessKeySecret and SecurityToken, to the function log.
        console.log('STS details');
        console.log(JSON.stringify({res}));
        // Temporary credentials: id, secret and token must be passed together.
        var ossClient = new OSSClient({
          accessKeyId: res.Credentials.AccessKeyId,
          accessKeySecret: res.Credentials.AccessKeySecret,
          stsToken: res.Credentials.SecurityToken,
          region: 'oss-ap-southeast-1',
          bucket: 'bucket-20180709'
        });
        ossClient.get('filename')
          .then(fileRes => {
            callback(null, fileRes);
          })
          .catch(err => {
            callback(err);
          });
      }
  });
};

This Function doesn't work as intended and returns following error:

{
   "errorMessage": "You have no right to access this object because of bucket acl.",
   "errorType": "AccessDeniedError",
   "stackTrace": []
}

Unfortunately I can't see the reason why it doesn't work. Could you please have a look.

Thanks,
Marek



JohnHanley
3rd Reply#
Posted time:Jul 10, 2018 0:25 AM
Marek,

I will look at your source code later.

The first thing that I noticed is that your policy is too restrictive and does not provide enough permissions. Try this policy.

{
    "Version": "1",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": "oss:ListBuckets",
        "Resource": "acs:oss:*:*:*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "oss:ListObjects",
            "oss:GetBucketAcl"
        ],
        "Resource": "acs:oss:*:*:bucket-20180709"
    },
    {
        "Effect": "Allow",
        "Action": [
            "oss:GetObject",
            "oss:GetObjectAcl"
        ],
        "Resource": "acs:oss:*:*:bucket-20180709/*"
    }
  ]
}

marekt
4Floor#
Posted time:Jul 10, 2018 12:36 PM
Hi,
Thanks for the tip. I've tried to extend the permission for the assumed role and even for the sub-account but nothing has worked.

JohnHanley
5Floor#
Posted time:Jul 10, 2018 14:52 PM
I am not sure what you mean. This is the policy that you use with STS AssumeRole. You do NOT need to limit the policy with another policy when you call AssumeRole.

JohnHanley
6Floor#
Posted time:Jul 10, 2018 14:55 PM
To improve my answer: My policy is used in RAM under your policy name soar-demo-test-oss-role. Remove the extra policy stuff below when you call AssumeRole:

      //Set an additional policy for the Token so as to further limit the Token permission when obtaining the token.
      Policy: '{"Version":"1","Statement":[{"Action":["oss:Get*","oss:List*"], "Effect":"Allow", "Resource":["acs:oss:*:*:bucket-20180709/*"]}]}',
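The 3rd reply (the role policy needs bucket-level grants on the bucket resource, not only object-level grants on bucket/*) and the two replies above (the Policy passed to AssumeRole can only narrow the role's permissions) describe the same evaluation rule from two sides. The block below is an added example, not code from the thread or from Alibaba Cloud: a small evaluator for RAM-style policy documents that runs the two policies posted in this thread through that rule. Its matching rules are an approximation of RAM's and are an assumption: "*" matches any run of characters, an explicit Deny beats Allow, no match is an implicit deny, and a request under STS credentials is allowed only when the role policy and the session policy (if one was given) both allow it. It does not reproduce OSS's exact reason strings, so it is not a model of the specific "bucket acl" error above.

```javascript
// Added example (not from the thread): evaluate RAM-style policies to show
//  1. the AssumeRole Policy can only narrow what the role policy grants, and
//  2. bucket-level actions (ListObjects, GetBucketAcl) are matched against the
//     bucket resource "acs:oss:*:*:bucket-20180709", which the object pattern
//     "acs:oss:*:*:bucket-20180709/*" does not cover.
// Matching semantics below are an approximation of RAM's (assumption).

function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except '*'
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

function matchesAny(patterns, value) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => globToRegExp(p).test(value));
}

// One policy document: 'Deny' if any Deny statement matches, else 'Allow' if
// any Allow statement matches, else 'Default' (implicit deny).
function evaluatePolicy(policy, action, resource) {
  let result = 'Default';
  for (const stmt of policy.Statement) {
    if (!matchesAny(stmt.Action, action) || !matchesAny(stmt.Resource, resource)) continue;
    if (stmt.Effect === 'Deny') return 'Deny';
    result = 'Allow';
  }
  return result;
}

// Decision for a request made with STS credentials: the role policy must allow
// it and, if a session policy was passed to AssumeRole, that must allow it too.
function isAllowed(rolePolicy, action, resource, sessionPolicy) {
  if (evaluatePolicy(rolePolicy, action, resource) !== 'Allow') return false;
  if (!sessionPolicy) return true;
  return evaluatePolicy(sessionPolicy, action, resource) === 'Allow';
}

// The session policy from the function in this thread (AssumeRole's Policy parameter).
const SESSION_POLICY_FROM_THREAD = {
  Version: '1',
  Statement: [{ Action: ['oss:Get*', 'oss:List*'], Effect: 'Allow', Resource: ['acs:oss:*:*:bucket-20180709/*'] }],
};

// The role policy suggested in the 3rd reply.
const ROLE_POLICY_SUGGESTED = {
  Version: '1',
  Statement: [
    { Effect: 'Allow', Action: 'oss:ListBuckets', Resource: 'acs:oss:*:*:*' },
    { Effect: 'Allow', Action: ['oss:ListObjects', 'oss:GetBucketAcl'], Resource: 'acs:oss:*:*:bucket-20180709' },
    { Effect: 'Allow', Action: ['oss:GetObject', 'oss:GetObjectAcl'], Resource: 'acs:oss:*:*:bucket-20180709/*' },
  ],
};

// A constructed session policy that tries to grant more than the role does.
const SESSION_POLICY_TOO_WIDE = {
  Version: '1',
  Statement: [{ Effect: 'Allow', Action: 'oss:*', Resource: 'acs:oss:*:*:*' }],
};

const BUCKET = 'acs:oss:*:*:bucket-20180709';
const OBJECT = 'acs:oss:*:*:bucket-20180709/filename';

// Effective decisions for the actions that came up in the thread, plus a write.
function effectivePermissions(rolePolicy, sessionPolicy) {
  const checks = [
    ['oss:ListObjects', BUCKET],
    ['oss:GetBucketAcl', BUCKET],
    ['oss:GetObject', OBJECT],
    ['oss:PutObject', OBJECT],
  ];
  const result = {};
  for (const [action, resource] of checks) {
    result[action] = isAllowed(rolePolicy, action, resource, sessionPolicy);
  }
  return result;
}

console.log('role only           ', effectivePermissions(ROLE_POLICY_SUGGESTED, null));
console.log('role + thread policy', effectivePermissions(ROLE_POLICY_SUGGESTED, SESSION_POLICY_FROM_THREAD));
console.log('role + wide policy  ', effectivePermissions(ROLE_POLICY_SUGGESTED, SESSION_POLICY_TOO_WIDE));
```

With the session policy from the thread, the bucket-level actions come out denied even though the role allows them, while the over-wide session policy changes nothing because the role never granted oss:PutObject. Since these temporary credentials are handed to a browser, the AssumeRole Policy is the right place to scope them down; it just has to list the bucket resource as well as bucket/* for the actions the client actually makes.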

marekt
7Floor#
Posted time:Jul 10, 2018 18:49 PM
I don't know why, but I thought the additional policy in the assumeRole request allowed me to extend the permissions instead of restricting them further.
Everything is good now. I really appreciate your quick responses.
Thanks,
Marek

JohnHanley
8Floor#
Posted time:Jul 11, 2018 0:26 AM
Marek,

You are welcome. Can you repost your final code so that everyone can benefit?