Support uploads when ACL is disabled on an AWS S3 bucket
Problem
Not everyone uses ACLs on their S3 buckets. Some instead use S3 Object Ownership, which is relatively newer and relies on the IAM policies of the AWS account for access control. The registry, on the other hand, appears to explicitly set the ACL option when uploading objects (reference), even when the user has not explicitly indicated one.
Because of this, we might run into an issue where the registry cannot perform uploads/downloads from the S3 bucket: it explicitly tells S3 to apply a specific ACL when the bucket may not be configured to use ACLs at all, causing the registry to fail like so:
2023-02-06_19:30:45.91675 time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" auth_user_name=[USERNAME] auth_user_type=personal_access_token code=UNKNOWN correlation_id=[REDACTED] detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" error="unknown: unknown error" go_version=go1.18.7 root_repo=[REDACTED] vars_name=[REDACTED] version=v3.63.0-gitlab
with focus on:
detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400
This needs to be investigated first to confirm, and then fixed (if needed).
The current workaround would be to enable ACL for the S3 buckets.
Environment Setup that triggers this issue:
from Slack:
GitLab is on an EC2 instance with an IAM role granting S3FullAccess and as well, they don’t have the aws_access_key_id and aws_secret_access_key in their gitlab.rb. aws s3 ls successfully lists the cross-account bucket contents, whereas registry object storage throws the error:
2023-02-06_19:30:45.91675 time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" auth_user_name=[USERNAME] auth_user_type=personal_access_token code=UNKNOWN correlation_id=[REDACTED] detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" error="unknown: unknown error" go_version=go1.18.7 root_repo=[REDACTED] vars_name=[REDACTED] version=v3.63.0-gitlab
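For triage, the failure above can be separated from other storage errors by parsing the registry's logfmt output and matching the S3 error code inside the detail field. The following is an added example, not code from the registry project; the function names are assumptions and the sample input is constructed from the log line in this issue (shortened) plus one unrelated line.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: the issue's log line (some fields dropped) and an unrelated info line.
const sampleLog = `2023-02-06_19:30:45.91675 time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" code=UNKNOWN detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" version=v3.63.0-gitlab
2023-02-06_19:30:46.10000 time="2023-02-06T14:30:46.100-05:00" level=info msg="response completed" version=v3.63.0-gitlab`

var (
	// key=value, where value is a double-quoted string with escapes or a bare token.
	pair = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S*)`)
	// Shape of detail as seen in the issue: "s3aws: <Code>: <message>\n\tstatus code: <n>".
	s3Detail = regexp.MustCompile(`^s3aws: (\w+): [^\n]*\s+status code: (\d+)`)
)

// parseLogfmt returns the key=value pairs of one log line, unquoting quoted
// values. The leading svlogd timestamp has no '=' and is skipped.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range pair.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = m[2]
		if v, err := strconv.Unquote(m[2]); err == nil && m[2][0] == '"' {
			fields[m[1]] = v
		}
	}
	return fields
}

// aclRejections returns one summary per log line in which S3 refused a
// request because the bucket has ACLs disabled.
func aclRejections(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		f := parseLogfmt(line)
		m := s3Detail.FindStringSubmatch(f["detail"])
		if m != nil && m[1] == "AccessControlListNotSupported" {
			hits = append(hits, fmt.Sprintf("%s status=%s version=%s", f["time"], m[2], f["version"]))
		}
	}
	return hits
}

func main() {
	fmt.Println(strings.Join(aclRejections(sampleLog), "\n"))
}
```

Matching on the S3 error code rather than on msg or code matters here because the registry reports this failure only as "unknown error" / UNKNOWN in those fields.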