
Support uploads when ACL is disabled on an AWS S3 bucket

Problem

Not everyone uses buckets with ACLs on S3; some instead use S3 Object Ownership, which is relatively newer and relies on the IAM policies of the AWS account for access control. The registry, on the other hand, appears to explicitly use the ACL option when uploading objects (reference), even when not explicitly indicated by the user.

Because of this, we might run into an issue where the registry is not able to perform uploads/downloads from the S3 bucket, because it explicitly tells S3 to use specific ACLs when S3 may not be configured to use ACLs at all, causing the registry to fail like so:

2023-02-06_19:30:45.91675 time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" auth_user_name=[USERNAME] auth_user_type=personal_access_token code=UNKNOWN correlation_id=[REDACTED] detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" error="unknown: unknown error" go_version=go1.18.7 root_repo=[REDACTED] vars_name=[REDACTED] version=v3.63.0-gitlab

with focus on:

detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400

This needs to be investigated first to confirm, and then fixed (if needed).

The current workaround would be to enable ACL for the S3 buckets.

Environment Setup that triggers this issue:

from Slack:

GitLab is on an EC2 instance with an IAM role granting S3FullAccess and as well, they don’t have the aws_access_key_id and aws_secret_access_key in their gitlab.rb. aws s3 ls successfully lists the cross-account bucket contents, whereas registry object storage throws the error:

2023-02-06_19:30:45.91675 time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" auth_user_name=[USERNAME] auth_user_type=personal_access_token code=UNKNOWN correlation_id=[REDACTED] detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" error="unknown: unknown error" go_version=go1.18.7 root_repo=[REDACTED] vars_name=[REDACTED] version=v3.63.0-gitlab
Edited by SAhmed
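
To spot this failure in registry logs, the following added example (not part of the original issue or the registry's own code) parses logfmt lines and extracts the AWS error code and HTTP status from the `detail` field. The function names `parseLogfmt` and `triage` are hypothetical, and the sample lines are constructed from the error quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Constructed sample lines, modelled on the error quoted in the issue.
var sampleLines = []string{
	`time="2023-02-06T14:30:45.916-05:00" level=error msg="unknown error" code=UNKNOWN detail="s3aws: AccessControlListNotSupported: The bucket does not allow ACLs\n\tstatus code: 400, request id: [REDACTED], host id: [REDACTED]" error="unknown: unknown error"`,
	`time="2023-02-06T14:30:46.002-05:00" level=info msg="response completed" detail="status code: 200"`,
}

// One logfmt pair: the value is a bare token or a double-quoted string with backslash escapes.
var pairRe = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S*)`)

// AWS error code and HTTP status as they appear in the "detail" field.
var awsErrRe = regexp.MustCompile(`(?s)^s3aws: (\w+): .*?status code: (\d+)`)

// parseLogfmt returns the key/value pairs of one log line, unquoting quoted values.
func parseLogfmt(line string) map[string]string {
	fields := map[string]string{}
	for _, m := range pairRe.FindAllStringSubmatch(line, -1) {
		v := m[2]
		if u, err := strconv.Unquote(v); err == nil {
			v = u // quoted value: decode \n, \t, \" and similar escapes
		}
		fields[m[1]] = v
	}
	return fields
}

// triage reports code and status of an error-level s3aws line and whether it is the ACL rejection.
func triage(line string) (code, status string, aclRejected, ok bool) {
	f := parseLogfmt(line)
	m := awsErrRe.FindStringSubmatch(f["detail"])
	if f["level"] != "error" || m == nil {
		return "", "", false, false
	}
	return m[1], m[2], m[1] == "AccessControlListNotSupported", true
}

func main() {
	for _, l := range sampleLines {
		if code, status, acl, ok := triage(l); ok {
			fmt.Printf("s3aws error code=%s status=%s acl_rejected=%t\n", code, status, acl)
		}
	}
}
```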