Fix Principal in AWS verification bucket policy #2266
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Principal listed in a bucket policy needs to follow the correct syntax or it will be rejected as a bad bucket policy. configure_aws_verification_bucket is used to set the policy for the user verification bucket. I have no idea how I committed this with a broken policy but it seems like this never worked to begin with :) There shouldn't be any security implications to allowing any principal to access the bucket. We're verifying on the server side that the appropriate parameters are included in the URL, which implies that the requester is actually logged in to an AWS user account.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In testing the new AWS user verification feature (see #2121), we found that the bucket policy written in the code didn't match the policy I had actually set for the
bm-uverify-test1demo bucket. (Sorry, I guess I never tested the final version of that code.)We need to allow any principal, not only principals matching a pattern.
This new version of the policy has been tested on my personal AWS account, so hopefully it should work when we do the same on the PhysioNet account.