fix: s3proxy get bucket acl when no acl exists in s3 service

For s3 proxy backend, the ACLs are stored in bucket tags to not conflict with the underlying s3 object store ACLs. If the tag for the gatway ACLs does not exist for the bucket, then we were incorrectly returning the NoSuchTagSet from teh tag lookup. Instead, in this case we need to just return the default gateway bucket ACL, which is the root account ownership. Side note that there is currently a bug in the go sdk where the NoSuchTagSet is not defained as an error type, and a workaround for string matching is required until this is addressed. https://github.com/aws/aws-sdk-go-v2/issues/2878
2025-12-23 05:05:16 +00:00 · 2025-02-24 10:36:54 -08:00
parent dcfff94abc
commit ee64d7f846
1 changed files with 9 additions and 0 deletions
--- a/backend/s3proxy/s3.go
+++ b/backend/s3proxy/s3.go
@@ -25,6 +25,7 @@ import (
 	"io"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -518,6 +519,14 @@ func (s *S3Proxy) GetBucketAcl(ctx context.Context, input *s3.GetBucketAclInput)
 		Bucket: input.Bucket,
 	})
 	if err != nil {
+		var ae smithy.APIError
+		if errors.As(err, &ae) {
+			// sdk issue workaround for missing NoSuchTagSet error type
+			// https://github.com/aws/aws-sdk-go-v2/issues/2878
+			if strings.Contains(ae.ErrorCode(), "NoSuchTagSet") {
+				return []byte{}, nil
+			}
+		}
 		return nil, handleError(err)
 	}