Unable to list buckets in AWS CLI
Problem
A tenant was unable to list the contents of buckets when using the AWS CLI.
The following error was thrown:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Unknown
Solution
If a user has put a policy in place that prevents the listing of buckets, this
indicates that the policy has been created with the radosgw-admin --admin
command. Such a user will have admin: true in the output of the
radosgw-admin user info --uid <user> command.
However, there is a bug that complicates this. Policies created on earlier Ceph versions cannot be parsed on more recent Quincy releases (https://tracker.ceph.com/issues/63485).
This bug affected Quincy v17.2.7. This bug was fixed in Quincy 17.2.8.
One solution is to install Quincy 17.2.8.
Another solution is to remove a bucket policy that fails to parse and throws
the error Error reading IAM Policy by following these steps:
- Find the bucket's instance ID by using the bucket stats command:
$ radosgw-admin bucket stats --bucket {bucketname} | grep id
- Use the RADOS tool to remove the bucket policy attribute user.rgw.iam-policy from the bucket instance metadata object:
$ rados -p default.rgw.meta -N root rmxattr .bucket.meta.{bucketname}:{bucketId} user.rgw.iam-policy
- Restart the RGW daemons or clear their metadata caches so that the RGW daemons do not continue to cache the existing bucket metadata and xattrs:
$ ceph daemon client.rgw.xyz.cache zap
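The removal steps above as a dry-run helper (an added example, not part of the Ceph documentation): it extracts the bare instance ID from bucket stats output and prints a getxattr command that saves the unparseable policy before the rmxattr command that removes it. The function names, the backup file name and the sample JSON are assumptions constructed for illustration; the pool and namespace are the ones used in the rmxattr step.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Ceph tooling.

# Read `radosgw-admin bucket stats` JSON on stdin and print the bare value of
# the "id" key (grep id would print the whole JSON line, quotes and comma included).
bucket_instance_id() {
    sed -n 's/^[[:space:]]*"id":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Name of the bucket instance metadata object used in the rmxattr step.
bucket_meta_object() {   # $1 = bucket name, $2 = instance ID
    printf '.bucket.meta.%s:%s\n' "$1" "$2"
}

# Print the commands to run: save the policy xattr first, then remove it.
# Nothing is executed against the cluster.
policy_removal_plan() {  # $1 = bucket name; bucket stats JSON on stdin
    id=$(bucket_instance_id)
    if [ -z "$id" ]; then
        echo "no bucket instance ID found for $1" >&2
        return 1
    fi
    obj=$(bucket_meta_object "$1" "$id")
    echo "rados -p default.rgw.meta -N root getxattr '$obj' user.rgw.iam-policy > '$1.iam-policy.bak'"
    echo "rados -p default.rgw.meta -N root rmxattr '$obj' user.rgw.iam-policy"
}

# Constructed sample of bucket stats output (all values are made up).
SAMPLE_STATS='{
    "bucket": "photos",
    "id": "a1b2c3d4-0000-4000-8000-constructed.4567.1",
    "marker": "a1b2c3d4-0000-4000-8000-constructed.4567.1",
    "owner": "example-user"
}'

# Dry run on the sample. On a cluster, pipe real output instead:
#   radosgw-admin bucket stats --bucket photos | policy_removal_plan photos
printf '%s\n' "$SAMPLE_STATS" | policy_removal_plan photos
```

Review the printed commands before running them; the saved .bak file keeps a copy of the policy text so it can be inspected or rewritten after the attribute is removed.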