Skip to content

storage: treat 403 on HeadBucket as bucket-exists#38

Open
temap wants to merge 1 commit into
cirruslabs:mainfrom
temap:apanfilov/bucket-permissions
Open

storage: treat 403 on HeadBucket as bucket-exists#38
temap wants to merge 1 commit into
cirruslabs:mainfrom
temap:apanfilov/bucket-permissions

Conversation

@temap

@temap temap commented Jul 15, 2026

Copy link
Copy Markdown

When the caller lacks s3:ListBucket, HeadBucket returns 403 Forbidden. The object-level permissions (PutObject/GetObject) are sufficient for caching. Proceed instead of falling through to CreateBucket.

When the caller lacks s3:ListBucket, HeadBucket returns 403 Forbidden.
The object-level permissions (PutObject/GetObject) are sufficient for
caching.

Proceed instead of falling through to CreateBucket.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9cf4685e2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread pkg/storage/storage_s3.go
// Object-level permissions (PutObject/GetObject) are sufficient for caching.
var apiErr smithy.APIError
if errors.As(err, &apiErr) && apiErr.ErrorCode() == "Forbidden" {
s.bucketReady = true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't accept no-ListBucket mode before fixing misses

When this branch accepts a bucket whose caller lacks s3:ListBucket, ordinary cache misses stop behaving like misses: AWS documents HeadObject as returning 403 for absent objects without s3:ListBucket (docs), but cacheInfoForKey only maps 404/NoSuchKey-style errors to ErrCacheNotFound. In that permission profile, protocols that call CacheInfo will surface normal misses as errors instead of allowing uploads, so mark the bucket ready only after the miss path handles 403 appropriately for this mode.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant