From d49c5e2b32273c2902b7bba6d28094961d940f5a Mon Sep 17 00:00:00 2001
From: Nathan Handler
Date: Tue, 28 Mar 2023 14:37:21 -0700
Subject: [PATCH] Don't Specify an ACL by Default (Fixes #110) ACLs in S3 predate IAM. They are also no longer recommended. Instead, users are encouraged to rely on IAM and Bucket Policies to manage access. Amazon is even going to start disabling ACLs on new buckets (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html).Users are also generally encouraged to set `BucketOwnerEnforced` on existing buckets to disable ACLs. When ACLs are disabled on a bucket, attempts to call `s3:PutObject` while specifying an `acl` parameter will cause an `AccessControlListNotSupported` error from AWS specifying that `The bucket does not allow ACLs`. This change updates the plugin so that there is no longer a default value for the ACL. The plugin will now only pass an ACL to `s3:PutObject` if one is explicitly specified by the user.
---
 main.go | 1 -
 plugin.go | 5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index cc2c333..ff8e90b 100644
--- a/main.go
+++ b/main.go
@@ -67,7 +67,6 @@ func main() {
 cli.StringFlag{
 Name: "acl",
 Usage: "upload files with acl",
- Value: "private",
 EnvVar: "PLUGIN_ACL",
 },
 cli.StringFlag{
diff --git a/plugin.go b/plugin.go
index b4757e4..85fc85c 100644
--- a/plugin.go
+++ b/plugin.go
@@ -194,7 +194,6 @@ func (p *Plugin) Exec() error {
 Body: f,
 Bucket: &(p.Bucket),
 Key: &target,
- ACL: &(p.Access),
 }
 if contentType != "" {
@@ -217,6 +216,10 @@ func (p *Plugin) Exec() error {
 putObjectInput.StorageClass = &(p.StorageClass)
 }
+ if p.Access != "" {
+ putObjectInput.ACL = &(p.Access)
+ }
+
 _, err = client.PutObject(putObjectInput)
 if err != nil {
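Review bot: The new `if p.Access != ""` guard in Exec carries no comment, so the reason the ACL became optional lives only in the commit message; I would add `// Send an ACL only when one is configured: buckets with ACLs disabled can reject PutObject requests that carry one.` directly above it. The configured value is still forwarded to S3 as-is, so on a bucket that has ACLs enabled a pipeline setting such as `public-read` continues to publish objects; logging the effective ACL, or checking it against the known canned values before the `client.PutObject` call, would make that visible in build output. The `acl` flag in main.go could also state in its `Usage` text that nothing is sent when the setting is unset. Exec's body starts and ends outside this hunk.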