Tags: amazon-s3, ansible, backblaze

Ansible S3 object upload to Backblaze returns 403 for PutObjectAcl


I am trying to use Ansible's community S3 task to upload a file to S3-compatible Backblaze but alas no success.

My task definition is:

- name: Install required dependencies
  pip: name=boto3

- name: Copy backup files to S3 bucket
  amazon.aws.aws_s3:
    bucket: personal-backup
    object: "{{ inventory_hostname }}/{{ item }}"
    src: "{{ item }}"
    mode: put
    permission: "private"
    s3_url: "https://s3.us-west-002.backblazeb2.com"
  environment:
    AWS_ACCESS_KEY: "<redacted>"
    AWS_SECRET_ACCESS_KEY: "{{ personal_backup_secret }}"
  loop: "{{ backup_files }}"

Which seems like it should be correct. But I keep getting this error:

{"ansible_loop_var": "item", "boto3_version": "1.20.37", "botocore_version": "1.23.37", "changed": false, "error": {"code": "AccessDenied", "message": "not entitled"}, "item": "/home/user/file.txt", "msg": "Unable to set object ACL: An error occurred (AccessDenied) when calling the PutObjectAcl operation: not entitled", "response_metadata": {"host_id": "aZWQ4m", "http_headers": {"cache-control": "max-age=0, no-cache, no-store", "content-length": "139", "content-type": "application/xml", "date": "Sun, 16 Jan 2022 23:40:01 GMT", "x-amz-id-2": "aZWQ4mDC", "x-amz-request-id": "9c8d9f2f6"}, "http_status_code": 403, "request_id": "9c8d9f2f61", "retry_attempts": 0}}

Which is odd because according to BackBlaze documentation:

The Put Object ACL call only supports the same canned ACL values mentioned previously. The call will succeed only when specified ACL matches the ACL of the bucket.

Meaning that the object permission ("private") needs to match the bucket permission... but my bucket is marked as private so that should already be okay. The application key I am using does have "writeFiles" permission (confirmed in UI) which should have access to "Put Object ACL" as per the same Backblaze documentation page.

So, I am surprised it doesn't work, and not sure how to work around it. Anyone get Ansible working with Backblaze before? Thanks!

Edit: Oh, the upload actually worked (it takes a while before it shows up in the UI). But it does still error out which is not good for an Ansible task. I guess it must upload as one step internally, then try to adjust ACL as another step which is the part that fails.


Solution

  • For those who stumble upon this ... the solution is to generate an access key that has "writeBuckets" permission (this is set by selecting "all" in the screenshot below, instead of selecting a particular bucket).

    This is obviously a non-ideal solution because then you have to have that application key get access to all buckets, not just the one that you want for that particular application use case (which is against security best practices). That doesn't seem like it should be necessary for all because you are only ever interacting with that single bucket.

    I am going to give feedback to Backblaze team that it is not ideal.

    [Screenshot: Backblaze "Add Application Key" form with bucket access set to "All" rather than a single bucket]
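The two-step behaviour inferred in the question (PutObject succeeds, the separate PutObjectAcl is refused with 403 "not entitled" for a bucket-scoped key) and the least-privilege concern raised in the answer, modelled as an added Python example. This is not the Ansible module's, boto3's or Backblaze's code: the FakeS3 client below is constructed to reproduce the behaviour reported in this thread (capability names writeFiles / writeBuckets and the error text come from the thread), and the uploader functions are hypothetical. The point it shows is that on Backblaze the ACL call can only succeed when the requested canned ACL equals the bucket's, so an uploader that skips the call in that case needs no key widened to all buckets.

```python
"""Model of the upload-then-set-ACL sequence against an S3-compatible endpoint.

Added illustration, not code from the Ansible module or Backblaze. The fake
client mirrors what the thread reports: a bucket-scoped key with writeFiles
can PutObject, but its PutObjectAcl is refused with 403 "not entitled"; a key
with access to all buckets (writeBuckets) is accepted.
"""
from dataclasses import dataclass, field
from typing import Optional


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed)."""

    def __init__(self, operation, code, message, status):
        super().__init__(
            f"An error occurred ({code}) when calling the {operation} operation: {message}")
        self.operation, self.code, self.status = operation, code, status


@dataclass
class FakeS3:
    """Constructed S3-compatible endpoint; not a real Backblaze client."""
    bucket_acl: dict                      # bucket name -> canned ACL of the bucket
    key_caps: set                         # capabilities of the application key
    key_bucket: Optional[str] = None      # bucket the key is restricted to, or None for all
    objects: dict = field(default_factory=dict)  # (bucket, key) -> effective ACL

    def _deny(self, operation):
        raise ClientError(operation, "AccessDenied", "not entitled", 403)

    def put_object(self, Bucket, Key, Body):
        # writeFiles on a key scoped to this bucket (or to all buckets) is enough.
        if "writeFiles" not in self.key_caps or self.key_bucket not in (None, Bucket):
            self._deny("PutObject")
        self.objects[(Bucket, Key)] = self.bucket_acl[Bucket]

    def put_object_acl(self, Bucket, Key, ACL):
        # As reported in the thread: refused unless the key covers all buckets.
        if self.key_bucket is not None or "writeBuckets" not in self.key_caps:
            self._deny("PutObjectAcl")
        # Backblaze docs: only a canned ACL equal to the bucket's ACL is accepted.
        if ACL != self.bucket_acl[Bucket]:
            raise ClientError("PutObjectAcl", "InvalidRequest", "ACL must match bucket", 400)
        self.objects[(Bucket, Key)] = ACL


def upload_like_aws_s3(client, bucket, key, body, acl="private"):
    """Same order as the aws_s3 module: upload first, then set the object ACL.

    Returns (uploaded, acl_error) so the caller can see that the object was
    stored even when the ACL step failed (the partial success seen in the thread).
    """
    client.put_object(Bucket=bucket, Key=key, Body=body)
    try:
        client.put_object_acl(Bucket=bucket, Key=key, ACL=acl)
    except ClientError as err:
        return True, err
    return True, None


def upload_least_privilege(client, bucket, key, body, acl, bucket_acl):
    """Hypothetical uploader that keeps a bucket-scoped writeFiles key.

    On Backblaze PutObjectAcl can only succeed when the canned ACL equals the
    bucket's, so when the caller already knows they match the call is skipped
    instead of widening the key to all buckets. Returns True on success.
    """
    client.put_object(Bucket=bucket, Key=key, Body=body)
    if acl != bucket_acl:
        client.put_object_acl(Bucket=bucket, Key=key, ACL=acl)
    return True


def scoped_key_client():
    """Key restricted to one private bucket with writeFiles only (constructed)."""
    return FakeS3(bucket_acl={"personal-backup": "private"}, key_caps={"writeFiles"},
                  key_bucket="personal-backup")


def all_buckets_client():
    """Key with access to all buckets, i.e. writeBuckets as well (constructed)."""
    return FakeS3(bucket_acl={"personal-backup": "private"},
                  key_caps={"writeFiles", "writeBuckets"}, key_bucket=None)


if __name__ == "__main__":
    c = scoped_key_client()
    ok, err = upload_like_aws_s3(c, "personal-backup", "host/file.txt", b"data")
    print("uploaded:", ok, "| acl error:", err)           # object stored, ACL step refused
    print("object present:", ("personal-backup", "host/file.txt") in c.objects)
    c2 = scoped_key_client()
    print("least privilege:", upload_least_privilege(
        c2, "personal-backup", "host/file.txt", b"data", "private", "private"))
```

The first call reproduces the thread's outcome (the object is in the bucket, the task still reports a PutObjectAcl failure); the second shows that when the requested ACL and the bucket ACL are both "private" there is nothing for the ACL call to do, so a key scoped to the single bucket suffices.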