Opened 9 months ago

Last modified 9 months ago

#12663 moreinfo Bug report

Error: Please verify the user name and password used to connect.

Reported by: itsupport Owned by:
Priority: normal Component: FileZilla Client
Keywords: Cc:
Component version: Operating system type: Windows
Operating system version:

Description

Hello,

We have FileZilla Pro and connecting to an S3 bucket via a IAM user creds access and secrete key. The policy we have will allow users to see all buckets and go inside the buckets to view sub-folders.

However we are having an issue with connecting to the actual buckets with it returning an error "Error: Please verify the user name and password used to connect"

Any thoughts as to why this is happening when the policy should allow the access? Just another piece of info. We also use cloudberry and it allows access to those buckets.

Attachments (1)

FileZilla.log (2.0 KB ) - added by itsupport 9 months ago.
Here is a copy of the log when it happens. I have my keys stored in the site manager like they should so I don't know why it's asking for username and password to be verified.

Download all attachments as: .zip

Change History (8)

comment:1 by Tim Kosse, 9 months ago

Status: newmoreinfo

Please attach a complete log of this happening.

by itsupport, 9 months ago

Attachment: FileZilla.log added

Here is a copy of the log when it happens. I have my keys stored in the site manager like they should so I don't know why it's asking for username and password to be verified.

comment:2 by Tim Kosse, 9 months ago

Does the policy have s3:ListBucket on the bucket?

comment:3 by itsupport, 9 months ago

Status: moreinfonew

The policy does have s3:ListBucket. I will let you know I am using a wildcard in the Resource bucket name in order for it to find the name in over 200 bucekts. I'm not sure if FileZilla doesn't like the use of this wild card.

I was able to take a full bucket name and add it to the policy and was able to connect right away to that bucket. Example is below

"Resource": [

"arn:aws:s3:::Thisisatest-client-prd*"

comment:4 by itsupport, 9 months ago

Any word or are you able to find anything out?

comment:5 by Tim Kosse, 9 months ago

Status: newmoreinfo

Not sure I understand the example, it doesn't contain a full bucket name. Is it truncated? Another oddity with the example is the uppercase letter in the ARN.

Since listing available buckets works, but listing the objects within a bucket doesn't, means that at the very least the provided credentials are working and recognized by AWS. However the policy doesn't allow access to the requested bucket.

comment:6 by itsupport, 9 months ago

Status: moreinfonew

The example is showing the bucket name with a wild card. We have over 200 buckets that follow the same suit starting out with "awscheetah-client-prd-xxxxx" xxxxx representing the client name/id. We use a wild card * at the end of the first part so that it recognizes all of the clients instead of having to completely write out the whole bucket for each client which would make the policy giant.

Inside our policy we list our sub-folders inside the buckets which should allow us to go inside that bucket and view those folders. We have this same policy for several users and it works everywhere minus FileZilla.

Does FileZilla restrict using wildcards inside a bucket policy name vs listing out the whole bucket name?

comment:7 by Tim Kosse, 9 months ago

Status: newmoreinfo

Inside our policy we list our sub-folders inside the buckets which should allow us to go inside that bucket and view those folders. We have this same policy for several users and it works everywhere minus FileZilla.

What about the permissions to list from the root of that bucket? If you do not have permission to list the root, you need to enter the specific subdirectory in the bucket as default remote directory in the Site Manager, e.g. /bucketname/subdir/you/can/access

Does FileZilla restrict using wildcards inside a bucket policy name vs listing out the whole bucket name?

Clients do not care at all about what's in a policy. Policies are entirely enforced server-side.

There must be something wrong with your policy. When I create a policy to grant access to specific buckets, with wildcards, and assign this policy to an IAM user, everything works just as expected. Please attach your policy in its entirety so that I can check what may be wrong.

Note: See TracTickets for help on using tickets.