Xbcloud s3 get or put always makes a request to "/" resulting in 403 forbidden

I’m trying to back up to S3 using xbcloud but I get the error “xbcloud: Probe failed. Please check your credentials and endpoint settings.”

I’m using temporary AWS credentials to authenticate and this is the command I’m using:

xbcloud put example-backup --s3-access-key "${AWS_ACCESS_KEY_ID}" --s3-secret-key "${AWS_SECRET_ACCESS_KEY}" --s3-session-token "${AWS_SESSION_TOKEN}" --storage=s3 --s3-bucket=<my-bucket-here>

When I add --verbose I can see a HEAD request is made to “/” which returns a 403 as no such file exists. Here’s the request:

xbcloud put example-backup --s3-access-key "${AWS_ACCESS_KEY_ID}" --s3-secret-key "${AWS_SECRET_ACCESS_KEY}" --s3-session-token "${AWS_SESSION_TOKEN}" --storage=s3 --s3-bucket=<my-bucket-here> --verbose
*   Trying
* Connected to mybucket.s3.us-east-1.amazonaws.com ( port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=s3.amazonaws.com
*  start date: Apr  1 00:00:00 2022 GMT
*  expire date: Mar 30 23:59:59 2023 GMT
*  subjectAltName: host "mybucket.s3.us-east-1.amazonaws.com" matched cert's "*.s3.us-east-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
Host: mybucket.s3.us-east-1.amazonaws.com
Accept: */*
Accept-Encoding: gzip
Authorization: AWS4-HMAC-SHA256 Credential=<redacted>/20220622/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=98952075c143fc002d2816e6a209fc3a29f3086f3994012eb8b7eca263fc054c
X-Amz-Content-SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20220622T100940Z
X-Amz-Security-Token: <redacted>

< HTTP/1.1 403 Forbidden
< x-amz-bucket-region: us-east-1
< x-amz-request-id: CJS7VQG9MVP52Y01
< x-amz-id-2: vW2rmHK6dROgeN22BuXd4wGztZkzEdhlMnt9u1109rLQNQuH0aYsymMkwJMcLmAQ6+h5Ry8WI04=
< Content-Type: application/xml
< Date: Wed, 22 Jun 2022 10:09:40 GMT
< Server: AmazonS3

How do I stop this request being made? Or is there anything I can do in S3 to make this pass?
I tried to enable static hosting on the bucket with / mapped to index.html but it didn’t help.
I also tested the same temporary credentials with the Minio client and it works OK there.

For anyone else having this issue, it was due to the IAM policy only allowing access to /* and not the root of the bucket itself. E.g., this is a working policy resource list:

                        Resource = [
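
An added example, not part of the original posts and not xbcloud or AWS code: a small checker that flags the scoping problem described in the answer. `HEAD /` on the bucket hostname is a bucket-level request, which S3 authorizes with `s3:ListBucket` on the bucket ARN, and a `/*` resource pattern matches object ARNs only. The bucket name, action list and object key are constructed placeholders, and the evaluation is simplified (it ignores Deny, NotAction, NotResource and Condition).

```python
import re

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, arn):
    """True if some Allow statement matches both the action and the ARN.
    Simplified: Deny, NotAction, NotResource and Condition are not evaluated."""
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if (any(iam_match(a, action, True) for a in actions)
                and any(iam_match(r, arn) for r in resources)):
            return True
    return False

def audit_bucket_policy(policy, bucket):
    """Report bucket-level and object-level coverage for one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "bucket_level": allows(policy, "s3:ListBucket", bucket_arn),
        "object_level": allows(policy, "s3:PutObject",
                               f"{bucket_arn}/example-backup/chunk"),
    }

BUCKET = "example-bucket"  # constructed placeholder bucket name
ACTIONS = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]  # assumed action list

def make_policy(resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ACTIONS,
                           "Resource": resources}]}

# Objects only: the bucket probe is refused with 403.
OBJECTS_ONLY = make_policy([f"arn:aws:s3:::{BUCKET}/*"])
# Bucket ARN plus objects: the probe and the uploads are both covered.
WITH_ROOT = make_policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])

if __name__ == "__main__":
    for name, policy in (("objects only", OBJECTS_ONLY), ("with root", WITH_ROOT)):
        print(name, audit_bucket_policy(policy, BUCKET))
```

Listing the bucket ARN and the `/*` ARN as two separate resources keeps the grant limited to this one bucket, whereas a single `arn:aws:s3:::example-bucket*` pattern would also match any other bucket whose name starts with the same prefix.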