vagrant-s3auth 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 497d147d5fb4636bd0653dcc502062c8ee3ccbc1
-  data.tar.gz: e1c85dcd893e04a9a74e65c3c6b709620d31cfde
+  metadata.gz: a06edc23d119892ccc9f71721ea458fc20485102
+  data.tar.gz: 2f402e2d249ab5db39a2e134030abd29b2d268ff
 SHA512:
-  metadata.gz: 7f6a8b6450e73759490ff0ae77f365283f47fc591f2b3a45e9bde151495aed5e63ef780ec33a794f6e8d92d543f32f1e2327ad50f2f8f43a9dec370997c00e55
-  data.tar.gz: df4ba738e97b5eceec09d7e02654b4bf3b2c17e74ada47db61f6507bb9a22d84f2cd241e62deb1dfab548f821cc838709cf6e8f0ad95f1ec671a171333f2c020
+  metadata.gz: d8e0d925b25da57e804918b179b956e15e09c83317f2aa1cdbc2ae3d9809128430b7c1f87ca3d951d446c34ca696dc1db9dc0ac94420e0225b388bea0d4924da
+  data.tar.gz: 9fdf565b0630c9efcb9a4aa1f220d4b01f2a6639a65b6d7c03687570d545ba6109cee4e2488552add9a56d631c347d5ef63f555607061d05f9dffd466a74d16f

data/.rubocop.yml

@@ -2,7 +2,7 @@ Lint/AssignmentInCondition:
   Enabled: false
 
 Metrics/AbcSize:
-  Max: 30
+  Max: 40
 
 Metrics/CyclomaticComplexity:
   Max: 12
@@ -12,7 +12,7 @@ Metrics/LineLength:
 
 Metrics/MethodLength:
   CountComments: false
-  Max: 20
+  Max: 25
 
 Metrics/PerceivedComplexity:
   Max: 15

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 1.0.2
+
+**25 December 2014**
+
+Enhancements:
+
+* provide better error messages when S3 API requests are denied [#9]
+* include IAM policy recommendations in README
+
 ## 1.0.1
 
 **21 December 2014**
@@ -50,3 +59,4 @@ Enhancements:
 
 [#1]: https://github.com/WhoopInc/vagrant-s3auth/issues/1
 [#7]: https://github.com/WhoopInc/vagrant-s3auth/issues/7
+[#9]: https://github.com/WhoopInc/vagrant-s3auth/issues/9

data/Gemfile.lock

@@ -23,7 +23,7 @@ GIT
 PATH
   remote: .
   specs:
-    vagrant-s3auth (1.0.1)
+    vagrant-s3auth (1.0.2)
       aws-sdk (~> 1.59.1)
 
 GEM

data/README.md

@@ -60,6 +60,34 @@ ENV['AWS_ACCESS_KEY_ID']     = creds[0].chomp
 ENV['AWS_SECRET_ACCESS_KEY'] = creds[1].chomp
 ```
 
+##### IAM configuration
+
+IAM accounts will need at least the following policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::BUCKET/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
+      "Resource": "arn:aws:s3:::BUCKET"
+    }
+  ]
+}
+```
+
+`s3:ListBucket` permission is not strictly necessary. vagrant-s3auth will never
+make a ListBucket request, but without ListBucket permission, a misspelled box
+name results in a 403 Forbidden error instead of a 404 Not Found error.
+
+See [AWS S3 Guide: User Policy Examples][aws-user-policy] for more.
+
 #### S3 URLs
 
 You can use any valid HTTP(S) URL for your object:
@@ -188,6 +216,7 @@ end
 
 
 [aws-signed]: http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader
+[aws-user-policy]: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html
 [bucket-vhost]: http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html#VirtualHostingExamples
 [metadata-boxes]: http://docs.vagrantup.com/v2/boxes/format.html
 [vagrant]: http://vagrantup.com

data/lib/vagrant-s3auth/errors.rb

@@ -15,6 +15,10 @@ module VagrantPlugins
         error_key(:malformed_shorthand_url)
       end
 
+      class BucketLocationAccessDeniedError < VagrantS3AuthError
+        error_key(:bucket_location_access_denied_error)
+      end
+
       class S3APIError < VagrantS3AuthError
         error_key(:s3_api_error)
       end

data/lib/vagrant-s3auth/extension/downloader.rb

@@ -27,6 +27,14 @@ module Vagrant
         end
 
         execute_curl_without_s3(options, subprocess_options, &data_proc)
+      rescue Errors::DownloaderError => e
+        if e.message =~ /403 Forbidden/
+          e.message << "\n\n"
+          e.message << I18n.t('vagrant_s3auth.errors.box_download_forbidden',
+            access_key: ENV['AWS_ACCESS_KEY_ID'],
+            bucket: s3_object && s3_object.bucket.name)
+        end
+        raise
       rescue AWS::Errors::MissingCredentialsError
         raise VagrantPlugins::S3Auth::Errors::MissingCredentialsError
       rescue AWS::Errors::Base => e

data/lib/vagrant-s3auth/util.rb

@@ -46,6 +46,10 @@ module VagrantPlugins
 
       def self.get_bucket_region(bucket)
         LOCATION_TO_REGION[AWS::S3.new.buckets[bucket].location_constraint]
+      rescue AWS::S3::Errors::AccessDenied
+        raise Errors::BucketLocationAccessDeniedError,
+          bucket: bucket,
+          access_key: ENV['AWS_ACCESS_KEY_ID']
       end
     end
   end

data/lib/vagrant-s3auth/version.rb

@@ -1,5 +1,5 @@
 module VagrantPlugins
   module S3Auth
-    VERSION = '1.0.1'
+    VERSION = '1.0.2'
   end
 end

data/locales/en.yml

@@ -21,3 +21,28 @@ en:
         Unable to communicate with Amazon S3 to download box. The S3 API reports:
 
             %{error}
+
+      bucket_location_access_denied_error: |-
+        Request for box's Amazon S3 region was denied.
+
+        This usually indicates that your user account with access key ID
+
+            %{access_key}
+
+        is misconfigured. Ensure your IAM policy allows the "s3:GetBucketLocation"
+        action for your bucket:
+
+            arn:aws:s3:::%{bucket}
+
+      box_download_forbidden: |-
+        This box is hosted on Amazon S3. A 403 Forbidden error usually indicates
+        that your user account with access key ID
+
+            %{access_key}
+
+        is misconfigured. Ensure your IAM policy allows the "s3:GetObject"
+        action for your bucket:
+
+            arn:aws:s3:::%{bucket}/*
+
+        It may also indicate the box does not exist, so check your spelling.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vagrant-s3auth
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Nikhil Benesch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-21 00:00:00.000000000 Z
+date: 2014-12-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk