S3 object store: set bucket-owner-full-control acl on upload (thanos-io#632)

amuraru · bwplotka · commit d4887bf8d64c · 2018-11-16T15:15:52.000Z
This is needed in environments where the sidecar is deployed in
one AWS account while the store bucket is owned by a different account
Without this ACL the storer cannot access data written
diff --git a/pkg/objstore/s3/s3.go b/pkg/objstore/s3/s3.go
@@ -234,7 +234,7 @@ func (b *Bucket) Exists(ctx context.Context, name string) (bool, error) {
 // Upload the contents of the reader as an object into the bucket.
 func (b *Bucket) Upload(ctx context.Context, name string, r io.Reader) error {
 	_, err := b.client.PutObjectWithContext(ctx, b.name, name, r, -1,
-		minio.PutObjectOptions{ServerSideEncryption: b.sse},
+		minio.PutObjectOptions{ServerSideEncryption: b.sse, UserMetadata: map[string]string{"X-Amz-Acl": "bucket-owner-full-control"}},
 	)
 
 	return errors.Wrap(err, "upload s3 object")

Original file line number	Diff line number	Diff line change
`@@ -234,7 +234,7 @@ func (b *Bucket) Exists(ctx context.Context, name string) (bool, error) {`
`234`	`234`	`// Upload the contents of the reader as an object into the bucket.`
`235`	`235`	`func (b *Bucket) Upload(ctx context.Context, name string, r io.Reader) error {`
`236`	`236`	`_, err := b.client.PutObjectWithContext(ctx, b.name, name, r, -1,`
`237`		`- minio.PutObjectOptions{ServerSideEncryption: b.sse},`
	`237`	`+ minio.PutObjectOptions{ServerSideEncryption: b.sse, UserMetadata: map[string]string{"X-Amz-Acl": "bucket-owner-full-control"}},`
`238`	`238`	`)`
`239`	`239`
`240`	`240`	`return errors.Wrap(err, "upload s3 object")`