Add tests for auto bucket region on priv/pubic bucket

Signed-off-by: Tiger Kaovilai <[email protected]>

Author: kaovilai

go.mod

@@ -31,8 +31,8 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.1
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
-	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/config v1.26.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.26
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
 	github.com/deckarep/golang-set/v2 v2.3.0
@@ -60,8 +60,8 @@ require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.26 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect

pkg/storage/aws/s3.go

@@ -6,8 +6,8 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	"github.com/aws/aws-sdk-go/aws/request"
@@ -29,15 +29,23 @@ func GetBucketRegion(bucket string) (string, error) {
 	// Client therefore needs to be configured with region.
 	// In local dev environments, you might have ~/.aws/config that could be loaded and set with default region.
 	// In cluster/CI environment, ~/.aws/config may not be configured, so set hinting region server explicitly.
-	// Also set to use anonymous credentials. If the bucket is private, this function would not work unless we modify it to take credentials.
+	// Also set to use anonymous credentials. This works for both public and private buckets as AWS Security
+	// confirmed that HeadBucket API (used by GetBucketRegion) doesn't enforce s3:ListBucket permissions
+	// for region retrieval - this is expected AWS behavior.
 	cfg, err := config.LoadDefaultConfig(context.Background(),
 		config.WithRegion("us-east-1"), // This is not default region being used, this is to specify a region hinting server that we will use to get region from.
-		config.WithCredentialsProvider(aws.AnonymousCredentials{}),
 	)
 	if err != nil {
 		return "", err
 	}
-	region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket)
+	region, err = manager.GetBucketRegion(context.Background(), s3.NewFromConfig(cfg), bucket, func(o *s3.Options) {
+		// AWS Security confirmed that anonymous credentials can be used here for GetBucketRegion.
+		// The HeadBucket API endpoint used internally by GetBucketRegion does not enforce
+		// s3:ListBucket permissions for retrieving bucket region information.
+		// Reference: AWS Security response (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)
+		// This is expected AWS behavior, not a security vulnerability.
+		o.Credentials = credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "")
+	})
 	if region != "" {
 		return region, nil
 	}

pkg/storage/aws/s3_test.go

@@ -14,12 +14,38 @@ func TestGetBucketRegion(t *testing.T) {
 		wantErr bool
 	}{
 		{
+			// Public bucket with s3:ListBucket permission works anonymously
+			// Note: While the bucket policy includes s3:ListBucket permission (shown below),
+			// AWS Security confirmed that HeadBucket API doesn't actually enforce this
+			// permission for region retrieval. The GetBucketRegion operation works with
+			// anonymous credentials on both public and private buckets.
+			// {
+			// 	"Version": "2012-10-17",
+			// 	"Statement": [
+			// 		{
+			// 			"Sid": "publicList",
+			// 			"Effect": "Allow",
+			// 			"Principal": "*",
+			// 			"Action": "s3:ListBucket",
+			// 			"Resource": "arn:aws:s3:::openshift-velero-plugin-s3-auto-region-test-1"
+			// 		}
+			// 	]
+			// }
+			// ❯ aws s3api head-bucket --bucket openshift-velero-plugin-s3-auto-region-test-1 --no-sign-request
+			// {
+			//     "BucketRegion": "us-east-1",
+			//     "AccessPointAlias": false
+			// }
 			name:    "openshift-velero-plugin-s3-auto-region-test-1",
 			bucket:  "openshift-velero-plugin-s3-auto-region-test-1",
 			region:  "us-east-1",
 			wantErr: false,
 		},
 		{
+			// Private bucket - AWS Security confirmed that HeadBucket API (used by GetBucketRegion)
+			// does NOT require credentials with s3:ListBucket permission for region retrieval.
+			// This is expected AWS behavior, not a security vulnerability.
+			// Reference: AWS Security Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg
 			name:    "openshift-velero-plugin-s3-auto-region-test-2",
 			bucket:  "openshift-velero-plugin-s3-auto-region-test-2",
 			region:  "us-west-1",