bug: only anonymous permissions checked properly

[sa7mon]

Bug

The default AWS credentials file ~/.aws/credentials is not being read, thus only checks for anonymous permissions are being made. AuthUsers in the output will likely always be [] - meaning "no permissions". This can be a false negative.

Reproduction

• Create a bucket in AWS S3 with no READ permissions (except implicit permission to the owner)
• Configure credentials with aws configure
• Run s3scanner -bucket your-bucket-here
• Observe the output INFO exists | your-bucket-here | us-east-1 | AuthUsers: [] | AllUsers: []

Expected output

INFO exists | s3scanner-private | us-east-1 | AuthUsers: [READ, READACP] | AllUsers: []

Thank you to Twitter user @thaivd98 for reporting this.

[thaivd98]

thank bro :D hope it will be fixed soon 🤪

[sa7mon]

Notes

https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/auth/#identityresolver
https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws#AnonymousCredentials
https://github.com/aws/aws-sdk-go-v2/blob/main/aws/credentials.go#L119
https://stackoverflow.com/questions/72452261/changing-the-default-authentication-methods-in-the-aws-go-sdk-v2
https://github.com/aws/aws-sdk-go-v2/blob/aa796dc315dececa534dce6a2df7cd303307a0aa/config/env_config.go#L20
https://sourcegraph.com/github.com/aws/aws-sdk-go-v2@main/-/blob/internal/shareddefaults/shared_config.go?L16:6-16:31#tab=references
https://github.dev/aws/aws-sdk-go-v2/blob/aa796dc315dececa534dce6a2df7cd303307a0aa/internal/shareddefaults/shared_config.go#L14
https://github.com/aws/aws-sdk-go-v2/blob/main/config/shared_config.go

https://news.ycombinator.com/item?id=40531301
https://news.ycombinator.com/item?id=40533318