When we click “Show complete raw” on this page, an S3 URL is generated for the job log in raw format. If we copy that URL and open it in a private window, we are able to view the complete log without any credentials for 5 min.
Below is the URL generated when we click “Show complete raw” under Pipelines/Jobs:
https://bucket-gitlab-artifacts.s3.eu-central-1.amazonaws.com/aa/f5/aaf50xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/2023_04_01/12111958/13925749/job.log?response-content-type=text%2Fplain%3B charset%3Dutf-8&response-content-disposition=inline&X-Amz-Expires=600&X-Amz-Date=20230404T080527Z&X-Amz-Security-Token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXXXXX%2F20230404%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The screenshot below shows the bucket permissions we have set in S3.
Below is the configuration we have set in the gitlab.rb file:
# Store CI artifacts (including job logs) in object storage instead of on local disk
gitlab_rails['artifacts_object_store_enabled'] = true
# Target S3 bucket
gitlab_rails['artifacts_object_store_remote_directory'] = "bucket-gitlab-artifacts"
# Connection settings: AWS S3, credentials taken from the instance IAM role
gitlab_rails['artifacts_object_store_connection'] = {
  'provider' => 'AWS',
  'region' => 'eu-central-1',
  'use_iam_profile' => true
}
As the generated URL is a pre-signed URL, is there any way we can require user credential validation when it is accessed from a private window?
Kindly let us know how we can avoid this security issue.
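To make concrete what the pre-signed URL in the post does and does not check, here is an added example (not code from the original post and not GitLab's own code). It parses the SigV4 query parameters of a URL with the same parameter set as the one above, computes the validity window from X-Amz-Date and X-Amz-Expires, and reports which request headers the signature covers. The sample URL, its bucket/key path and all token and signature values are constructed placeholders.

```python
"""Inspect what an AWS SigV4 pre-signed S3 URL binds.

Added example for the question above. A pre-signed URL is a bearer
capability: the signature is computed by the signer (here GitLab's IAM
role) over the query string and the listed X-Amz-SignedHeaders. Nothing
in the signature identifies the party that later fetches the URL, so
the browser session, cookies or any Authorization header the fetcher
sends are irrelevant to S3. Anyone holding the URL can use it until
X-Amz-Date + X-Amz-Expires.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample with the same parameters as the URL in the post.
# Bucket, object key, token, access key id and signature are placeholders.
SAMPLE_URL = (
    "https://bucket-gitlab-artifacts.s3.eu-central-1.amazonaws.com/"
    "aa/f5/aaf50000/2023_04_01/12111958/13925749/job.log"
    "?response-content-type=text%2Fplain%3B%20charset%3Dutf-8"
    "&response-content-disposition=inline"
    "&X-Amz-Expires=600"
    "&X-Amz-Date=20230404T080527Z"
    "&X-Amz-Security-Token=PLACEHOLDERTOKEN"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAPLACEHOLDER%2F20230404%2Feu-central-1%2Fs3%2Faws4_request"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0000"
)

REQUIRED = (
    "X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
    "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature",
)


def parse_presigned(url: str) -> dict:
    """Extract the security-relevant fields of a SigV4 pre-signed URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [k for k in REQUIRED if k not in q]
    if missing:
        raise ValueError(f"not a SigV4 pre-signed URL, missing {missing}")

    issued_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc
    )
    lifetime = int(q["X-Amz-Expires"])
    # parse_qs already percent-decoded the %2F separators in the credential scope
    access_key_id, _date, region, service, _term = q["X-Amz-Credential"].split("/")

    return {
        "host": parts.hostname,
        "key": parts.path.lstrip("/"),
        "issued_at": issued_at,
        "lifetime_seconds": lifetime,
        "expires_at": issued_at + timedelta(seconds=lifetime),
        # Only these request headers are covered by the signature.
        "signed_headers": [h.lower() for h in q["X-Amz-SignedHeaders"].split(";")],
        "access_key_id": access_key_id,
        "region": region,
        "service": service,
        # A session token means the signer used temporary (role) credentials.
        "temporary_credentials": "X-Amz-Security-Token" in q,
    }


def is_usable(info: dict, now: datetime) -> bool:
    """True if S3 would still accept the URL at time `now` (clock skew ignored)."""
    return info["issued_at"] <= now < info["expires_at"]


def header_is_signed(info: dict, header: str) -> bool:
    """Whether a request header is part of the signed material.

    Headers that carry the fetcher's identity (Cookie, Authorization) are
    never in X-Amz-SignedHeaders for a GitLab-issued URL, which is exactly
    why a private window can fetch the log: S3 never looks at them.
    """
    return header.lower() in info["signed_headers"]


if __name__ == "__main__":
    info = parse_presigned(SAMPLE_URL)
    print(f"object   : s3://{info['host'].split('.')[0]}/{info['key']}")
    print(f"valid    : {info['issued_at']:%Y-%m-%d %H:%M:%S}Z "
          f"-> {info['expires_at']:%Y-%m-%d %H:%M:%S}Z "
          f"({info['lifetime_seconds']} s)")
    print(f"signed headers   : {info['signed_headers']}")
    print(f"Cookie signed?   : {header_is_signed(info, 'Cookie')}")
    print(f"usable right now : {is_usable(info, datetime.now(timezone.utc))}")
```

Run it against the real URL from the post (with the masked values filled in) and it shows the same thing: X-Amz-SignedHeaders=host, so only the Host header is bound, and X-Amz-Expires=600 gives a ten-minute window from the X-Amz-Date stamp, during which the link works for any holder. There is no way to make S3 validate the GitLab user on a pre-signed URL, because the signature already carries the signer's authorization; the practical controls are a shorter expiry and, in GitLab's object storage settings, the proxy_download option (in the storage-specific form used above, gitlab_rails['artifacts_object_store_proxy_download'] = true), which has GitLab stream the object to the authenticated user instead of redirecting the browser to a pre-signed S3 URL. That option is mentioned here as the usual answer to this question; it is not part of the post.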