R2 Token Permissions Not Working Right

Unless I’m missing something obvious, I’m pretty sure I’m running into an R2 bug. I’m using a token with “Object Read & Write” permissions and get AccessDenied when using rclone to write an object to the bucket. I know I have the access id & secret key correct because as soon as I switch the token permissions to “Admin Read & Write” privileges, it starts working and rclone can now write new objects to the bucket. When I switch the token back, it stops working again.

What I’m doing is very simple:

sergey@ark ~> echo Hello World > myfile.txt
sergey@ark ~> rclone copyto myfile.txt r2:mcbuilds/myfile.txt
2023/08/28 21:58:52 ERROR : myfile.txt: Failed to copy: AccessDenied: Access Denied
        status code: 403, request id: , host id:
2023/08/28 21:58:52 ERROR : Attempt 1/3 failed with 1 errors and: AccessDenied: Access Denied
        status code: 403, request id: , host id:

Can you check that the token is assigned to the bucket you are trying to upload to?


The token is assigned to every bucket, and the problem persists.

Turns out rclone always tries to create the bucket you’re writing to, just in case it doesn’t exist. A limited-access user doesn’t have permission to do this, so the request fails.

You can add this to your rclone.conf to turn off this behavior and fix the problem:

no_check_bucket = true
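
For context on where that line goes, here is an added example that is not part of the original thread: a complete rclone remote section for R2 with the setting in place. It assumes the remote is named r2, as in the command above; the account ID and credentials are placeholders.

```ini
# rclone.conf (added example; values in <...> are placeholders)
[r2]
type = s3
provider = Cloudflare
# Credentials of the token scoped to "Object Read & Write"
access_key_id = <ACCESS_KEY_ID>
secret_access_key = <SECRET_ACCESS_KEY>
endpoint = https://<ACCOUNT_ID>.r2.cloudflarestorage.com
# Without this line rclone checks for the bucket and tries to create it
# before uploading. An object-scoped token is not allowed to create
# buckets, so that request returns 403 AccessDenied and the copy fails.
# With it set, rclone goes straight to the object write, so the narrower
# token is sufficient and the Admin token is not needed for uploads.
no_check_bucket = true
```

The same option is available per invocation as the `--s3-no-check-bucket` flag. With it enabled, a write to a bucket that does not exist fails instead of creating the bucket, so the bucket has to be created beforehand with a separate, more privileged token.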