Accessing Argo artifacts pointing a S3 folder returns Unauthorized #15800
Description
Pre-requisites
- I have double-checked my configuration
- I have tested with the
:latestimage tag (i.e.quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on:latest. If not, I have explained why, in detail, in my description below. - I have searched existing issues and could not find a match for this bug
- I'd like to contribute the fix myself (see contributing guide)
What happened? What did you expect to happen?
We have been using 3.6.15 for a while and now wanted to take >3.7.11 for the vulnerabilities fixes.
But then we face the issue that with versions containing this change (we tested 3.6.17 and 3.7.8), artifacts that points to folders in S3 with multiple files are returning "Unathorized".
Using versions before that change was introduced (3.6.16, 3.7.7) worked normally, showing our files in the folder.
Example:
URL: https://argo.server/artifact-files/argo-workflows-managed-[…]6d-363974844/outputs/dem-tiles/batch_0/
- With >=3.6.17, >=3.7.8: Unauthorized
- With previous versions: Can see the files in the folder
No relevant logs can be found in the server pods
Version(s)
v3.6.17, v3.6.19, v3.7.8, v3.7.12
Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.
metadata:
name: wonderful-octopus
namespace: argo-workflows-managed-development
labels:
example: "true"
spec:
entrypoint: write-files
templates:
- name: write-files
container:
image: alpine:3.19
command: [sh, -c]
args:
- |
mkdir -p /workvol/out/test
echo "hello from file 1" > /workvol/out/test/file1.txt
echo "hello from file 2" > /workvol/out/test/file2.txt
outputs:
artifacts:
- name: file1
path: /workvol/out/test/file1.txt
archive:
none: {}
- name: output-folder
path: /workvol/out
archive:
none: {}
ttlStrategy:
secondsAfterCompletion: 300Logs from the workflow controller
No logs (we have warning level)
Logs from in your workflow's wait container
No logs