Cloud Save Query requires Write Access?

I’m running a Cloud Save Query on Public player data from the client. I have an Access Control configuration that denies all access, and allows read access to Cloud Save data for players. When I run the query I receive a 403-Forbidden error. If I change the Access Control to allow write access to Cloud Save data it works.

Can you tell me if this is expected behavior, and how should I allow queries without allowing players to write to public data?

[edit]: for clarity, below is the Access Control config I’m using:

"Statements": [
    {
        "Sid": "DenyAccessToAllServices",
        "Action": ["*"],
        "Effect": "Deny",
        "Principal": "Player",
        "Resource": "urn:ugs:",
        "Version": "1.0.0"
    },
    {
        "Sid": "allow-cloud-save-read-access",
        "Effect": "Allow",
        "Action": ["Read"],
        "Principal": "Player",
        "Resource": "urn:ugs:cloud-save:",
        "Version": "3.2.0"
    },
    {
        "Sid": "Allow-Access-Cloud-Code-Module",
        "Effect": "Allow",
        "Action": ["*"],
        "Principal": "Player",
        "Resource": "urn:ugs:cloud-code:/v1/projects//modules/*"
    }
]

Thanks for posting the config!

Hmm so - just to clarify! - you should be able to Query on Player Data in the Public Access Class with read-only access (but not data in other Access Classes).

I don’t know for certain why it might be requiring write access and haven’t tried to replicate this yet, but I wonder if it’s because a Query uses an HTTP POST under the hood (and typically that’s considered a “write” action for a REST API but is also commonly used for any request that has a complex payload).

I vaguely recall a discussion of the trade-offs we had at one point; I’ll try and find out for sure.

As an idea for a workaround, I think you should be able to only allow write access to requests matching the path used for queries:

e.g. something like:

{
	"Sid": "allow-cloud-save-data-write-access",
	"Effect": "Allow",
	"Action": ["Write"],
	"Principal": "Player",
	"Resource": "urn:ugs:cloud-save:/v1/data/projects/*/players/query"
},
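
An added example, not part of the thread or of Unity's tooling: a small Python check that lists any Allow statement granting players Write on Cloud Save outside the query path from the workaround above. It assumes the statement fields shown in the posted config and that a Resource matches as a prefix with an optional trailing `*`; the two sample policies are constructed.

```python
# Query path copied from the workaround above; the sample policies are constructed.
QUERY_RESOURCE = "urn:ugs:cloud-save:/v1/data/projects/*/players/query"
CLOUD_SAVE = "urn:ugs:cloud-save:"

def covers_cloud_save(resource):
    # Assumption: a Resource matches as a prefix, with an optional trailing "*".
    prefix = resource.rstrip("*")
    return prefix.startswith(CLOUD_SAVE) or CLOUD_SAVE.startswith(prefix)

def audit_player_writes(policy):
    """Return the Sids of Allow statements that give players Write on
    Cloud Save resources other than the query path. Deny statements are
    not evaluated; this only reviews what has been allowed."""
    findings = []
    for st in policy.get("Statements", []):
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if st.get("Effect") != "Allow" or st.get("Principal") != "Player":
            continue
        if not {"Write", "*"} & set(actions):
            continue
        resource = st.get("Resource", "")
        if covers_cloud_save(resource) and resource != QUERY_RESOURCE:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings

def statement(sid, effect, actions, resource):
    return {"Sid": sid, "Effect": effect, "Action": actions,
            "Principal": "Player", "Resource": resource}

COMMON = [
    statement("DenyAccessToAllServices", "Deny", ["*"], "urn:ugs:"),
    statement("Allow-Access-Cloud-Code-Module", "Allow", ["*"],
              "urn:ugs:cloud-code:/v1/projects//modules/*"),
]
# Constructed: write opened on all of Cloud Save to get the query working.
BROAD = {"Statements": COMMON + [
    statement("allow-cloud-save-read-write", "Allow", ["Read", "Write"], CLOUD_SAVE)]}
# Constructed: read on Cloud Save plus write limited to the query path.
SCOPED = {"Statements": COMMON + [
    statement("allow-cloud-save-read-access", "Allow", ["Read"], CLOUD_SAVE),
    statement("allow-cloud-save-data-write-access", "Allow", ["Write"], QUERY_RESOURCE)]}

if __name__ == "__main__":
    print("broad :", audit_player_writes(BROAD))
    print("scoped:", audit_player_writes(SCOPED))
```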