(synthetics): getbucketlocation policy is incorrect #13572
Comments
csumpter
added
bug
github-actions
bot
added
the
@aws-cdk/aws-synthetics
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn. fixes aws#13572
|
What error are you seeing? Is it specific to the runtime you are using? Would be helpful if you can attache the documentation supporting the need to add this policy. We tested this use case when we wrote the construct and it work. I'm also troubled with the years old question "how did it work till now?" |
|
Hello @NetaNir - thank you for taking the time to respond. The specific runtime is ...
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::cw-syn-results-<account-id>-us-east-1/canary/us-east-1/testscanary-733-11b42a87105e/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::cw-syn-results-<account-id>-us-east-1"
]
},
...Versus the synthetics-cdk default role that gets provisioned is equivalent to: {
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::cw-syn-results-<account-id>-us-east-1/canary/us-east-1/testscanary-733-11b42a87105e/*"
]
},The above policy generates the following error in the canary logs:
|
peterwoodworth
added
p2
and removed
needs-triage
|
I am marking this issue as p2, which means that we are unable to work on this immediately. We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. |
|
We've just run across this issue, would be great if it could be fixed. |
|
There is an open PR for a fix for this issue. Would it be possible to review that and merge? |
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn. fixes #13572 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn. fixes aws#13572 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn. fixes aws#13572 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Synthetics canary default role policy contains the incorrect arn syntax for a call to
s3:GetBucketLocationWhen using Synthetics runtime "syn-nodejs-puppeteer-3.1" the canary will try to call
s3:GetBucketLocationbut with an improper policy which will result in denied access.Reproduction Steps
minimal amount of code that causes the bug (if possible) or a reference:
The current implementation on
masteris bugged:What did you expect to happen?
Allow the "syn-nodejs-puppeteer-3.1" runtime to operate correctly without generating IAM access denied errors.
What actually happened?
The role will be denied access by IAM get call
s3:GetBucketLocationon that S3 bucket.Environment
Other
Should be fixed by creating a separate policy that breaks
s3:GetBucketLocationout into a separate policy that is targeted specifically at just the bucket arn:This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: