Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

s3.Bucket: CDK Deploy: s3:PutBucketPolicy Access Denied #25983

Open
0xdevalias opened this issue Jun 15, 2023 · 14 comments
Open

s3.Bucket: CDK Deploy: s3:PutBucketPolicy Access Denied #25983

0xdevalias opened this issue Jun 15, 2023 · 14 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@0xdevalias
Copy link
Contributor

0xdevalias commented Jun 15, 2023

Describe the bug

When creating a new S3 bucket with publicReadAccess set to true:

const siteBucket = new Bucket(this, 'SiteBucket', {
  // ..snip..
  publicReadAccess: true,
  // ..snip..
})

Since the new AWS defaults on public buckets:

Attempting to deploy the stack will fail with an error like this:

CREATE_FAILED        | AWS::S3::BucketPolicy                | SiteBucketPolicy3AC1D0F8
API: s3:PutBucketPolicy Access Denied

Expected Behavior

Given this seems to be incompatible with the new defaults on AWS, I would expect that this should do some measure of:

  • Throw a TypeScript error as a disallowed combination of keys
  • Throw an actual runtime error + explain how to resolve it
  • Automagically set/default the underlying permissions/control policies/etc so that the code continues to 'just work' as expected; without needing to know the depths and intrinsic relations of the various settings to one another
  • Etc

Current Behavior

See above

Reproduction Steps

Deploy a stack with a new S3 Bucket with publicReadAccess set to true.

Possible Solution

See above + the solutions given on the following:

Additional Information/Context

Both of these are the same issue, but those users closed them prematurely as 'user issues', when in fact the CDK should more explicitly and correctly handle this situation:

This Reddit thread also contains a number of people who hit this same issue:

This is also the same root issue I believe, yet it mistakenly claims that it should be fixed from aws-cdk-lib >=2.77.0, but it seems to miss the edge case of the publicReadAccess key being set to true creating a AWS::S3::BucketPolicy:

You can also see my full original notes on this comment:

These sections of the docs may also be relevant:

CDK CLI Version

2.84.0

Framework Version

2.84.0

Node.js Version

v16.15.1

OS

macOS Ventura 13.3.1

Language

Typescript

Language Version

No response

Other information

N/A

@pahud
Copy link
Contributor

pahud commented Jun 15, 2023

Yes this makes sense to me. We should improve the user experience in this use case. I am making it a feature request and any pull request would be highly welcome and appreciated.

@pahud pahud added feature-request A feature should be added or improved. p2 effort/small Small work item – less than a day of effort and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 15, 2023
@0xdevalias
Copy link
Contributor Author

Not saying I will have capacity to look at implementing this, but a few initial code references/exploration for future me, or anyone who feels like improving this DX.


From #25358

If you meet any of the following criteria then you are not affected and can stop reading:

You are using aws-cdk-lib >= 2.60.0, the feature flag @aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy: true is set, and you are not using CloudFront logging; OR
You are using aws-cdk-lib >= 2.77.0

Looking at the CHANGELOG v2

Some relevant references/snippets from those issues/PRs:

I believe we should improve the property validation in L2 Bucket construct to improve better user experience.

Originally posted by @pahud in #25288 (comment)

Set ObjectOwnership: ObjectWriter automatically if and only if:

  • It is not provided by the user
  • AccessControl ACLs are configured (only if AccessControl != PRIVATE)

If the user does supply ObjectOwnership != ObjectWriter AND they try to set ACLs, we should error.

ObjectWriter was essentially the default behavior before the change to disable ACLs by default for new buckets so though this will update existing buckets it should not cause any breakage or replacement.

Originally posted by @MrArnoldPalmer in #25303

In #25303, changes were made to:

  • https://github.com/aws/aws-cdk/pull/25303/files
    • packages/aws-cdk-lib/aws-s3/lib/bucket.ts
      • Added the objectOwnership property to BucketBase (but seemingly not IBucket?)
      • Makes some changes to how ownershipControls and parseOwnershipControls work
        • ⚠️ I would need to look / think deeper about how the code here is used.. but at first glance, this sounds like it could be a relevant place to be adding functionality to fix this PR maybe?
    • packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
    • packages/@aws-cdk-testing/framework-integ/test/aws-s3/test/integ.bucket-acls.ts

Starting from April 2023, all newly created S3 buckets by default have S3 Block Public Access enabled and access control lists (ACLs) disabled, and this prevents the default logBucket for cloudfront to be created. This PR adds the ObjectOwnership property to ObjectWriter that allows the default log bucket to be successfully created.

Originally posted by @pahud in #25298

In #25298, changes were made to:

  • packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
    • Make sure to set objectOwnership to s3.ObjectOwnership.OBJECT_WRITER in your custom bucket.

      • This was added as a comment.. but it doesn't look like it's enforced in any types/etc.. I wonder if that can be made better?
      • Added objectOwnership: s3.ObjectOwnership.OBJECT_WRITER, to the logBucket created
  • packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
  • packages/aws-cdk-lib/aws-cloudfront/README.md

  • packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.ts
  • packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-extensive.js.snapshot/ (multiple files)
  • packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-logbucket.js.snapshot/ (multiple files)

Based on the above exploration, I think looking at parseOwnershipControls in packages/aws-cdk-lib/aws-s3/lib/bucket.ts would be a good place to start:

  • private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
    // Enabling an ACL explicitly is required for all new buckets.
    // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
    const aclsThatDoNotRequireObjectOwnership = [
    BucketAccessControl.PRIVATE,
    BucketAccessControl.BUCKET_OWNER_READ,
    BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
    ];
    const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl));
    if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
    return undefined;
    }
    if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
    throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
    }
    return {
    rules: [{
    objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER,
    }],
    };
    }

Without thinking about it too deeply, I think it might be relevant to add another check within this function (similar to accessControlRequiresObjectOwnership) for whether publicReadAccess is set to true, and if so, also require objectOwnership to be set to ObjectOwnership.OBJECT_WRITER.

I haven't looked too deeply to see if there are other cases throughout the CDK where there are other features that would cause this to need to be configured.

I also feel like we could potentially do something useful with the TypeScript types to pre-emptively inform the user that they are trying to do an invalid thing if they try and explicitly set objectOwnership to a value that is incompatible with:

  • the provided accessControl setting
  • the provided publicReadAccess setting
  • etc

@MrArnoldPalmer
Copy link
Contributor

I also feel like we could potentially do something useful with the TypeScript types to pre-emptively inform the user that they are trying to do an invalid thing if they try and explicitly set objectOwnership to a value that is incompatible with:

I don't think there is a great way to do this, usually we do this type of mutual exclusivity by manually detecting conflicting values and then throwing an error. That being said.

whether publicReadAccess is set to true, and if so, also require objectOwnership to be set to ObjectOwnership.OBJECT_WRITER.

Should we detect of publicReadAccess is set to true and then set objectOwnership ourselves? or should we throw and error and require the user to set it? The former seems to be easiest for the user and likely is what they expect.

@0xdevalias
Copy link
Contributor Author

Should we detect of publicReadAccess is set to true and then set objectOwnership ourselves? or should we throw and error and require the user to set it? The former seems to be easiest for the user and likely is what they expect.

@MrArnoldPalmer I think handling it for the user if they only specified publicReadAccess is definitely the better way, and in line with the existing patterns (Ref)

BUT, with the caveat that if they explicitly try to set the other 1-2 related properties to an invalid value (thus overriding the defaults), I would expect it to have a runtime error (which is in line with the existing patterns (Ref)), but also to give that guidance to me at 'dev time' through the TypeScript types.

@0xdevalias
Copy link
Contributor Author

0xdevalias commented Jun 28, 2023

Does someone has a working solution to deploy a public S3 bucket with CDK ?

@Aarbel Did you look at the stuff in #25983 ?

Eg. From the background research I did on that issue, I linked to this PR:

Which seemed to just be able to add objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,

So I suspect the solution may be as simple as:

new s3.Bucket(this, 'Bucket', {
  publicReadAccess: true,
  objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
})

But I haven't explicitly tested it.

That's also based on this:

Which to me, implies that just explicitly setting objectOwnership to the old default of s3.ObjectOwnership.OBJECT_WRITER sounds like it should restore the previous functionality.

We can see here that parseOwnershipControls will automatically set objectOwnership to OBJECT_WRITER when accessControl is set to a value that requires it:

  • private parseOwnershipControls(): CfnBucket.OwnershipControlsProperty | undefined {
    // Enabling an ACL explicitly is required for all new buckets.
    // https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
    const aclsThatDoNotRequireObjectOwnership = [
    BucketAccessControl.PRIVATE,
    BucketAccessControl.BUCKET_OWNER_READ,
    BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
    ];
    const accessControlRequiresObjectOwnership = (this.accessControl && !aclsThatDoNotRequireObjectOwnership.includes(this.accessControl));
    if (!this.objectOwnership && !accessControlRequiresObjectOwnership) {
    return undefined;
    }
    if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
    throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
    }
    return {
    rules: [{
    objectOwnership: this.objectOwnership ?? ObjectOwnership.OBJECT_WRITER,
    }],
    };
    }

Though if that doesn't work, then this Reddit answer suggests this:

const bucket = new s3.Bucket(this, 'WebsiteBucket', {
  // your other bucket configurations
  publicReadAccess: true,
  blockPublicAccess: new s3.BlockPublicAccess({
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  }),

We can see what each of the blockPublicAccess items does here:

Originally posted by @0xdevalias in #25358 (comment)

@0xdevalias
Copy link
Contributor Author

Following up my above comment, I actually tested all of the various cdk synth output for each of the proposed options, which should give a better idea of what the current impacts are in cdk 2.84.0, and what should be changed here to properly fix things:

Edit: To add some more 'concrete evidence' (rather than assumptions) of what each of these options does (on CDK 2.84.0), here are the relevant outputs for each from cdk synth. Diff highlighting based on difference from 'Option 1':

Option 1:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 2:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 3:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ blockPublicAccess: new BlockPublicAccess({
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ }),
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Option 4:

new Bucket(this, 'TestPublicBucket', {
- publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
-TestPublicBucketPolicyB64BAA28:
-  Type: AWS::S3::BucketPolicy
-  Properties:
-    Bucket:
-      Ref: TestPublicBucket87623E53
-    PolicyDocument:
-      Statement:
-        - Action: s3:GetObject
-          Effect: Allow
-          Principal:
-            AWS: "*"
-          Resource:
-            Fn::Join:
-              - ""
-              - - Fn::GetAtt:
-                    - TestPublicBucket87623E53
-                    - Arn
-                - /*
-      Version: "2012-10-17"

Option 5:

new Bucket(this, 'TestPublicBucket', {
- publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
-TestPublicBucketPolicyB64BAA28:
-  Type: AWS::S3::BucketPolicy
-  Properties:
-    Bucket:
-      Ref: TestPublicBucket87623E53
-    PolicyDocument:
-      Statement:
-        - Action: s3:GetObject
-          Effect: Allow
-          Principal:
-            AWS: "*"
-          Resource:
-            Fn::Join:
-              - ""
-              - - Fn::GetAtt:
-                    - TestPublicBucket87623E53
-                    - Arn
-                - /*
-      Version: "2012-10-17"

Option 6:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
+ blockPublicAccess: {
+   blockPublicAcls: false,
+   ignorePublicAcls: false,
+   blockPublicPolicy: false,
+   restrictPublicBuckets: false,
+ },
+ accessControl: BucketAccessControl.PUBLIC_READ,
+ objectOwnership: ObjectOwnership.OBJECT_WRITER,
})
TestPublicBucket87623E53:
  Type: AWS::S3::Bucket
+ Properties:
+   AccessControl: PublicRead
+   OwnershipControls:
+     Rules:
+       - ObjectOwnership: ObjectWriter
+   PublicAccessBlockConfiguration:
+     BlockPublicAcls: false
+     BlockPublicPolicy: false
+     IgnorePublicAcls: false
+     RestrictPublicBuckets: false
  UpdateReplacePolicy: Retain
  DeletionPolicy: Retain
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Resource
TestPublicBucketPolicyB64BAA28:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: TestPublicBucket87623E53
    PolicyDocument:
      Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal:
            AWS: "*"
          Resource:
            Fn::Join:
              - ""
              - - Fn::GetAtt:
                    - TestPublicBucket87623E53
                    - Arn
                - /*
      Version: "2012-10-17"
  Metadata:
    aws:cdk:path: REDACTED/TestPublicBucket/Policy/Resource

Based on the above, I think the full command (until #25983 is fixed) might actually be:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
  blockPublicAccess: {
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  },
  accessControl: BucketAccessControl.PUBLIC_READ,
  objectOwnership: ObjectOwnership.OBJECT_WRITER,
})

Though due to the helpers already implemented in parseOwnershipControls, I think we can currently drop objectOwnership and so probably get away with just:

new Bucket(this, 'TestPublicBucket', {
  publicReadAccess: true,
  blockPublicAccess: {
    blockPublicAcls: false,
    ignorePublicAcls: false,
    blockPublicPolicy: false,
    restrictPublicBuckets: false,
  },
  accessControl: BucketAccessControl.PUBLIC_READ,
})

Originally posted by @0xdevalias in #25358 (comment)

@Aarbel
Copy link

Aarbel commented Jul 3, 2023

For anybody who finds this issue, here what worked for us with cdk 2.83.1:

Example

bucket.grantWrite(workerNodejsFunction);
bucket.grantPutAcl(workerNodejsFunction);
  • Define well bucket props to force Acl (legacy) use

Example

    this.publicAssetsBucket = new s3.Bucket(
      this,
      "myBucket",
      {
        blockPublicAccess: new s3.BlockPublicAccess({
          blockPublicAcls: false,
          blockPublicPolicy: false,
          ignorePublicAcls: false,
          restrictPublicBuckets: false,
        }),
        objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
        ...
      }
    );

@ChenKuanSun
Copy link

Screen.Recording.2023-07-28.at.04.21.28.mov

I've also encountered this issue. I believe we should alert the user to set blockPublicAccess during development, rather than encountering an error at runtime. Thus, I've written a type check for this. If everyone agrees, I will open a PR.

@rectalogic
Copy link
Contributor

So we used to create a bucket like this:

s3.Bucket(
    self, "Bucket",
    public_read_access=True,
    enforce_ssl=True,
    removal_policy=RemovalPolicy.DESTROY,
)

After discussing this with AWS support, the correct way to create a bucket with the same permissions now, is:

s3.Bucket(
    self, "Bucket",
    public_read_access=True,
    block_public_access=s3.BlockPublicAccess(
        block_public_acls=False,
        block_public_policy=False,
        ignore_public_acls=False,
        restrict_public_buckets=False,
    ),
    object_ownership=s3.ObjectOwnership.OBJECT_WRITER,
    enforce_ssl=True,
    removal_policy=RemovalPolicy.DESTROY,
)

@awhillas
Copy link

awhillas commented Oct 1, 2023

Thanks @rectalogic ! But this is ugly! the whole point of using CDk is that there are sensible defaults for all of these permissions. Ether make this stuff default when public_read_access=True is set or make a new s3 object that does this and recommend this for ppl who don't care about fine grained control of permissions!

@mattbbc
Copy link

mattbbc commented Nov 3, 2023

I am still unable to get this to work unless I disable account-level public access block, and I'm not sure I really want to do that. I've tried various of the above permutations, including trying to append a bucket policy after bucket creation in the code, but I keep getting access denied errors at the bucket policy creation point. I would be interested to know if those that got it to work had disabled the account-level block on S3 buckets or not.

@AllanOricil
Copy link

jesus. I just wanted to make a static web page hosted on an s3 bucket. Thank you everyone for your help.

@kitsunekyo
Copy link

kitsunekyo commented May 3, 2024

in case someone else wastes a full day due to this change:

adding blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS, is enough

const websiteBucket = new s3.Bucket(this, "WebsiteBucket", {
  websiteIndexDocument: "index.html",
  publicReadAccess: true,
  blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS,
});

"aws-cdk-lib": "2.140.0"

would be great if someone at aws would update the docs:
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3_deployment-readme.html

@AllanOricil
Copy link

AllanOricil commented May 3, 2024

Another thing that I noticed yesterday is that the "bucket policy" that grants the Cloudfront Origin Access identity (Cloudfront special user) access to the bucket objects (s3:GetObject) isn't being added to the bucket. Even when you declare the following in your CDK. The diff command is also not showing that this is going to be created.

    staticSiteBucket.grantRead(staticSiteOriginAccessIdentity);

    // NOTE: THIS IS REQUIRED EVEN WITH THE ABOVE LINE
    staticSiteBucket.addToResourcePolicy(
      new iam.PolicyStatement({
        actions: ["s3:GetObject"],
        resources: [staticSiteBucket.arnForObjects("*")],
        principals: [
          new iam.CanonicalUserPrincipal(
            staticSiteOriginAccessIdentity.cloudFrontOriginAccessIdentityS3CanonicalUserId
          ),
        ],
      })
    );

With the aforementioned lines, I was expecting to see this policy in the S3 Bucket, but they arent being created.

image

To get the Cloudfront Origin Access Identity ID I had to go to cloudformation and expand the list of resources of my stack.

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-s3 Related to Amazon S3 effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Development

No branches or pull requests

10 participants