fix(synthetics): correct getbucketlocation policy
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy does not correctly allow that action.

The policy should allow for that call directly on the bucket arn.

fixes aws#13572
Cameron Sumpter committed Mar 12, 2021
1 parent 165a3d8 commit 5a72897
Showing 3 changed files with 60 additions and 21 deletions.
6 changes: 5 additions & 1 deletion packages/@aws-cdk/aws-synthetics/lib/canary.ts
Expand Up @@ -349,9 +349,13 @@ export class Canary extends cdk.Resource {
resources: ['*'],
actions: ['s3:ListAllMyBuckets'],
}),
new iam.PolicyStatement({
resources: [this.artifactsBucket.bucketArn],
actions: ['s3:GetBucketLocation'],
}),
new iam.PolicyStatement({
resources: [this.artifactsBucket.arnForObjects(`${prefix ? prefix+'/*' : '*'}`)],
actions: ['s3:PutObject', 's3:GetBucketLocation'],
actions: ['s3:PutObject'],
}),
new iam.PolicyStatement({
resources: ['*'],
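Review bot: The new `s3:GetBucketLocation` statement on `this.artifactsBucket.bucketArn` carries no comment saying why it is kept apart from the `s3:PutObject` statement that follows it, so a later tidy-up could fold the two back together and reintroduce the exact bug this commit fixes. Add above the new statement: `// s3:GetBucketLocation is a bucket-level action: it must be granted on the bucket ARN, not on the object ARNs (bucketArn/prefix/*) used for PutObject below.` Splitting the grant this way also keeps the role at least privilege, since the object-scoped statement no longer carries a bucket-level action it cannot use. The commit only updates the integ snapshots; unless a unit test already asserts a role statement with exactly this action and resource (not visible from the hunk), one would guard the split. The enclosing policy-statement list and its surrounding role construction begin before and end after this hunk.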
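--- a/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
+++ b/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
@@ -41,10 +41,17 @@
 "Resource": "*"
 },
 {
-"Action": [
-"s3:PutObject",
-"s3:GetBucketLocation"
-],
+"Action": "s3:GetBucketLocation",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"MyCanaryArtifactsBucket89975E6D",
+"Arn"
+]
+}
+},
+{
+"Action": "s3:PutObject",
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [
@@ -197,10 +204,17 @@
 "Resource": "*"
 },
 {
-"Action": [
-"s3:PutObject",
-"s3:GetBucketLocation"
-],
+"Action": "s3:GetBucketLocation",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"MyCanaryArtifactsBucket89975E6D",
+"Arn"
+]
+}
+},
+{
+"Action": "s3:PutObject",
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [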
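--- a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
+++ b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
@@ -30,10 +30,17 @@
 "Resource": "*"
 },
 {
-"Action": [
-"s3:PutObject",
-"s3:GetBucketLocation"
-],
+"Action": "s3:GetBucketLocation",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"mytestbucket8DC16178",
+"Arn"
+]
+}
+},
+{
+"Action": "s3:PutObject",
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [
@@ -163,10 +170,17 @@
 "Resource": "*"
 },
 {
-"Action": [
-"s3:PutObject",
-"s3:GetBucketLocation"
-],
+"Action": "s3:GetBucketLocation",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"MyCanaryOneArtifactsBucketDF4A487D",
+"Arn"
+]
+}
+},
+{
+"Action": "s3:PutObject",
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [
@@ -330,10 +344,17 @@
 "Resource": "*"
 },
 {
-"Action": [
-"s3:PutObject",
-"s3:GetBucketLocation"
-],
+"Action": "s3:GetBucketLocation",
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"MyCanaryTwoArtifactsBucket79B179B6",
+"Arn"
+]
+}
+},
+{
+"Action": "s3:PutObject",
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [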
