From 5a72897418a3c65d63725a878b51d0704b4790ac Mon Sep 17 00:00:00 2001
From: Cameron Sumpter
Date: Fri, 12 Mar 2021 12:59:39 -0500
Subject: [PATCH] fix(synthetics): correct getbucketlocation policy

When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role tries to call s3:getBucketLocation on the artifacts bucket, but the policy is incorrect to allow that action. The policy should allow for that call directly on the bucket arn.

fixes #13572
---
 .../@aws-cdk/aws-synthetics/lib/canary.ts |  6 ++-
 .../test/integ.asset.expected.json        | 30 +++++++++----
 .../test/integ.canary.expected.json       | 45 ++++++++++++++-----
 3 files changed, 60 insertions(+), 21 deletions(-)

diff --git a/packages/@aws-cdk/aws-synthetics/lib/canary.ts b/packages/@aws-cdk/aws-synthetics/lib/canary.ts
index 72d4b311ce6e3..764580c77c02c 100644
--- a/packages/@aws-cdk/aws-synthetics/lib/canary.ts
+++ b/packages/@aws-cdk/aws-synthetics/lib/canary.ts
@@ -349,9 +349,13 @@ export class Canary extends cdk.Resource {
         resources: ['*'],
         actions: ['s3:ListAllMyBuckets'],
       }),
+      new iam.PolicyStatement({
+        resources: [this.artifactsBucket.bucketArn],
+        actions: ['s3:GetBucketLocation'],
+      }),
       new iam.PolicyStatement({
         resources: [this.artifactsBucket.arnForObjects(`${prefix ? prefix+'/*' : '*'}`)],
-        actions: ['s3:PutObject', 's3:GetBucketLocation'],
+        actions: ['s3:PutObject'],
       }),
       new iam.PolicyStatement({
         resources: ['*'],
diff --git a/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json b/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
index 7d614f08201b7..256de95e7be25 100644
--- a/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
+++ b/packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
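Review bot: The new `s3:GetBucketLocation` statement carries no comment saying why it is separate from the `s3:PutObject` statement directly below it, and since the action used to live in that statement (on the object-key pattern), a later cleanup could easily fold it back and reintroduce the bug this commit fixes; add above the new `new iam.PolicyStatement({` the line `// s3:GetBucketLocation is a bucket-level action: grant it on the bucket ARN, not on the object-key pattern, and keep PutObject scoped to objects.`. Keeping the two statements apart is the right least-privilege shape, because each action is granted only on the resource type it actually applies to rather than on a combined resource list. The diffstat shows only the two integ snapshot files changing alongside canary.ts, so a unit assertion that the role policy contains exactly one `s3:GetBucketLocation` statement whose resource is `artifactsBucket.bucketArn` would pin the fix independently of the snapshots. The enclosing method of `Canary` begins and ends outside the hunk.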
@@ -41,10 +41,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryArtifactsBucket89975E6D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ @@ -197,10 +204,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryArtifactsBucket89975E6D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ diff --git a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json index 58412fee9bfbb..37c351b1186d7 100644 --- a/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json +++ b/packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json @@ -30,10 +30,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "mytestbucket8DC16178", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ @@ -163,10 +170,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryOneArtifactsBucketDF4A487D", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [ @@ -330,10 +344,17 @@ "Resource": "*" }, { - "Action": [ - "s3:PutObject", - "s3:GetBucketLocation" - ], + "Action": "s3:GetBucketLocation", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "MyCanaryTwoArtifactsBucket79B179B6", + "Arn" + ] + } + }, + { + "Action": "s3:PutObject", "Effect": "Allow", "Resource": { "Fn::Join": [