Support for publishing to buckets in different AWS accounts

[tkent]

👋 Hello - thanks for this great tool!

2020-04-05 Update: After trying to some combinations to make cross-account access work reliably, I've updated the description and suggested fix.

The Situation

Cross account access doesn't work if you publish artifacts from an account other than the bucket owner's account. There are two problems:

1. Objects added to the bucket by a principal in an external account are owned by the external account. As a result, any Get* action policies in the owning account won't work for those objects.
2. If there is a default encryption policy on the bucket, the per account/region aws/s3 key of the principal in the external account is used to encrypt the object. That means that at least decrypt access to that default key would be needed for all principals that should access the bucket (which is very messy).

For problem 1, if the ACL value could be specified, then that would allow users to avoid the issue. They could specify the canned ACL bucket-owner-full-control, which would remove the problem [1].

For problem 2, if the SSEKMSKeyId value could be specified, then users could specify a dedicated shared key encryption. That would allow encryption to happen and things to remain fairly easy to manage.

Suggested Solutions

FWIW, after going though the exercise of getting cross-account publishing working, I don't know if you should ever support it. I think the better solution is to just clearly document that publishing from a principal in a different account is not recommended due to these issues.

It's completely possible to get around the issues as described above, but just assuming a role in the owning account is much easier.

(note, this is probably related to #72)

[AndrewFarley]

So note/hint for anyone else running on this, in order to achieve this properly on a private bucket, I had to...

• Create a bucket policy which allowed the other accounts to use this bucket
• Ensure your bucket does not have encryption required/automatically and do not upload files with encryption (was too painful to get working multi-account)
• Since the s3 push plugin does not support --grants I have to upload with --acl bucket-owner-full-control
• Then I had to use a bit of a trick to copy in-place to add multi-account access via --grants per-file with the following command.

aws s3 cp --recursive s3://s3-reponame-here/helm-charts/ s3://s3-reponame-here/helm-charts/ --grants full=id=redacted_account_canonical_id_here full=id=redacted_account_2_canonical_id_here full=id=redacted_account_3_canonical_id_here --metadata '{"x-last-updated-at":"`date +%s`"}'

^ Note you may not want all your accounts to have full access as I do above, use "read" instead where relevant

For relevance to this specific bug report/feature request, this plugin needs to support --grants just like aws s3 cli does in order to grant multi-account access properly.