aws-cdk-lib/aws_s3: bucket.grantReadWrite missing PutObject* actions
What is the problem?
`bucket.grantReadWrite(lambda)` misses additional `PutObject*` actions, probably `PutObjectTagging` or `PutObjectAcl`. Issue is fixed by manually adding `*` after `PutObject` in the policy actions list.
Reproduction Steps
- create bucket with CDK
- create lambda with CDK
- call `bucket.grantReadWrite(lambda)` with CDK
- deploy
- invoke lambda that does PutObject with tags
What did you expect to happen?
If I grant lambda read and write I expect it to be able to write objects into S3
What actually happened?
AccessDenied from S3
CDK CLI Version
2.8.0
Framework Version
No response
Node.js Version
14
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Comments:12 (5 by maintainers)
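The following check is an added example, not code from the issue or from the CDK project. It evaluates IAM action wildcards against the actions a tagged `PutObject` needs, and shows that the `PutObject*` workaround also allows `s3:PutObjectAcl` while naming `s3:PutObjectTagging` explicitly does not. The three policies and all function names are constructed for illustration, and only identity-policy Allow/Deny matching is modelled.

```typescript
// Added example. The three policies are constructed for illustration, not CDK output.
type Statement = { Effect: "Allow" | "Deny"; Action: string[] };

// IAM action patterns are case-insensitive; "*" matches any run of characters, "?" exactly one.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + source + "$", "i").test(action);
}

// Identity-policy view only: allowed if some Allow matches and no Deny does.
function isAllowed(policy: Statement[], action: string): boolean {
  const hit = (effect: "Allow" | "Deny"): boolean =>
    policy.some((s) => s.Effect === effect && s.Action.some((p) => actionMatches(p, action)));
  return hit("Allow") && !hit("Deny");
}

// Required actions the policy fails to grant.
function missingActions(policy: Statement[], required: string[]): string[] {
  return required.filter((a) => !isAllowed(policy, a));
}

// Watched actions the policy allows although the workload does not need them.
function excessActions(policy: Statement[], watched: string[], required: string[]): string[] {
  return watched.filter((a) => isAllowed(policy, a) && required.indexOf(a) === -1);
}

// PutObject with a tag set needs s3:PutObjectTagging in addition to s3:PutObject.
const taggedPut: string[] = ["s3:PutObject", "s3:PutObjectTagging"];
// Write-side actions worth flagging when they are granted unintentionally.
const watched: string[] = ["s3:PutObjectAcl", "s3:PutObjectTagging"];

const read: string[] = ["s3:GetObject*", "s3:List*"];
const asReported: Statement[] = [{ Effect: "Allow", Action: [...read, "s3:PutObject"] }];
const wildcardFix: Statement[] = [{ Effect: "Allow", Action: [...read, "s3:PutObject*"] }];
const explicitFix: Statement[] = [
  { Effect: "Allow", Action: [...read, "s3:PutObject", "s3:PutObjectTagging"] },
];

const policies: Record<string, Statement[]> = { asReported, wildcardFix, explicitFix };
for (const name of Object.keys(policies)) {
  const p = policies[name];
  console.log(name, "missing:", missingActions(p, taggedPut), "excess:", excessActions(p, watched, taggedPut));
}
```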
Top GitHub Comments
Looks like that’s already been done actually - https://github.com/aws/aws-cdk/pull/18494 specifically includes `PutObjectTagging`
Is there anything else regarding this you need help with?
@daniel-gato I’m sorry, I hadn’t realized that the feature flags in v2 are only the specific ones documented in this link, and no other feature flags are toggleable. My mistake!
Under the hood, the BucketDeployment construct creates both a lambda function and a custom resource. Both of which are written by the CDK team. So, this construct works fine for me normally on the current version. Maybe you’re getting the error from somewhere else? What other infrastructure do you have in your code?