Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

aws-s3: grantPut not working as advertised

See original GitHub issue

The grantPut method documentation reads:

Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Reproduction Steps

const function = new lambda.Function(this, "FunkyTown", {...});
const bucket = new s3.Bucket(this, "AWholeLotOfBucket");
bucket.grantPut(function);

What did you expect to happen?

To add action s3:PutObject* thus:

Action:
  - s3:PutObject*
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

What actually happened?

Action:
  - s3:PutObject
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

Environment

  • **CDK CLI Version : 1.93.0
  • **Framework Version: 1.93.0
  • **Node.js Version: v14.16.0
  • **OS : Amazon Linux release 2 (Karoo)
  • **Language (Version): 3.9.9

Other

Link to docs: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html#grantwbrputidentity-objectskeypattern Link to original PR: https://github.com/aws/aws-cdk/pull/591

This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

2reactions
iliapolocommented, Mar 16, 2021

We don’t currently have a request for those policies. But you are welcome to be the first to make it 😃

1reaction
iliapolocommented, Mar 16, 2021

@PhilKershaw We decided against using * because it winds up granting PubObjectAcl - which is undesirable in most cases.

You can have a look at this PR for more context.

Read more comments on GitHub >

github_iconTop Results From Across the Web

CDK - ECS task can't access S3 bucket : r/aws - Reddit
My goal is to deploy an ecs cluster which reads and writes files to an S3 bucket. But i always get an access...
Read more >
s3.Bucket - AWS Documentation - Amazon.com
No information is available for this page.
Read more >
10 things you should know about using AWS S3 - Sumo Logic
Learn how to optimize Amazon S3 with top tips and best practices. Bucket limits, transfer speeds, storage costs, and more – get answers...
Read more >
A Step-by-Step Guide to Secure and Protect AWS S3 Buckets
Securing S3 buckets isn't complicated, which may be why it's often neglected. Here we walk through the process to protect AWS S3 buckets ......
Read more >
Troubleshooting Amazon AWS S3 REST API Log Source ...
Environment: All JSA versions. Diagnosing the problem: Verify that the certificate that is on the whitelist does not intersect with the server certificate...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

(aws-ecs): ECS Exec Support

Next page

(custom-resources): AwsCustomResource ignores the configured role if a prior instance was already instantiated