CDK allows creation of malformed S3 bucket policy
The CDK S3 `bucket.addToResourcePolicy` method allows the creation of a malformed resource policy, which for some reason validates OK when importing into Service Catalog, but then fails when the stack is deployed.
Reproduction Steps
I was assuming that running the `addToResourcePolicy` call on a bucket would automatically apply that policy to the bucket, since it was a method of the bucket itself, so I created the following TypeScript code.
`cdk synth` works fine and you even get the green checkbox if you upload it to Service Catalog, meaning it passed CloudFormation validation.
```typescript
// CDK v1 (1.27.0) module imports, as used in this report.
import * as s3 from '@aws-cdk/aws-s3';
import * as iam from '@aws-cdk/aws-iam';

const buildBucket = new s3.Bucket(this, 'BUILDBUCKET');
// Statement with no `resources`: synthesizes fine, rejected by S3 at deploy time.
buildBucket.addToResourcePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  principals: [
    new iam.AccountPrincipal('123456789012')
  ],
  actions: [
    "s3:*"
  ]
}));
```
Error Log
Attempting to actually deploy the service catalog entry results in the following error:
```
Statement is missing required element (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 12345; S3 Extended Request ID: 12345
```
Environment
- **CLI Version:** aws-cli/1.16.309 Python/3.6.0 Windows/10 botocore/1.13.45
- **Framework Version:** 1.27.0
- **OS:** Windows 10
- **Language:** TypeScript
Other
The correct code that will not throw a CloudFormation error on deployment is below:
```typescript
// Same statement, now scoped to the bucket ARN: deploys without MalformedPolicy.
buildBucket.addToResourcePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  principals: [
    new iam.AccountPrincipal('123456789012')
  ],
  actions: [
    "s3:*"
  ],
  resources: [
    buildBucket.bucketArn
  ]
}));
```
I feel that instead of passing `cdk synth`, the first example I gave above should throw the malformed policy error at synth time instead of synthesizing a broken stack that will be rejected by a CloudFormation deployment action. I'm not sure why TypeScript doesn't complain if you don't add a `resources` block, since this policy is not automatically applied to the bucket that I called `addToResourcePolicy()` on.
The other option would be to have CDK automatically apply this policy to the bucket if the `resources` section is missing from the policy.
Also, one more thing to note: even the above policy will not really work, as it's missing the `/*` from the ARN. To really work properly, it needs to be:
```typescript
// Object ARN (bucket ARN + '/*'): object-level actions only match this form.
buildBucket.addToResourcePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  principals: [
    new iam.AccountPrincipal('123456789012')
  ],
  actions: [
    "s3:*"
  ],
  resources: [
    buildBucket.bucketArn + '/*'
  ]
}));
```
This is a 🐛 Bug Report
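The deploy-time failure above is invisible to `cdk synth` because CDK only serializes the statement; S3 rejects it on the `PutBucketPolicy` call. As an added example (not CDK's code and not the reporter's), the following TypeScript lints a synthesized CloudFormation template for the three shapes the report walks through: a statement with no `Resource` element (the MalformedPolicy case), a statement that names only the bucket ARN (object actions never match), and one that names only the object ARN (bucket actions such as `s3:ListBucket` never match). The template and the CDK-style logical IDs are constructed by hand to mirror what `cdk synth` emits; the classification of which actions need an object versus a bucket ARN is a heuristic assumption, not an AWS-published table.

```typescript
// Added example: post-synth lint for AWS::S3::BucketPolicy statements.
// Not CDK code. Template below is constructed to mirror `cdk synth` output
// for the snippets in this issue; logical IDs are made up.

type Intrinsic = { [fn: string]: unknown };
type ResourceRef = string | Intrinsic;

interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal?: unknown;
  Action: string | string[];
  Resource?: ResourceRef | ResourceRef[];
}

interface Template {
  Resources: Record<string, {
    Type: string;
    Properties?: { PolicyDocument?: { Statement: Statement[] } };
  }>;
}

export interface Finding { logicalId: string; statement: number; problem: string; }

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Does this ARN reference point at objects ("<bucket-arn>/*") rather than the
// bucket itself? Plain strings are inspected directly; a CDK-emitted
// { "Fn::Join": ["", [ {Fn::GetAtt: [...]}, "/*" ]] } is recognised by its
// trailing literal. Anything else is treated as a bucket ARN.
function isObjectArn(r: ResourceRef): boolean {
  if (typeof r === 'string') return r.endsWith('/*');
  const join = r['Fn::Join'] as [string, unknown[]] | undefined;
  if (!join) return false;
  const last = join[1][join[1].length - 1];
  return typeof last === 'string' && last.endsWith('/*');
}

// Heuristic (assumption): s3:* and *Object* actions are evaluated against
// object ARNs; s3:* and *Bucket* actions (ListBucket, GetBucketPolicy, ...)
// against the bucket ARN.
const needsObjectArn = (a: string) => a === 's3:*' || /Object/i.test(a);
const needsBucketArn = (a: string) => a === 's3:*' || /Bucket/i.test(a);

export function lintBucketPolicies(t: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(t.Resources)) {
    if (res.Type !== 'AWS::S3::BucketPolicy') continue;
    (res.Properties?.PolicyDocument?.Statement ?? []).forEach((s, i) => {
      const report = (problem: string) => findings.push({ logicalId, statement: i, problem });
      const actions = asList(s.Action);
      const resources = asList(s.Resource);
      if (resources.length === 0) {
        // The case in this issue: S3 answers "Statement is missing required element".
        report('no Resource element; S3 rejects the policy with MalformedPolicy at deploy time');
        return;
      }
      const hasObject = resources.some(isObjectArn);
      const hasBucket = resources.some(r => !isObjectArn(r));
      if (actions.some(needsObjectArn) && !hasObject)
        report('object-level actions but no object ARN (bucketArn + "/*"); those grants never match');
      if (actions.some(needsBucketArn) && !hasBucket)
        report('bucket-level actions but no bucket ARN; e.g. s3:ListBucket will be denied');
    });
  }
  return findings;
}

// Constructed sample: one bucket policy carrying the issue's three statements
// plus the form that s3:* actually needs (bucket ARN and object ARN together).
const bucketArn: Intrinsic = { 'Fn::GetAtt': ['BUILDBUCKET7A3B2C1D', 'Arn'] };
const objectArn: Intrinsic = { 'Fn::Join': ['', [bucketArn, '/*']] };
const base = { Effect: 'Allow' as const, Principal: { AWS: 'arn:aws:iam::123456789012:root' }, Action: 's3:*' };

export const sampleTemplate: Template = {
  Resources: {
    BUILDBUCKET7A3B2C1D: { Type: 'AWS::S3::Bucket' },
    BUILDBUCKETPolicyE1F2A3B4: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: { PolicyDocument: { Statement: [
        { ...base },                                   // first snippet: no resources
        { ...base, Resource: bucketArn },              // second snippet: bucket ARN only
        { ...base, Resource: objectArn },              // third snippet: object ARN only
        { ...base, Resource: [bucketArn, objectArn] }, // both: no finding
      ] } },
    },
  },
};

for (const f of lintBucketPolicies(sampleTemplate))
  console.log(`${f.logicalId} statement[${f.statement}]: ${f.problem}`);
```

To use it on a real stack, `JSON.parse` the file `cdk.out/<stack>.template.json` after `cdk synth` and fail the pipeline on any finding; that gives the synth-time error the report asks for without waiting on the deploy. The first finding is the one S3 itself reports; the other two are silent at deploy time and only show up as AccessDenied later, which is why checking ARN shape and not just presence is worth the extra lines.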
Created 4 years ago; 7 comments (5 by maintainers).
Top GitHub Comments
Hello, I've spent hours troubleshooting this until I hit this post, after reading this back and forth (Python CDK).
How about a simple warning implementation until a permanent solution is in place?
Doing this for starters so the end user, through the CDK, can get some sort of hint about what is going on.
Presented during synth (pre/post), informing of requirements for CDK?
Bumping as I also lost some time to this just today.
Seems to me that the expected behavior in this case for S3 buckets is not to error. Instead, if the `resources` block isn't specified, then the method should supply `self.bucketArn + '/*'` itself.