[cli] deploy cannot specify S3 SSE for asset upload
Reproduction Steps
- cdk bootstrap with legacy bootstrap, provide kms key id as param
- have a SCP setup that denies s3:PutObject if s3:x-amz-server-side-encryption is missing
- create a CDK app that provisions a lambda asset
- execute cdk deploy
- deploy fails and receive Access Denied error
What did you expect to happen?
I expect CDK deploy to explicitly use the KMS key I specified in the bootstrap when uploading assets.
What actually happened?
cdk deploy does not provide SSE and the deploy fails with Access Denied.
It appears to be relying on the S3 default encryption instead of specifying the SSE options to the S3 put object request.
Environment
- CLI Version : 1.71.0
- Framework Version:
- Node.js Version: v12.16.1
- OS : Windows 10
- Language (Version): Python 3.8.5
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:24
- Comments:17 (5 by maintainers)
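Why the upload is rejected even though the bucket has default encryption, as an added example (not code from the issue or from the CDK): a simplified evaluator for the kind of SCP the reproduction steps describe, run over two constructed PutObject parameter sets. The policy JSON, bucket name, object key and KMS key id are constructed placeholders, and only the `Null` condition operator is modelled.

```javascript
// Constructed SCP of the kind the issue describes (the issue does not show its policy).
const scp = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'DenyPutWithoutSseHeader',
    Effect: 'Deny',
    Action: 's3:PutObject',
    Resource: '*',
    Condition: { Null: { 's3:x-amz-server-side-encryption': 'true' } },
  }],
};

// Condition keys are filled from the request itself. Bucket default encryption
// is applied by S3 when it stores the object and adds nothing to this context.
function requestContext(putObjectParams) {
  const ctx = {};
  if (putObjectParams.ServerSideEncryption) {
    ctx['s3:x-amz-server-side-encryption'] = putObjectParams.ServerSideEncryption;
  }
  if (putObjectParams.SSEKMSKeyId) {
    ctx['s3:x-amz-server-side-encryption-aws-kms-key-id'] = putObjectParams.SSEKMSKeyId;
  }
  return ctx;
}

// Simplification: only the Null operator is evaluated, not the full IAM logic.
function conditionMatches(condition, ctx) {
  return Object.entries((condition || {}).Null || {}).every(
    ([key, wantAbsent]) => (ctx[key] === undefined) === (wantAbsent === 'true'));
}

function evaluate(policy, action, putObjectParams) {
  const ctx = requestContext(putObjectParams);
  const denied = policy.Statement.some((s) =>
    s.Effect === 'Deny' && s.Action === action && conditionMatches(s.Condition, ctx));
  return denied ? 'AccessDenied' : 'NotDeniedBySCP';
}

// Constructed requests: an upload that sets no SSE parameters (what the issue
// reports), and the same upload with the SSE parameters set explicitly.
const withoutSse = { Bucket: 'example-staging-bucket', Key: 'assets/example.zip' };
const withSse = { ...withoutSse, ServerSideEncryption: 'aws:kms', SSEKMSKeyId: 'EXAMPLE-KEY-ID' };

console.log('no SSE params  ->', evaluate(scp, 's3:PutObject', withoutSse));
console.log('SSE params set ->', evaluate(scp, 's3:PutObject', withSse));
```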
Top GitHub Comments
Adding onto this, this is a strange feature to leave out considering it exists in other AWS-provided tools. This is a fairly common SCP in larger environments.
Are there any plans on adding an argument to cdk deploy to fix this?