Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[cli] deploy cannot specify S3 SSE for asset upload

See original GitHub issue

Reproduction Steps

  1. cdk bootstrap with legacy bootstrap, provide kms key id as param
  2. have a SCP setup that denies s3:PutObject if s3:x-amz-server-side-encryption is missing
  3. create a CDK app that provisions a lambda asset
  4. execute cdk deploy
  5. deploy fails and receive Access Denied error

What did you expect to happen?

i expect CDK deploy to explicitly use the kms key i specified in the bootstrap when uploading assets.

What actually happened?

cdk deploy does not provide SSE and the deploy fails with Access Denied. It appears to be relying on the S3 default encryption instead of specifying the SSE options to the S3 put object request.


  • CLI Version : 1.71.0
  • Framework Version:
  • Node.js Version: v12.16.1
  • OS : Windows 10
  • Language (Version): Python 3.8.5


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:24
  • Comments:17 (5 by maintainers)

github_iconTop GitHub Comments

openfinchcommented, May 24, 2021

Adding onto this, this is a strange feature to leave out considering it exists in other AWS-provided tools. This is a fairly common SCP in larger environments.

cagdas-carboncommented, Sep 30, 2021

Are there any plans on adding an argument to cdk deploy to fix this?

Read more comments on GitHub >

github_iconTop Results From Across the Web

aws-cdk/aws-s3-deployment module - AWS Documentation
IMPORTANT The aws-s3-deployment module is only intended to be used with zip files from trusted sources. Directories bundled by the CDK CLI (by...
Read more >
Troubleshoot IAM-related Access Denied errors in Amazon S3
If the IAM user has the correct permissions to upload to the bucket, then check the following policies for settings that are preventing...
Read more >
ember-cli-deploy-s3 - npm
This plugin uploads one or more files to an Amazon S3 bucket. It could be used to upload the assets (js, css, images...
Read more >
Integrate Amazon AWS S3 with your CircleCI CI/CD pipeline easily with the ... The aws-cli is installed when this parameter is set to...
Read more >
aws_s3_bucket_object | Resources | hashicorp/aws
If you prefer to not have Terraform recreate the object, import the object using aws_s3_object . ... Server Side Encryption with S3 Default...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found