
CloudFront config option to opt-out of updating origin bucket policy when passing OAI


In the AWS console you can choose an option for CloudFront to not update the origin S3 bucket policy with read permissions.

The CDK CloudFront construct tries to update the bucket policy without giving an option to opt out. Here is the related code: https://github.com/aws/aws-cdk/blob/b3abc681b97a385be83c6efd2fe3e6eb57933e77/packages/%40aws-cdk/aws-cloudfront/lib/web_distribution.ts#L702

if (originConfig.s3OriginSource) {
  // first case for backwards compatibility
  if (originConfig.s3OriginSource.originAccessIdentity) {
    // grant CloudFront OriginAccessIdentity read access to S3 bucket
    originConfig.s3OriginSource.s3BucketSource.grantRead(originConfig.s3OriginSource.originAccessIdentity);

    s3OriginConfig = {
      originAccessIdentity:
        `origin-access-identity/cloudfront/${
          originConfig.s3OriginSource.originAccessIdentity.originAccessIdentityName
        }`
    };
  } else {
    s3OriginConfig = {};
  }
}

Use Case

We have a use case where we need to manage the bucket policy specifically for our automation to work properly.

Proposed Solution

Is it possible to pass a flag on the S3OriginConfig interface, something like:

const distributionConfig: CloudFrontWebDistributionProps = {
  webACLId,
  originConfigs: [
    {
      s3OriginSource: {
        s3BucketSource: bucket,
        originAccessIdentity,
        updateBucketPolicy: false // true by default
      },
      behaviors: [{ isDefaultBehavior: true }]
    }
  ],
  aliasConfiguration
};

.......
......
# web_distribution.ts

if (originConfig.s3OriginSource) {
  // first case for backwards compatibility
  if (originConfig.s3OriginSource.originAccessIdentity) {
    // only skip the bucket policy update when the caller explicitly opts out
    // (an undefined flag counts as true, matching the "true by default" above)
    if (originConfig.s3OriginSource.updateBucketPolicy !== false) {
      // grant CloudFront OriginAccessIdentity read access to S3 bucket
      originConfig.s3OriginSource.s3BucketSource.grantRead(originConfig.s3OriginSource.originAccessIdentity);
    }
    ......
  }
}
......

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 4
  • Comments: 14 (4 by maintainers)

Top GitHub Comments

1 reaction
njlynch commented, Dec 15, 2020

@maoosi - A flag, as originally described, could work. I would be willing to accept PRs to that effect.

The other approach I see would be to alter the input into the (CloudFrontWeb)Distribution to prevent the policy from changing. Something like this:

class ImmutablePermissionsBucket extends s3.Bucket {
  public grantRead(identity: iam.IGrantable, _objectsKeyPattern?: any): iam.Grant {
    return iam.Grant.drop(identity, ''); // Silently does nothing.
  }
}
///
s3OriginSource: {
  s3BucketSource: new ImmutablePermissionsBucket(this, 'Bucket', { /* */ }),
  originAccessIdentity,
},
0 reactions
SupaFuture commented, Mar 23, 2022

Note that the newer Distribution construct does not automatically set the bucket policy, so if switching to that is possible then that might solve the problem.

It does in CDK version 2.9.0 in Python.

Alternatively, you can override the bucket PolicyDocument with the add_property_override method of the isolated CfnResource.

For example, I wanted my OAI to access only 2 specific folders of my S3Origin:


    # The imports and the Stack wrapper were not in the original comment; they
    # are added so the snippet runs as a CDK v2 app (the class name is a placeholder).
    from aws_cdk import (
        Stack,
        aws_cloudfront as cloudfront,
        aws_cloudfront_origins as origins,
        aws_iam as iam,
        aws_s3 as s3,
    )
    from constructs import Construct


    class OaiBucketStack(Stack):
        def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
            super().__init__(scope, construct_id, **kwargs)

            bucket = s3.Bucket(self, "s3bucket",
                bucket_name='my-bucket'
            )

            origin_access_identity = cloudfront.OriginAccessIdentity(self, "OAIS3Cloudfront",
                comment="Access S3 from Cloudfront"
            )

            # S3Origin with an OAI calls bucket.grant_read(oai), which is what
            # creates bucket.policy in the first place
            origin = origins.S3Origin(bucket,
                origin_access_identity=origin_access_identity
            )

            distribution = cloudfront.Distribution(self,
                "cloudfront_distribution",
                default_behavior=cloudfront.BehaviorOptions(
                    origin=origin,
                    allowed_methods=cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
                    cached_methods=cloudfront.CachedMethods.CACHE_GET_HEAD_OPTIONS
                )
            )

            # Only s3:GetObject, and only under the two prefixes CloudFront should serve
            new_bucket_policy = iam.PolicyDocument(
                statements=[iam.PolicyStatement(
                    actions=["s3:GetObject"],
                    resources=[bucket.arn_for_objects("static/*"), bucket.arn_for_objects("media/*")],
                    principals=[origin_access_identity.grant_principal]
                )]
            )

            # Replace the generated document on the underlying CfnBucketPolicy (L1 resource)
            cfn_bucket_policy = bucket.policy.node.find_child("Resource")
            cfn_bucket_policy.add_property_override('PolicyDocument', value=new_bucket_policy)
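Whichever route is taken (the opt-out flag from the issue, njlynch's no-op grantRead, or the CfnResource override above), the thing worth verifying afterwards is what the OAI actually ends up allowed to do in the bucket policy. The following is an added example, not code from the aws-cdk project or from anyone on this thread: a small TypeScript audit that walks a bucket policy document and reports every Allow granted to the OAI that is wider than s3:GetObject on the intended prefixes. The two policy documents, the bucket ARN, the OAI ARN and canonical user id are constructed sample values; the first document mimics the broad read grant that bucket.grantRead(oai) emits (s3:GetObject*, s3:GetBucket*, s3:List* on the bucket and on bucket/*), the second the prefix-restricted override from the comment above.

```typescript
// Added example (not aws-cdk code): audit what an Origin Access Identity (OAI)
// is really granted by an S3 bucket policy, compared with the intended prefixes.
// All ARNs, ids and policy documents below are constructed samples.

type Principal = string | { AWS?: string | string[]; CanonicalUser?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument { Version: string; Statement: Statement[] }

// An OAI can appear in a policy either by its IAM-style ARN or by its S3 canonical user id.
interface Oai { arn: string; canonicalUserId: string }

interface Finding { sid: string; action: string; resource: string; reason: string }

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM-style wildcard match: '*' matches any run of characters, everything else is literal.
function iamMatch(pattern: string, value: string): boolean {
  const parts = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

// Does the statement's Principal name this OAI (by ARN or canonical user id)?
function namesOai(principal: Principal, oai: Oai): boolean {
  if (typeof principal === 'string') return principal === oai.arn;
  return asList(principal.AWS).includes(oai.arn) ||
    asList(principal.CanonicalUser).includes(oai.canonicalUserId);
}

// Report each (action, resource) pair granted to the OAI that is not exactly
// s3:GetObject on an object path covered by one of the intended prefixes.
function auditOaiGrants(doc: PolicyDocument, oai: Oai, bucketArn: string, intendedPrefixes: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const st of doc.Statement) {
    if (st.Effect !== 'Allow' || !namesOai(st.Principal, oai)) continue;
    const sid = st.Sid ?? '<no Sid>';
    for (const action of asList(st.Action)) {
      const actionOk = action === 's3:GetObject';
      for (const resource of asList(st.Resource)) {
        const resourceOk = intendedPrefixes.some((p) => iamMatch(`${bucketArn}/${p}`, resource));
        if (actionOk && resourceOk) continue;
        const reasons: string[] = [];
        if (!actionOk) {
          reasons.push(iamMatch(action, 's3:GetObject')
            ? `wildcard action ${action} also matches more than s3:GetObject`
            : `action ${action} is not needed to serve objects`);
        }
        if (!resourceOk) {
          reasons.push(resource === bucketArn
            ? 'bucket-level resource, not an object path'
            : `resource ${resource} is outside the intended prefixes`);
        }
        findings.push({ sid, action, resource, reason: reasons.join('; ') });
      }
    }
  }
  return findings;
}

// Constructed placeholders, not real identifiers.
const BUCKET_ARN = 'arn:aws:s3:::my-bucket';
const OAI: Oai = {
  arn: 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID',
  canonicalUserId: 'EXAMPLECANONICALUSERID',
};

// Mimics what bucket.grantRead(oai) writes: three read action groups on bucket and objects.
const GRANT_READ_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'CdkGrantRead', Effect: 'Allow',
    Principal: { CanonicalUser: OAI.canonicalUserId },
    Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
    Resource: [BUCKET_ARN, `${BUCKET_ARN}/*`],
  }],
};

// The prefix-restricted override: only s3:GetObject under static/ and media/.
const RESTRICTED_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'OaiReadStaticAndMedia', Effect: 'Allow', Principal: { AWS: OAI.arn },
      Action: 's3:GetObject', Resource: [`${BUCKET_ARN}/static/*`, `${BUCKET_ARN}/media/*`] },
    // a grant to some other principal: ignored by the audit
    { Sid: 'DeployRole', Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:role/deploy' },
      Action: 's3:PutObject', Resource: `${BUCKET_ARN}/*` },
  ],
};

const INTENDED = ['static/*', 'media/*'];
console.log(auditOaiGrants(GRANT_READ_POLICY, OAI, BUCKET_ARN, INTENDED)); // 6 findings
console.log(auditOaiGrants(RESTRICTED_POLICY, OAI, BUCKET_ARN, INTENDED)); // []
```

Run it against the synthesized template (`cdk synth`, then pull the PolicyDocument of the AWS::S3::BucketPolicy resource) rather than against the CDK code: the audit checks the artifact that is actually deployed, so it catches the case where a later grant or a construct upgrade quietly widens the OAI's access again. The OAI principal form (ARN or canonical user) varies between CDK versions, which is why the matcher accepts both.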
