
❗ NOTICE: Policy has invalid action (Service: S3, Status Code: 400, #27547

Closed
davekerber opened this issue Oct 14, 2023 · 11 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. management/tracking Issues that track a subject or multiple issues p0

Comments

@davekerber

davekerber commented Oct 14, 2023

Please add your +1 👍 to let us know you have encountered this

Status: RESOLVED

Overview:

An incorrect action was previously added to the policy attached when calling bucket.grantRead based on an incorrect interpretation of an error message. This PR has been reverted and is awaiting release.

Complete Error Message:

Resource handler returned message: "Policy has invalid action (Service: S3, Status Code: 400, ....

Workaround:

Downgrade to 2.100.0 of aws-cdk-lib if encountering this error.

Solution:

The root-cause PR has been reverted and a patch release, v2.101.1, is out.

Related Issues:

#27389
#27564

Original Issue:

s3: Invalid Action Added When Using bucket.grantRead

Describe the bug

With this CDK code:

```typescript
import { Bucket } from "aws-cdk-lib/aws-s3";
import { OriginAccessIdentity } from "aws-cdk-lib/aws-cloudfront";

...

const uiBucket = new Bucket(this, "uiBucket", {...})
const cloudFrontOAI = new OriginAccessIdentity(this, "OAI");
uiBucket.grantRead(cloudFrontOAI.grantPrincipal);
```

When updating from 2.100.0 to 2.101.0 and deploying the same stack I get this output:

```text
IAM Statement Changes
┌───┬────────────────────┬────────┬────────────────────┬────────────────────┬───────────┐
│   │ Resource           │ Effect │ Action             │ Principal          │ Condition │
├───┼────────────────────┼────────┼────────────────────┼────────────────────┼───────────┤
│ - │ ${uiBucket.Arn}    │ Allow  │ s3:GetBucket*      │ CanonicalUser:${OA │           │
│   │ ${uiBucket.Arn}/*  │        │ s3:GetObject*      │ I.S3CanonicalUserI │           │
│   │                    │        │ s3:List*           │ d}                 │           │
├───┼────────────────────┼────────┼────────────────────┼────────────────────┼───────────┤
│ + │ ${uiBucket.Arn}    │ Allow  │ s3:GetBucket*      │ CanonicalUser:${OA │           │
│   │ ${uiBucket.Arn}/*  │        │ s3:GetObject*      │ I.S3CanonicalUserI │           │
│   │                    │        │ s3:HeadObject      │ d}                 │           │
│   │                    │        │ s3:List*           │                    │           │
└───┴────────────────────┴────────┴────────────────────┴────────────────────┴───────────┘
```

Then the deployment fails with the error:

"Policy has invalid action (Service: S3, Status Code: 400,

It looks related to #27389.

I can't find s3:HeadObject in the docs (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) and the console will not let me create a policy with that permission.

Should this have been s3:GetObjectAttributes instead?

Expected Behavior

bucket.grantRead should not add invalid actions to a policy.

Current Behavior

bucket.grantRead adds the invalid action s3:HeadObject to the policy.

Reproduction Steps

```typescript
import { Bucket } from "aws-cdk-lib/aws-s3";
import { OriginAccessIdentity } from "aws-cdk-lib/aws-cloudfront";

...

const uiBucket = new Bucket(this, "uiBucket", {...})
const cloudFrontOAI = new OriginAccessIdentity(this, "OAI");
uiBucket.grantRead(cloudFrontOAI.grantPrincipal);
```

Possible Solution

Perhaps change s3:HeadObject to s3:GetObjectAttributes ?

Additional Information/Context

No response

CDK CLI Version

2.97.0

Framework Version

2.101.0

Node.js Version

18.18.0

OS

Ubuntu

Language

TypeScript

Language Version

5.2.2

Other information

No response
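A pre-deploy lint of the kind that would have caught this, written here as an added example (not aws-cdk code): it checks every Action in a policy document against a known-action list, handling IAM's wildcards and case-insensitive matching. The known-action list is a constructed subset of the S3 entries in the Service Authorization Reference, and the bucket ARN is a placeholder.

```typescript
// Added example, not aws-cdk code: lint a policy document's Action entries
// against a known-action list so an unknown action such as s3:HeadObject is
// caught before `cdk deploy` sends it to S3. Constructed subset of S3 actions
// from the Service Authorization Reference; a real check loads the full list.
const KNOWN_S3_ACTIONS: readonly string[] = [
  "s3:GetObject",
  "s3:GetObjectVersion",
  "s3:GetObjectAttributes",
  "s3:GetBucketLocation",
  "s3:GetBucketPolicy",
  "s3:ListBucket",
  "s3:ListAllMyBuckets",
];

interface Statement { Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

// IAM matches actions case-insensitively and supports `*` and `?` globs.
function actionPattern(action: string): RegExp {
  const escaped = action
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i");
}

// Returns every action that matches nothing in `known`: a literal typo like
// s3:HeadObject, or a wildcard that expands to no real action.
function invalidActions(doc: PolicyDocument, known: readonly string[]): string[] {
  const bad: string[] = [];
  for (const stmt of doc.Statement) {
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    for (const a of actions) {
      const re = actionPattern(a);
      if (!known.some((k) => re.test(k))) bad.push(a);
    }
  }
  return bad;
}

// Constructed sample: the statement the diff in this issue shows for 2.101.0
// (bucket ARN is a placeholder).
const GRANT_READ_2_101_0: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["s3:GetBucket*", "s3:GetObject*", "s3:HeadObject", "s3:List*"],
    Resource: ["arn:aws:s3:::EXAMPLE-BUCKET", "arn:aws:s3:::EXAMPLE-BUCKET/*"],
  }],
};
```

Running it over the synthesized template (for example from `cdk synth` output) fails the build on `s3:HeadObject` while leaving the wildcard entries alone, which is the same signal the S3 API only gives back at deploy time.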

@davekerber davekerber added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 14, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Oct 14, 2023
@davekerber
Author

Also verified this still happens with v2.101.0 of the CDK CLI.

@givsly-stephen

Same here with v2.101.0 of the CDK CLI

@Khoulaiz

related to #27542

@leejh10003

+1 Having the exact same issue

@andresionek91

Same issue here:

Resource handler returned message: "Policy has invalid action (Service: S3, Status Code: 400, ....

@mbeacom
Contributor

mbeacom commented Oct 16, 2023

Reverted in #27556 -- once the next release is published, the error shouldn't persist.

@MrArnoldPalmer MrArnoldPalmer changed the title s3: Invalid Action Added When Using bucket.grantRead Policy has invalid action (Service: S3, Status Code: 400, Oct 16, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Oct 16, 2023
@MrArnoldPalmer MrArnoldPalmer added p0 management/tracking Issues that track a subject or multiple issues and removed needs-triage This issue or PR still needs to be triaged. labels Oct 16, 2023
@MrArnoldPalmer MrArnoldPalmer pinned this issue Oct 16, 2023
@davekerber
Author

@mbeacom thanks!

mergify bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Oct 16, 2023
@plumdog
Contributor

plumdog commented Oct 16, 2023

Glad to see there's a fix.

This has been particularly ugly for me as this seems to break any aws-cdk-lib.pipelines pipeline, due to https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.pipelines-readme.html, "CDK CLI version to use in self-mutation and asset publishing steps." which defaults to "Latest version".

Setting that to 2.100.0 doesn't fix the issue as the pipeline first has to mutate itself, which it is trying to do with npm install -g aws-cdk@2, which at present is 2.101.0, which is broken.

@MrArnoldPalmer
Contributor

MrArnoldPalmer commented Oct 16, 2023

@plumdog yikes... sorry about that. Patch should be out shortly. The cliVersion passed in the pipeline should be used by the install step in self-mutate.

EDIT: Oh but I just realized before it self-mutates, it's defaulting to latest cause you can't update it.... yeah, patch incoming shortly 😢

@plumdog
Contributor

plumdog commented Oct 16, 2023

@MrArnoldPalmer indeed! I was able to mitigate by:

  • setting cliVersion: '2.100.0' and pushing
  • pipeline fails in selfmutate
  • manually doing the self-mutate on the self-mutate step, e.g. changing npm install -g aws-cdk@2 to npm install -g aws-cdk@2.100.0
  • re-running the pipeline

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@MrArnoldPalmer MrArnoldPalmer changed the title Policy has invalid action (Service: S3, Status Code: 400, ❗ NOTICE: Policy has invalid action (Service: S3, Status Code: 400, Oct 23, 2023
@kaizencc kaizencc unpinned this issue Nov 13, 2023