(deploy): (deploying bootstrap stack errors out with The bucket does not allow ACLs CFN error) #27866

Closed
n-tucker opened this issue Nov 7, 2023 · 8 comments
Labels
guidance Question that needs advice or information. package/tools Related to AWS CDK Tools or CLI


n-tucker commented Nov 7, 2023

Describe the bug

We're trying to update the CDK bootstrap stack in one of our AWS accounts and recently we've started seeing the above error when trying to deploy one of the S3 buckets


When I check the template provided here, I can see that this is using the legacy AccessControl property.

I'm not sure if I'm missing something, but I'm confused why this property is still being set if this is causing issues? I'm happy to contribute a fix if this is a problem, but I first wanted to confirm if I'm on the right track! 😄

Expected Behavior

I should be able to update the bootstrap stack without issues

Current Behavior

I receive an error when I try and update the bootstrap stack

Reproduction Steps

Run cdk bootstrap --template cloudformation.yaml

Possible Solution

Removing the AccessControl property, this guide seems to suggest using ObjectOwnership

Additional Information/Context

We do run a custom bootstrap template, however this doesn't touch any of the S3 bucket resources

CDK CLI Version

2.86.0

Framework Version

No response

Node.js Version

18.16.1

OS

Mac Ventura 13.6

Language

TypeScript

Language Version

No response

Other information

No response

@n-tucker n-tucker added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 7, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Nov 7, 2023
Contributor

khushail commented Nov 7, 2023

Hi @n-tucker, thanks for reaching out. As mentioned in the CDK Docs here, it was updated quite a while ago.

By default, Object Ownership is set to the Bucket owner enforced setting and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access to data exclusively using access management policies.

This is the recommended approach now, and the solution you shared is also right. Hope that is helpful!

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. guidance Question that needs advice or information. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Nov 7, 2023
@khushail khushail self-assigned this Nov 7, 2023
Author

n-tucker commented Nov 7, 2023

Thanks for getting back to me! I'm still unsure as to whether the current bootstrap template needs to be updated?

Based on the info provided in your previous comment, it sounds like disabling ACLs in favour of using OwnershipControls is the way forward? However this isn't currently done in the CDK bootstrap template.

Could you confirm if something needs to be changed with the bootstrap template, or if I'm doing something wrong in the bootstrap process?

Contributor

pahud commented Nov 7, 2023

2.86.0

Is there any reason for using 2.86.0, as this has been a while?

I just bootstrapped us-west-2 with the latest CDK CLI and it works with no error.

Contributor

scanlonp commented Nov 7, 2023

Related #27764.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 8, 2023
Author

n-tucker commented Nov 8, 2023

I just tried re-bootstrapping with 2.86.0 and it worked

I'm not sure why the previous errors were appearing, perhaps someone in my team was messing around with something else? I'm happy to close this issue, thanks again for all the help on this! 🙇

@n-tucker n-tucker closed this as completed Nov 8, 2023

@kyleparisi

Based on this thread, I think something did break for the things that were bootstrapped with ACLs. My resolution was to skip the bootstrap command, continue using deploy, in our automation (at the expense of probably my future self) and add the following bucket prop:

objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,

The alternative, I'm guessing, would be to do a destroy/up with the appropriate non-acl settings.
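An added example, not code from this thread or from the CDK project: a TypeScript check that walks a CloudFormation template and lists every AWS::S3::Bucket that still sets the legacy AccessControl property, together with the ObjectOwnership rule it would be deployed under. The sample template and the names findAclBuckets, Finding and sampleTemplate are constructed for illustration; the `review` flag only marks a bucket for a closer look and does not predict whether S3 will reject the ACL.

```typescript
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
interface Finding { logicalId: string; accessControl: string; ownership: string; review: boolean }

// ObjectOwnership values under which bucket ACLs remain enabled.
const ACL_ENABLED = ["ObjectWriter", "BucketOwnerPreferred"];
const DEFAULT_OWNERSHIP = "BucketOwnerEnforced (default)";

function findAclBuckets(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::S3::Bucket") continue;
    const props = res.Properties ?? {};
    if (props.AccessControl === undefined) continue; // legacy ACL property not used
    // Without OwnershipControls the bucket gets the default quoted in the thread:
    // Bucket owner enforced, all ACLs disabled.
    const rules: any[] = props.OwnershipControls?.Rules ?? [];
    const ownership: string = rules[0]?.ObjectOwnership ?? DEFAULT_OWNERSHIP;
    const acl = props.AccessControl;
    findings.push({
      logicalId,
      // AccessControl may be an intrinsic function (object) rather than a string.
      accessControl: typeof acl === "string" ? acl : JSON.stringify(acl),
      ownership,
      review: ACL_ENABLED.indexOf(ownership) === -1,
    });
  }
  return findings;
}

// Constructed sample template (not the real CDK bootstrap template).
const sampleTemplate: Template = {
  Resources: {
    LegacyBucket: { Type: "AWS::S3::Bucket", Properties: { AccessControl: "Private" } },
    ExplicitAclBucket: {
      Type: "AWS::S3::Bucket",
      Properties: {
        AccessControl: "LogDeliveryWrite",
        OwnershipControls: { Rules: [{ ObjectOwnership: "BucketOwnerPreferred" }] },
      },
    },
    EnforcedBucket: {
      Type: "AWS::S3::Bucket",
      Properties: { OwnershipControls: { Rules: [{ ObjectOwnership: "BucketOwnerEnforced" }] } },
    },
    Key: { Type: "AWS::KMS::Key" },
  },
};

for (const f of findAclBuckets(sampleTemplate)) {
  console.log(`${f.logicalId}: AccessControl=${f.accessControl} ownership=${f.ownership} review=${f.review}`);
}
```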


prazian commented Jan 27, 2024

Upgrading from 2.106.0 to 2.124.0 fixed the issue for me.

2.106.0 was the version in the scaffolding code created by the cdk init app --language typescript command (just now) for this new project.
