-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy #29564
Comments
Yes we should do that with either of the suggested solutions. At this moment the CFN is returning 403.
|
…ied 403 (#29632) ### Issue # (if applicable) Closes #29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Same issue here. This is confusing and hard to understand how to fix unless you find this issue. |
…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
So, if you make a new s3 bucket
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.
Expected Behavior
So if you make a new s3 bucket
it will create the s3 bucket with the policy and set the deny public access to false for all 4 options
Current Behavior
Fails with access denied error while creating the bucket and doesn't say that it's because of the policy.
Reproduction Steps
Use the following code changing the bucket name to something unique.
npx cdk deploy app
Possible Solution
A possible solution would be if you use publicReadAccess: true set all blockPublicAccess to false implicitly same if you use the grantPublicAccess() function.
or state in the documentation that you have to set blockPublicAceess to false and give a better error back.
blockPublicAccess: {
blockPublicAcls: false,
blockPublicPolicy: false,
ignorePublicAcls: false,
restrictPublicBuckets:false,
}
Additional Information/Context
No response
CDK CLI Version
2.124
Framework Version
No response
Node.js Version
18
OS
Debian
Language
TypeScript
Language Version
5.3.3
Other information
Current workaround is adding
blockPublicAccess: {
blockPublicAcls: false,
blockPublicPolicy: false,
ignorePublicAcls: false,
restrictPublicBuckets:false,
}
The text was updated successfully, but these errors were encountered: