fix(synthetics): correct getbucketlocation policy (aws#13573)
When using synthetics runtime "syn-nodejs-puppeteer-3.1" the default role calls s3:GetBucketLocation on the artifacts bucket, but the generated policy only granted that action on the object-key pattern (`bucket/prefix/*`), not on the bucket itself, so the call is denied.

The policy should allow for that call directly on the bucket arn.

fixes aws#13572


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
csumpter authored and TikiTDO committed Feb 21, 2022
1 parent d1e1dcf commit 37e99a0
Showing 3 changed files with 82 additions and 29 deletions.
6 changes: 5 additions & 1 deletion packages/@aws-cdk/aws-synthetics/lib/canary.ts
Original file line number Diff line number Diff line change
Expand Up @@ -299,9 +299,13 @@ export class Canary extends cdk.Resource {
resources: ['*'],
actions: ['s3:ListAllMyBuckets'],
}),
new iam.PolicyStatement({
resources: [this.artifactsBucket.bucketArn],
actions: ['s3:GetBucketLocation'],
}),
new iam.PolicyStatement({
resources: [this.artifactsBucket.arnForObjects(`${prefix ? prefix+'/*' : '*'}`)],
actions: ['s3:PutObject', 's3:GetBucketLocation'],
actions: ['s3:PutObject'],
}),
new iam.PolicyStatement({
resources: ['*'],
Expand Down
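Review bot: The new `s3:GetBucketLocation` statement at the top of the hunk carries no comment explaining why it is granted on `this.artifactsBucket.bucketArn` rather than on the `arnForObjects(...)` pattern used for `s3:PutObject` just below it, which is exactly the mistake this commit undoes and the first thing a later cleanup is likely to "simplify" back together; add `// GetBucketLocation is a bucket-level action: grant it on the bucket ARN, not on the object-key pattern.` above the statement. The separate statements also keep the object-level grant scoped to the prefix, so the split should be preserved rather than folded into one statement with both resources. The `s3:ListAllMyBuckets` statement on `'*'` is inherited context rather than new code, but it is the only wildcard resource in this policy; as far as I recall that action does not accept a narrower resource, and a one-line comment saying so would save the next reviewer from flagging it. The enclosing method's signature and the rest of its policy statements lie outside the hunk.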
30 changes: 22 additions & 8 deletions packages/@aws-cdk/aws-synthetics/test/integ.asset.expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyCanaryArtifactsBucket89975E6D",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down Expand Up @@ -197,10 +204,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyCanaryArtifactsBucket89975E6D",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down
75 changes: 55 additions & 20 deletions packages/@aws-cdk/aws-synthetics/test/integ.canary.expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"mytestbucket8DC16178",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down Expand Up @@ -210,10 +217,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyCanaryOneArtifactsBucketDF4A487D",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down Expand Up @@ -424,10 +438,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyCanaryTwoArtifactsBucket79B179B6",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down Expand Up @@ -638,10 +659,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyCanaryThreeArtifactsBucket894E857E",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down Expand Up @@ -852,10 +880,17 @@
"Resource": "*"
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Action": "s3:GetBucketLocation",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyPythonCanaryArtifactsBucket7AE88133",
"Arn"
]
}
},
{
"Action": "s3:PutObject",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
Expand Down
