aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy #29564
Assignees
Labels
@aws-cdk/aws-s3
Related to Amazon S3
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p1
Comments
irobinsonDandH
added
bug
Yes we should do that with either of the suggested solutions. At this moment the CFN is returning 403.
|
pahud
added
p1
effort/medium
1 task
mergify bot
pushed a commit
that referenced
this issue
May 28, 2024
…ied 403 (#29632) ### Issue # (if applicable) Closes #29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
atanaspam
pushed a commit
to atanaspam/aws-cdk
that referenced
this issue
Jun 3, 2024
…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Same issue here. This is confusing and hard to understand how to fix unless you find this issue. |
vdahlberg
pushed a commit
to vdahlberg/aws-cdk
that referenced
this issue
Jun 10, 2024
…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the bug
So, if you make a new s3 bucket
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.
Expected Behavior
So if you make a new s3 bucket
it will create the s3 bucket with the policy and set the deny public access to false for all 4 options
Current Behavior
Fails with access denied error while creating the bucket and doesn't say that it's because of the policy.
Reproduction Steps
Use the following code changing the bucket name to something unique.
npx cdk deploy app
Possible Solution
A possible solution would be if you use publicReadAccess: true set all blockPublicAccess to false implicitly same if you use the grantPublicAccess() function.
or state in the documentation that you have to set blockPublicAceess to false and give a better error back.
blockPublicAccess: {
blockPublicAcls: false,
blockPublicPolicy: false,
ignorePublicAcls: false,
restrictPublicBuckets:false,
}
Additional Information/Context
No response
CDK CLI Version
2.124
Framework Version
No response
Node.js Version
18
OS
Debian
Language
TypeScript
Language Version
5.3.3
Other information
Current workaround is adding
blockPublicAccess: {
blockPublicAcls: false,
blockPublicPolicy: false,
ignorePublicAcls: false,
restrictPublicBuckets:false,
}
The text was updated successfully, but these errors were encountered: