Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-cdk-lib/aws_s3: bucket.grantReadWrite missing PutObject* actions #18669

Closed
shishkin opened this issue Jan 26, 2022 · 12 comments
Closed

aws-cdk-lib/aws_s3: bucket.grantReadWrite missing PutObject* actions #18669

shishkin opened this issue Jan 26, 2022 · 12 comments
Assignees
@peterwoodworth
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@shishkin
Copy link

What is the problem?

bucket.grantReadWrite(lambda) misses additional PutObject* actions, probably PutObjectTagging or PutObjectAcl. Issue is fixed by manually adding * after PutObject in the policy actions list.

Reproduction Steps

  1. create bucket with CDK
  2. create lambda with CDK
  3. call bucket.grantReadWrite(lambda) with CDK
  4. deploy
  5. invoke lambda that does PutObject with tags

What did you expect to happen?

If I grant lambda read and write I expect it to be able to write objects into S3

What actually happened?

AccessDenied from S3

CDK CLI Version

2.8.0

Framework Version

No response

Node.js Version

14

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response
@shishkin shishkin added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2022
@daniel-gato
Copy link

Having the same issue.

Updated from @aws-cdk/core: 1.138.0 to aws-cdk-lib: 2.7.0 and this used to work:

new s3deploy.BucketDeployment(this, 'DeployDemoTxtFiles', {
  sources: [s3deploy.Source.asset('./src/deployments/demo/')],
  exclude: ['*'],
  include: ['*.txt'],
  destinationKeyPrefix: 'public/demo/',
  destinationBucket: bucket,
  accessControl: 'PublicRead',
  contentType: 'plain/text',
});

Now we get “access denied” during deployment. Cloudwatch logs show the Lambda function does not have PutObject rights.

@peterwoodworth peterwoodworth changed the title aws-cdk-lib/aws_s3: short issue description aws-cdk-lib/aws_s3: short issue description Jan 26, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jan 26, 2022
@shishkin shishkin changed the title aws-cdk-lib/aws_s3: short issue description aws-cdk-lib/aws_s3: bucket.grantReadWrite missing PutObject* actions Jan 26, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Jan 26, 2022
@shishkin
Copy link
Author

Apparently this is partially intentional that grantReadWrite doesn't allow all PutObject* actions: https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/bucket.ts#L232-L243.

Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts.

But there are few more PutObject* actions besides PutObjectAcl that were removed: https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html#amazons3-actions-as-permissions.

And AWS IAM being a horrible trial-and-error mess, it's hard to figure out in advance what policy each API call needs :(

@peterwoodworth
Copy link
Contributor

peterwoodworth commented Jan 26, 2022
edited
Loading

This merge is likely the source of the error: #12391

The change in functionality should only be seen in newly created CDK projects, since the feature is gated behind a feature flag

aws-cdk/packages/@aws-cdk/cx-api/lib/features.ts

Lines 83 to 90 in 9940952

/**
* Change the old 's3:PutObject*' permission to 's3:PutObject' on Bucket,
* as the former includes 's3:PutObjectAcl',
* which could be used to grant read/write object access to IAM principals in other accounts.
* Use a feature flag to make sure existing customers who might be relying
* on the overly-broad permissions are not broken.
*/
export const S3_GRANT_WRITE_WITHOUT_ACL = '@aws-cdk/aws-s3:grantWriteWithoutAcl';

@shishkin @daniel-gato you're likely seeing the error since you've migrated to V2 which has all feature flags enabled by default. Specifically include this feature flag to disable it 🙂

@peterwoodworth peterwoodworth added guidance Question that needs advice or information. and removed @aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2022
@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. needs-reproduction This issue needs reproduction. labels Jan 26, 2022
@shishkin
Copy link
Author

shishkin commented Jan 26, 2022
edited
Loading

@peterwoodworth Thanks for pointing to the culprit, I think you're right. Just to mention that PutObjectAcl is not the only removed action. Another relevant action is PutObjectTagging. This is my lambda code that fails with AccessDenied:

  await s3.send(
    new PutObjectCommand({
      Bucket: BUCKET,
      Key: `path/to/some/file.html`,
      Tagging: new URLSearchParams({
        foo: "bar",
      }).toString(),
      ContentType: "text/html; charset=UTF-8",
      Body: html,
    })
  );

@peterwoodworth peterwoodworth added bug This issue is a bug. and removed guidance Question that needs advice or information. labels Jan 26, 2022
@peterwoodworth
Copy link
Contributor

PutObjectAcl was intentionally removed as it can potentially lead to granting unwanted permissions to individual objects. So the user will have to go out of their way to re-enable this

As for PutObjectTagging, I don't think there's a problem with that. Should be a pretty easy PR 🙂

@peterwoodworth peterwoodworth removed the needs-reproduction This issue needs reproduction. label Jan 26, 2022
@peterwoodworth
Copy link
Contributor

Looks like that's already been done actually - #18494 specifically includes PutObjectTagging

Is there anything else regarding this you need help with?

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jan 26, 2022
@shishkin
Copy link
Author

Very cool! Look forward for this to be released 😀

@peterwoodworth
Copy link
Contributor

I'd expect the next release by the end of next week 🙂

@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@daniel-gato
Copy link

@peterwoodworth Ok, thank you for the clarification. I'm very new to CDK, when you say Specifically include this feature flag to disable it 🙂: I'm not sure what to add where here. Are we speaking about the lags from your link?

@daniel-gato
Copy link

daniel-gato commented Jan 27, 2022
edited
Loading

I tried to add the flag: "@aws-cdk/aws-s3:grantWriteWithoutAcl": false and I get Error: Unsupported feature flag '@aws-cdk/aws-s3:grantWriteWithoutAcl'. This flag existed on CDKv1 but has been removed in CDKv2. CDK will now behave as the same as when the flag is enabled.

Edit, while digging in the the code of my node_modules I can see this:

    /**
     * Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
     *
     * If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl' feature flag set,
     * calling {@link grantWrite} or {@link grantReadWrite} no longer grants permissions to modify the ACLs of the objects;
     * in this case, if you need to modify object ACLs, call this method explicitly.
     *
     * @param identity The principal.
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*').
     * @stability stable
     */
    grantPutAcl(identity: iam.IGrantable, objectsKeyPattern?: string): iam.Grant;

The only sure I'm not sure now is how to retrieve the principal of the BucketDeployment to pass it to this function on my bucket.

@peterwoodworth
Copy link
Contributor

@daniel-gato I'm sorry, I hadn't realized that the feature flags in v2 are only the specific ones documented in this link, and no other feature flags are toggleable. My mistake!

Under the hood, the BucketDeployment construct creates both a lambda function and a custom resource. Both of which are written by the CDK team. So, this construct works fine for me normally on the current version. Maybe you're getting the error from somewhere else? What other infrastructure do you have in your code?

@Aarbel Aarbel mentioned this issue Jul 3, 2023
Open
@0xdevalias 0xdevalias mentioned this issue Jul 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peterwoodworth peterwoodworth

Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@shishkin @otaviomacedo @daniel-gato @kaizencc @peterwoodworth