
(aws-s3): grantWrite generates s3:PutObject* (globbed) action instead of an enumeration of s3:PutObject actions #22146

Closed
raginjason opened this issue Sep 20, 2022 · 4 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3

Comments

@raginjason

Describe the bug

It appears that v1.141.0/v2.10.0 introduced the following change:

  • s3: add missing safe actions to grantWrite, grantReadWrite and grantPut methods (#18494) (940d043), closes #13616

However, this does not seem to actually apply to any release in CDKv1.

Expected Behavior

cdk synth to output enumerated s3:PutObject actions. Expected output would be something like this:

  FnServiceRoleDefaultPolicyC6A839BF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
              - s3:Abort*
            Effect: Allow
            Resource:
  ...

Current Behavior

cdk synth outputs globbed s3:PutObject* actions:

  FnServiceRoleDefaultPolicyC6A839BF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:DeleteObject*
              - s3:PutObject*
              - s3:Abort*
            Effect: Allow
            Resource:
  ...

I tested this against v1.140, v1.141 and v1.173; all generated templates look the same as above.

Reproduction Steps

Execute cdk synth | grep -A 10 '^[ ]\+FnServiceRoleDefaultPolicy' with the following app.py:

from aws_cdk import aws_s3 as s3
from aws_cdk import aws_lambda as lambda_
from aws_cdk.core import Construct, App, Stack


class TestStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        bucket = s3.Bucket(
            self,
            "Bucket",
        )

        fn = lambda_.Function(
            self,
            "Fn",
            code=lambda_.Code.from_inline("import sys"),
            runtime=lambda_.Runtime.PYTHON_3_9,
            handler="main",
        )

        bucket.grant_write(fn)


app = App()
TestStack(app, "Test")

app.synth()

This outputs the following globbed s3:PutObject* action instead of the various enumerated s3:PutObject actions mentioned in #18494:

  FnServiceRoleDefaultPolicyC6A839BF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:DeleteObject*
              - s3:PutObject*
              - s3:Abort*
            Effect: Allow
            Resource:
...

Possible Solution

No response

Additional Information/Context

This was discovered in the process of migrating our codebase from CDKv1 to CDKv2. Along the way, this generated a cdk diff with many changes like the following:

            [-]   "s3:PutObject*",
            [+]   "s3:PutObject",
            [+]   "s3:PutObjectLegalHold",
            [+]   "s3:PutObjectRetention",
            [+]   "s3:PutObjectTagging",
            [+]   "s3:PutObjectVersionTagging",

CDK CLI Version

1.173.0

Framework Version

No response

Node.js Version

v14.17.6

OS

macOS Monterey 12.6

Language

Python

Language Version

Python 3.9.6

Other information

For completeness, I also tested this with v2.0.0, v2.9.0, and v2.10.0. app.py:

from aws_cdk import aws_s3 as s3
from aws_cdk import aws_lambda as lambda_
from constructs import Construct
from aws_cdk import App, Stack


class TestStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        bucket = s3.Bucket(
            self,
            "Bucket",
        )

        fn = lambda_.Function(
            self,
            "Fn",
            code=lambda_.Code.from_inline("import sys"),
            runtime=lambda_.Runtime.PYTHON_3_9,
            handler="main",
        )

        bucket.grant_write(fn)


app = App()
TestStack(app, "Test")

app.synth()

v2.0.0 and v2.9.0 output the following:

  FnServiceRoleDefaultPolicyC6A839BF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:DeleteObject*
              - s3:PutObject
              - s3:Abort*
            Effect: Allow
            Resource:
...

v2.10.0 outputs the following:

  FnServiceRoleDefaultPolicyC6A839BF:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - s3:DeleteObject*
              - s3:PutObject
              - s3:PutObjectLegalHold
              - s3:PutObjectRetention
              - s3:PutObjectTagging
              - s3:PutObjectVersionTagging
              - s3:Abort*
            Effect: Allow
            Resource:
...

The above is consistent with what I would expect from the changelog, so this appears to be a CDKv1 issue.

@raginjason raginjason added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 20, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Sep 20, 2022
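The report's point is a least-privilege one: the glob s3:PutObject* also matches the object-ACL actions s3:PutObjectAcl and s3:PutObjectVersionAcl, which the enumerated list in the v2.10.0 output does not include. As an added example that is not part of the original report or of CDK itself, the check below lints a synthesized template for Allow statements whose action pattern covers those ACL actions, so the globbed form can be caught in CI; the template is a constructed sample shaped like the FnServiceRoleDefaultPolicy resource above, and the names policy_template, iam_matches and find_acl_grants are assumptions.

```python
import fnmatch

# Object-ACL actions that the glob s3:PutObject* also matches but the
# enumerated grant_write list shown in the report leaves out.
ACL_ACTIONS = ("s3:PutObjectAcl", "s3:PutObjectVersionAcl")


def policy_template(actions):
    """Constructed sample shaped like the FnServiceRoleDefaultPolicy resource
    in the report: one Allow statement inside an AWS::IAM::Policy."""
    statement = {"Action": actions, "Effect": "Allow", "Resource": "*"}
    return {"Resources": {"FnServiceRoleDefaultPolicyC6A839BF": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [statement]}}}}}


# The two shapes the report shows: CDKv1 (globbed) and v2.10.0 (enumerated).
GLOBBED = policy_template(["s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"])
ENUMERATED = policy_template([
    "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold",
    "s3:PutObjectRetention", "s3:PutObjectTagging",
    "s3:PutObjectVersionTagging", "s3:Abort*"])


def iam_matches(action, pattern):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_acl_grants(template):
    """Return (logical_id, pattern, acl_action) for every Allow statement in
    an IAM policy resource whose action pattern covers an object-ACL action."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            if isinstance(actions, str):  # Action may be a bare string
                actions = [actions]
            for pattern in actions:
                for acl in ACL_ACTIONS:
                    if iam_matches(acl, pattern):
                        hits.append((logical_id, pattern, acl))
    return hits


if __name__ == "__main__":
    for name, tpl in (("globbed", GLOBBED), ("enumerated", ENUMERATED)):
        print(name, find_acl_grants(tpl))
```

Run it against the JSON that cdk synth writes to cdk.out for the stack (json.load the template and pass it to find_acl_grants) to fail the build whenever the globbed form reappears.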
@peterwoodworth
Contributor

Thanks for reporting this @raginjason,

However, I'm not able to reproduce your findings. If I toggle between v1.140.0 and v1.141.0 I can see the expected difference in the Policy.

Our version tags also show the difference (v1.141.0, v1.140.0). I suspect you may have had some strange issues in your environment when migrating between different v1 versions which prevented you from seeing this change.

@peterwoodworth peterwoodworth added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Sep 20, 2022
@raginjason
Author

@peterwoodworth that's very odd, as I did this in a brand new environment:

python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install --upgrade pip
pip install -qq aws_cdk.aws_s3==1.141.0 aws_cdk.aws_lambda==1.141.0
npx cdk@1.141.0 synth | grep -A 10 '^[ ]\+FnServiceRoleDefaultPolicy'

This outputs the globbed s3:PutObject* action, not the various enumerated PutObject values.

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 21, 2022
@peterwoodworth
Contributor

That's interesting, I'm still not able to reproduce this. Given this, and the fact that v1 is in maintenance mode, I'll be closing this issue out. Thanks again for reporting!

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
