(s3): missing actions in grantWrite for multipart uploads #26185

Closed
Wurstnase opened this issue Jun 30, 2023 · 4 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 closing-soon This issue will automatically close in 4 days unless further comments are made. feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@Wurstnase
Contributor

Describe the bug

Multipart uploads are not possible with bucket.grantWrite(grantable).

Expected Behavior

grantWrite should add the following actions to allow multipart uploads:

"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject"

Current Behavior

grantWrite adds the following actions to a grantable:

"s3:Abort*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"

Reproduction Steps

from aws_cdk import App
from aws_cdk import Environment
from aws_cdk import Stack
from aws_cdk import aws_iam as iam
from aws_cdk import aws_s3 as s3
from constructs import Construct


class Example(Stack):
    def __init__(
        self,
        scope: Construct,
        id: str,
        **kwargs,
    ) -> None:
        super().__init__(scope, id, **kwargs)

        bucket = s3.Bucket.from_bucket_name(self, "Bucket", bucket_name="foobar")
        role = iam.Role(self, "Role", assumed_by=iam.AnyPrincipal())

        bucket.grant_write(role)

app = App()
Example(app, "Example", env=Environment(region="us-east-1"))
app.synth()

Template

Metadata removed.

{
 "Resources": {
  "Role1ABCC5F0": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "AWS": "*"
       }
      }
     ],
     "Version": "2012-10-17"
    }
   }
  },
  "RoleDefaultPolicy5FFB7DAB": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "s3:Abort*",
        "s3:DeleteObject*",
        "s3:PutObject",
        "s3:PutObjectLegalHold",
        "s3:PutObjectRetention",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
       ],
       "Effect": "Allow",
       "Resource": [
        "arn:aws:s3:::foobar",
        "arn:aws:s3:::foobar/*"
       ]
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "RoleDefaultPolicy5FFB7DAB",
    "Roles": [
     {
      "Ref": "Role1ABCC5F0"
     }
    ]
   }
  }
 }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.85.0

Framework Version

2.85.0

Node.js Version

OS

Language

Python

Language Version

Python (3.10.12)

Other information

No response

@Wurstnase Wurstnase added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 30, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Jun 30, 2023
@peterwoodworth
Contributor

grantWrite should add the following actions to allow multipart uploads:

"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutObject"

Like you said, it grants PutObject and Abort* already, so two of these are already covered. The others aren't writing operations, so they shouldn't be granted with grantWrite(). You can grant these other actions with grantRead(), or just use grantReadWrite().

@peterwoodworth peterwoodworth added feature-request A feature should be added or improved. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 30, 2023
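To make the coverage argument above checkable rather than eyeballed, here is a small added script (not part of the issue or of aws-cdk) that applies IAM-style wildcard matching to the action list grantWrite() produced in the template quoted in this issue and reports which of the multipart-upload actions are still missing. It can also read a synthesized `cdk.out/*.template.json` file; it looks only at Allow statements of `AWS::IAM::Policy` resources and ignores Deny statements, conditions and Resource scoping, so treat a "covered" result as necessary, not sufficient.

```python
import re

# Actions that grantWrite() attached to the role in the template quoted above.
GRANT_WRITE_ACTIONS = [
    "s3:Abort*", "s3:DeleteObject*", "s3:PutObject", "s3:PutObjectLegalHold",
    "s3:PutObjectRetention", "s3:PutObjectTagging", "s3:PutObjectVersionTagging",
]

# Actions the issue says a multipart upload needs.
MULTIPART_UPLOAD_ACTIONS = [
    "s3:AbortMultipartUpload", "s3:GetObject", "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts", "s3:PutObject",
]


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style Action matching: '*' is any run of characters, '?' a single
    character, everything else literal; the comparison is case-insensitive."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), action, re.IGNORECASE) is not None


def allowed_actions(template: dict) -> list:
    """Every Action from Allow statements of AWS::IAM::Policy resources in a
    synthesized CloudFormation template (already parsed into a dict).
    Deny statements, Conditions and Resource constraints are not evaluated."""
    found = []
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        for stmt in res["Properties"]["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            action = stmt.get("Action", [])
            found.extend([action] if isinstance(action, str) else action)
    return found


def coverage(required, allowed) -> dict:
    """Map each required action to the first allowed pattern granting it, or None."""
    return {a: next((p for p in allowed if action_matches(p, a)), None) for a in required}


def missing_actions(required, allowed) -> list:
    return [a for a, p in coverage(required, allowed).items() if p is None]


if __name__ == "__main__":
    import json, sys
    # Usage: python check.py [cdk.out/Example.template.json]; without an argument
    # the grantWrite() action list from this issue is checked.
    allowed = allowed_actions(json.load(open(sys.argv[1]))) if len(sys.argv) > 1 else GRANT_WRITE_ACTIONS
    for action, pattern in coverage(MULTIPART_UPLOAD_ACTIONS, allowed).items():
        print(f"{action:35} {'via ' + pattern if pattern else 'MISSING'}")
```

Run without arguments it reports s3:AbortMultipartUpload as covered via s3:Abort* and s3:PutObject as covered exactly, leaving s3:GetObject and the two List actions missing, which is the split described in the comment above.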
@github-actions

github-actions bot commented Jul 3, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jul 3, 2023
@github-actions

github-actions bot commented Jul 3, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@Wurstnase
Contributor Author

Sounds reasonable. Thanks.
