New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
S3 Bucket Policy Changes Not Recognized As A Change on CDK Deploy #6548
Comments
Hi @bensoer This is actually the desired behavior. Imported/Existing resources are not strictly speaking a part of the CloudFormation stack. Notice that if you simply do: s3.Bucket.fromBucketName(this, 'MyPreExistingBucket-Lookup-ID',
"mypreexistingbucket"); you will get an empty stack. Existing resources can be used for referencing by other stack resources, but they cannot be mutated. Since this might break its previous, unmanaged consumers. Having said that, we acknowledge the use case for this, and actually CloudFormation have added support for explicitly importing existing resources, but this isn't yet supported in the CDK. There are ways around this, like using the AwsCustomResource construct. We encourage you to open a feature request that details your use case :) |
If i am not mistaken, the ressource mutation fails silently. IMHO this should trigger en error message |
@BenoitDel You're right. Actually, the correct behavior would be to not even expose the However, i want to make a small correction to a statement i previously made:
Thats not always the case, it actually depends on CloudFormation capabilities, but in principal, CDK does not enforce this (i.e, some imported resources can be updated). So in reality, we should either properly support this scenario (in which case, this is just a bug), or, if this scenario is not supported, we should hide the Thanks for reporting this, we will take a look. |
Remember that a This will become even more important, as we move to our improved |
@skinny85 Do you think it makes sense to specifically have |
Yes. Not sure what you mean by "it always returns
|
@skinny85 Notice that the full code reads: aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts Lines 452 to 462 in 745922a
When the bucket is an aws-cdk/packages/@aws-cdk/aws-s3/lib/bucket.ts Lines 1155 to 1156 in 745922a
So we end up here:
|
That is true that today, but might not be in the future. For example, we might have a a |
just experienced this issue. An error would be nice as cdk fails silently :( |
The silent failure made this issue difficult to identify, so +1 on that. There does seem to be a workaround for this specific goal assuming you want to CREATE a new bucket policy on an existing bucket and don't mind overwriting a bucket policy that already exists.
However, there seems to be a different resource type named
Disclaimer, I'm not sure how |
It's perfectly valid and safe to use. Though in this case const bucketPolicy = new BucketPolicy(this, 'cloudfrontAccessBucketPolicy', {
bucket: existingBucket,
})
bucketPolicy.document.addStatements(...) |
would love it if anyone can share a workaround that doesn't overwrite the bucket policy of the imported bucket. @ajhool's snippet works great apart from overwriting the existing policy (as they point out). Is there any way to get the existing policies on an imported bucket? |
Yup, this also applies to imported KMS keys. I'm trying to grand a lambda function in Stack B permissions to decrypt a key on a bucket (both in Stack A) by importing the key from A into B and adding to the resource policy. But when printing a response I always get Changing the allow/deny on the resource policy has no effect (CDK reports no changes) so yes, this silent failing is quite hard to notice and rather annoying. |
I was in what can best be described as psychic pain trying to get this working: having problems with CloudFront OAI to S3 restricted. The silently failing bit tripped me up for a while. Finally, noticed the failure to apply the policy response. When I found this thread. I was all prepared to implement the @ajhool recommendation when I scrolled a bit further and saw the @iliapolo comment. It worked like a charm. Here's some code if anyone needs it: const oai = new cloudfront.OriginAccessIdentity(this, "cf-oai", {
comment: `Cloudfront to reach ${bucketName}`,
});
const policyStatement = new iam.PolicyStatement({
actions: [ 's3:GetObject' ],
resources: [ this.bucket.arnForObjects("*") ],
principals: [ oai.grantPrincipal ],
});
const bucketPolicy = new s3.BucketPolicy(this, 'cloudfrontAccessBucketPolicy', {
bucket: bucket,
})
bucketPolicy.document.addStatements(policyStatement); |
|
I'm kinda facing similar issue. Is there a way to append the statements to existing policy in the existing bucket? The solutions discussed here just overwrites the whole bucket policy. |
To anyone running into an Access Denied permissions error trying to hit their s3 bucket via Cloudfront using this fix, make sure pass in the origin access identity to which you granted bucket permissions to your S3 origin: const oai = new cloudfront.OriginAccessIdentity(this, "cf-oai", {
comment: `Cloudfront to reach ${bucketName}`,
});
...
const myS3Origin = new origins.S3Origin(myBucket, {
originAccessIdentity: oai,
}); |
@iliapolo - I was having a new issue, the stack was failing saying a policy already exists - new workarounds..?
|
@otaviomacedo Thanks for the docs! But I'm not sure the linked issue should count to close this issue – having to check for a success value isn't very ergonomic and isn't obvious to an end user. (Obviously we should RTFM but as far as I know, checking for success isn't a pattern that is generally accepted or useful in CDK; we want things to yell at us if they aren't applied.) |
As @asri6725 said a year ago, it is still throwing "policy already exists" error. Any new workarounds? I am about to attempt to use a custom resource to update the policy... But it's quite frustrating having to use a lambda & custom code just to do it 🤡 🤷♂️ |
Does this still work? I tried codeedog's example and I get no error, but bucketpolicy has not been applied to bucket defined in frombucketname import and otherwise set similarly to what codeedog has. Different policies, but it should throw error if policy is incorrect rather than silently not do anything? I am also wondering if there is reason why addStatements is in plural form if it only accepts one item? |
When making changes to a bucket policy from a pre-existing bucket, applying changes to its Policy are not applied. The CDK seems to act as if no changes are needed
Reproduction Steps
Note that I have changed the names of things in this example to simplify and avoid disclosing
Adding the following code to my application to edit a pre-existing bucket's bucket policy so that other resources may get to it which may or may not have been created with the CDK
Then deploy with the CDK:
cdk -i --region us-east-1 --app 'npx --quiet ts-node app.ts' deploy --profile datascience
Error Log
Error message is not an error but a false positive in that there are no changes needing to be applied, when there are. Checking the account as well shows no updates in the cloud formation templates and the Bucket Policy not being applied to the Bucket
Environment
Other
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: