Unable to create S3 buckets after the new S3 defaults #1723
Comments
try this:

```diff
- acl: private
+ objectOwnership: BucketOwnerEnforced
```

You actually cannot even create a bucket currently without one of the publicAccessBlockConfiguration settings set to true, which is not in line with the AWS API.
Most regions have disabled ACLs for new buckets. Update examples to code that works out of the box. Setting BucketOwnerEnforced will disable ACLs explicitly.

Updates crossplane-contrib#1723

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

@tcd156 do you have an example with full YAML? I can't reproduce that.

I'm on 0.38.0, not latest if that change has been included, but literally any bucket with publicAccessBlockConfiguration with all of them being false. If you set all values as false, you get an error: "Must provide at least one configuration"
```yaml
publicAccessBlockConfiguration:
  blockPublicPolicy: false
  blockPublicAcls: false
  ignorePublicAcls: false
  restrictPublicBuckets: false
```

@tcd156 Right, I think that's the behaviour for the AWS API; could you please try removing this block instead of all of them being false? Is this a change? You can argue that provider-aws should "do what you mean" and delete any public access block config if all values are set to false; AWS at least decided to error out instead in this case, so crossplane just mirrors the AWS behaviour. However, I think if you have a patch for allowing the user to toggle

Buckets default to no public access, so that has the opposite of the intended effect and blocks access.
I think there are a few different issues here:

So if a user does `publicAccessBlockConfiguration: {}` or `publicAccessBlockConfiguration: null`, provider-aws will currently late-init the field instead of deleting the public access block configuration (opening the bucket). So, to preserve the current behaviour, I believe we would have to special-case handle this:

```yaml
publicAccessBlockConfiguration:
  blockPublicPolicy: false
  blockPublicAcls: false
  ignorePublicAcls: false
  restrictPublicBuckets: false
```

to trigger DeletePublicAccessBlock. But this is not 100% in line with the AWS API.

Running into this as well; it currently makes it impossible to create/manage public S3 buckets.
Due to a combination of issues:

* late-init not allowing explicit "null"
* AWS recently introduced a change which adds a publicAccessBlockConfiguration by default
* AWS rejects an all-false publicAccessBlockConfiguration

it is not possible to create new public buckets with provider-aws at the moment. This change allows this by sending DELETE when the user creates an all-false publicAccessBlockConfiguration:

```yaml
apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: test-bucket
  annotations:
    crossplane.io/external-name: bucket-1234-hello
spec:
  forProvider:
    objectOwnership: BucketOwnerEnforced
    locationConstraint: us-east-1
    publicAccessBlockConfiguration:
      blockPublicPolicy: false
      blockPublicAcls: false
      ignorePublicAcls: false
      restrictPublicBuckets: false
  providerConfigRef:
    name: example
```

This is required as `publicAccessBlockConfiguration: null` and `publicAccessBlockConfiguration: {}` will trigger late-init.

Fixes #1723

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
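The thread describes three ways a Bucket manifest can fail under the new S3 defaults: an `acl` that PutBucketAcl can no longer apply once Object Ownership is BucketOwnerEnforced, an empty or null `publicAccessBlockConfiguration` that provider-aws late-initialises instead of clearing, and an all-false block that the AWS API rejects (and that the fix above turns into a DeletePublicAccessBlock call). The script below is an added example, not code from provider-aws or from anyone in this thread: `lint_bucket_spec` and its finding codes are constructed here to flag those cases in a manifest before it is applied, and the two sample manifests are built from the YAML in the comments (held as plain dicts so no YAML parser is needed).

```python
"""Lint a Crossplane provider-aws Bucket manifest for the failure modes
discussed in issue #1723: ACL operations that fail once Object Ownership
defaults to BucketOwnerEnforced, and publicAccessBlockConfiguration values
that AWS rejects or that provider-aws late-initialises instead of clearing.

Constructed example: `lint_bucket_spec` and the finding codes are not part
of provider-aws. Manifests are plain dicts (parsed YAML) so this runs offline.
"""
from __future__ import annotations

from typing import Any

PAB_KEYS = (
    "blockPublicPolicy",
    "blockPublicAcls",
    "ignorePublicAcls",
    "restrictPublicBuckets",
)

# Constructed manifest mirroring the post-fix public bucket from the commit.
FIXED_PUBLIC_BUCKET: dict[str, Any] = {
    "apiVersion": "s3.aws.crossplane.io/v1beta1",
    "kind": "Bucket",
    "metadata": {"name": "test-bucket"},
    "spec": {
        "forProvider": {
            "objectOwnership": "BucketOwnerEnforced",
            "locationConstraint": "us-east-1",
            "publicAccessBlockConfiguration": {k: False for k in PAB_KEYS},
        },
        "providerConfigRef": {"name": "example"},
    },
}

# Constructed manifest in the pre-fix style that still relies on a canned ACL.
LEGACY_ACL_BUCKET: dict[str, Any] = {
    "apiVersion": "s3.aws.crossplane.io/v1beta1",
    "kind": "Bucket",
    "metadata": {"name": "legacy-bucket"},
    "spec": {"forProvider": {"acl": "private", "locationConstraint": "us-east-2"}},
}


def lint_bucket_spec(manifest: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (code, message) findings for manifest['spec']['forProvider'].

    An empty list means none of the failure modes from the thread apply.
    """
    fp = manifest.get("spec", {}).get("forProvider", {})
    findings: list[tuple[str, str]] = []

    acl = fp.get("acl")
    ownership = fp.get("objectOwnership")
    if acl is not None:
        if ownership == "BucketOwnerEnforced":
            findings.append(("ACL_DISABLED_BY_OWNERSHIP",
                             f"acl '{acl}' is set but BucketOwnerEnforced disables ACLs, "
                             "so PutBucketAcl will be rejected"))
        elif ownership is None:
            findings.append(("ACL_WITH_DEFAULT_OWNERSHIP",
                             f"acl '{acl}' relies on ACLs, but new buckets default to "
                             "BucketOwnerEnforced; set objectOwnership explicitly or drop acl"))

    if "publicAccessBlockConfiguration" in fp:
        pab = fp["publicAccessBlockConfiguration"]
        if not pab:  # {} or null: provider-aws late-inits the AWS default block
            findings.append(("PAB_EMPTY_LATE_INIT",
                             "empty/null publicAccessBlockConfiguration is late-initialised "
                             "from AWS, not cleared; the default block stays in place"))
        elif all(pab.get(k) is False for k in PAB_KEYS):
            # AWS rejects this directly; provider-aws with the #1723 fix sends
            # DeletePublicAccessBlock instead, which removes the public-access guard rail.
            findings.append(("PAB_ALL_FALSE",
                             "all-false publicAccessBlockConfiguration: AWS rejects it "
                             "('Must provide at least one configuration'); with the fix it "
                             "becomes DeletePublicAccessBlock and the bucket can be public"))
    return findings


if __name__ == "__main__":
    for name, m in (("fixed", FIXED_PUBLIC_BUCKET), ("legacy", LEGACY_ACL_BUCKET)):
        for code, msg in lint_bucket_spec(m) or [("OK", "no findings")]:
            print(f"{name}: {code}: {msg}")
```

Run it against a manifest dict before `kubectl apply`; a `PAB_ALL_FALSE` finding is expected for an intentionally public bucket and is worth reviewing explicitly, since after the fix it is the one shape that removes Block Public Access rather than failing.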
@haarchri Hello, I still get the same issue when using `publicAccessBlockConfiguration: {}`, or when not specifying it.

The same error with

I opened a new issue to track this: #1760
What happened?
Recently AWS updated their default AWS S3 bucket settings and since then I am unable to create S3 buckets due to ACL errors.
How can we reproduce it?
Not sure if the settings are global or not, but in us-east-2 when I try to create an S3 bucket I get an error about ACLs (Note: the same code works in us-west-2).
Here is the example code I was using:
The error seems to occur when trying to put an ACL on the bucket. Here is a small bit from the AWS CloudTrail event:
What environment did it happen in?
Email from AWS:
We are reaching out to inform you that starting in April 2023 Amazon S3 will change the default security configuration for all new S3 buckets. For new buckets created after this date, S3 Block Public Access will be enabled, and S3 access control lists (ACLs) will be disabled.
The majority of S3 use cases do not need public access or ACLs. For most customers, no action is required. If you have use cases for public bucket access or the use of ACLs, you can disable Block Public Access or enable ACLs after you create an S3 bucket. In these cases, you may need to update automation scripts, CloudFormation templates, or other infrastructure configuration tools to configure these settings. To learn more, read the AWS News blog [1] and What's New announcement [2] on this change or visit our user guide for S3 Block Public Access [3] and S3 Object Ownership to disable ACLs [4]. Also, see our user guide for AWS CloudFormation on these settings [5][6].
If you have any questions or concerns, please reach out to AWS Support [7].
[1] https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
[2] https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
[5] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
[6] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-ownershipcontrols.html
[7] https://aws.amazon.com/support