
Yandex Cloud: can't apply bucket policy via Terraform #4

Open
sio opened this issue Apr 5, 2023 · 1 comment
sio commented Apr 5, 2023

yandex_storage_bucket returns HTTP 403 when trying to set bucket policy.

There is a somewhat similar issue: yandex-cloud/terraform-provider-yandex#261
No solution is mentioned there, only a handwavy pointer to the docs:

For extended API usage, such as setting max_size, folder_id, anonymous_access_flags, default_storage_class and https parameters for a bucket, the default authorization method will be used, i.e. the IAM / OAuth token from the provider block. This might be a little bit confusing in cases when a separate service account is used for managing buckets, because in this case buckets will be accessed by two different accounts that might have different permissions for buckets.

CLI error:

-/+ resource "yandex_storage_bucket" "images" {
      + acl                   = (known after apply)
      ~ bucket_domain_name    = "yyyyyyyy.storage.yandexcloud.net" -> (known after apply)
      ~ default_storage_class = "STANDARD" -> (known after apply)
      ~ folder_id             = "xxxxxxxxx" -> (known after apply)
      ~ id                    = "yyyyyyyy" -> (known after apply)
      ~ max_size              = 0 -> 5368709120
      + policy                = jsonencode(
            {
              + Id        = "allow_access_within_ycloud"
              + Statement = [
                  + {
                      + Action    = "s3:GetObject"
                      + Condition = {
                          + IpAddress = {
                              + "aws:SourceIp" = [
                                  + "31.44.8.0/21",
                                  + "51.250.0.0/17",
                                  + "62.84.112.0/20",
                                  + "84.201.128.0/18",
                                  + "84.252.128.0/20",
                                  + "89.169.128.0/18",
                                  + "130.193.32.0/19",
                                  + "158.160.0.0/16",
                                  + "178.154.192.0/18",
                                  + "178.170.222.0/24",
                                  + "185.206.164.0/22",
                                  + "193.32.216.0/22",
                                  + "217.28.224.0/20",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:s3:::yyyyyyyy/*"
                      + Sid       = "allow_ycloud"
                    },
                ]
              + Version   = "2023-04-05"
            }
        )
      + website_domain        = (known after apply)
      + website_endpoint      = (known after apply)
        # (4 unchanged attributes hidden)

      - anonymous_access_flags {
          - config_read = false -> null
          - list        = false -> null
          - read        = false -> null
        }

      + lifecycle_rule {
          + enabled = true
          + id      = "Remove outdated OS images"

          + expiration {
              + days = 42
            }
        }
      + lifecycle_rule {
          + abort_incomplete_multipart_upload_days = 2
          + enabled                                = true
          + id                                     = "Clean up incomplete uploads"
        }

      - versioning {
          - enabled = false -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.
yandex_storage_bucket.images: Destroying... [id=yyyyyyyy]
yandex_storage_bucket.images: Still destroying... [id=yyyyyyyy, 10s elapsed]
yandex_storage_bucket.images: Destruction complete after 13s
yandex_storage_bucket.images: Creating...
╷
│ Error: handling policy: Error putting S3 policy: AccessDenied: Access Denied
│       status code: 403, request id: 11d52fadbc3da713, host id:
│
│   with yandex_storage_bucket.images,
│   on bucket.tf line 31, in resource "yandex_storage_bucket" "images":
│   31: resource "yandex_storage_bucket" "images" {
│
╵

@sio sio added the wishlist label Apr 5, 2023
@sio sio changed the title YCloud: can't apply bucket policy via Terraform Yandex Cloud: can't apply bucket policy via Terraform Apr 6, 2023

sio commented Apr 7, 2023

It seems that storage.editor just does not have enough permissions for that. Need to try storage.admin, as recommended here.
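The following Terraform configuration is an added example, not code from this issue or from the Yandex provider project. It shows the setup the two comments above point at: a dedicated service account whose static access key is handed to `yandex_storage_bucket` for the S3-level calls (the bucket policy PUT that returned 403), granted the `storage.admin` role the second comment suggests, while the provider block's own IAM/OAuth token still covers the "extended API" attributes named in the quoted docs (`max_size`, `folder_id`, `anonymous_access_flags`, and so on). The resource names, the variables `folder_id`, `bucket_name` and `allowed_cidrs`, and the policy `Version` string are assumptions made for this example; the CIDR list is constructed and must be replaced with the ranges you actually want to trust.

```hcl
# Dedicated service account used only for bucket management.
# Name is hypothetical.
resource "yandex_iam_service_account" "bucket_admin" {
  name = "bucket-admin"
}

# The S3 PutBucketPolicy call is made with this account's static key,
# so the role bound here decides whether the policy can be applied.
# storage.editor was observed to be insufficient; storage.admin is the
# role suggested in the thread.
resource "yandex_resourcemanager_folder_iam_member" "bucket_admin_role" {
  folder_id = var.folder_id
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.bucket_admin.id}"
}

# Static access key pair that the bucket resource uses for S3 API calls.
resource "yandex_iam_service_account_static_access_key" "bucket_admin_key" {
  service_account_id = yandex_iam_service_account.bucket_admin.id
}

resource "yandex_storage_bucket" "images" {
  bucket     = var.bucket_name
  access_key = yandex_iam_service_account_static_access_key.bucket_admin_key.access_key
  secret_key = yandex_iam_service_account_static_access_key.bucket_admin_key.secret_key

  # Make sure the role binding exists before the first S3 call;
  # otherwise the first apply can still fail with AccessDenied.
  depends_on = [yandex_resourcemanager_folder_iam_member.bucket_admin_role]

  # Anonymous read (Principal "*") is limited by a source-IP condition.
  # Keeping the condition is what stops this from becoming a public bucket.
  policy = jsonencode({
    Version = "2012-10-17" # conventional policy version string; assumed here
    Id      = "allow_access_within_ycloud"
    Statement = [
      {
        Sid       = "allow_ycloud"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "arn:aws:s3:::${var.bucket_name}/*"
        Condition = {
          IpAddress = {
            "aws:SourceIp" = var.allowed_cidrs
          }
        }
      },
    ]
  })
}

variable "folder_id" {
  type = string
}

variable "bucket_name" {
  type = string
}

# Constructed placeholder; replace with the ranges you intend to trust.
variable "allowed_cidrs" {
  type    = list(string)
  default = ["192.0.2.0/24"]
}
```

Because the bucket is touched by two identities (the provider-block token for the extended attributes, the service account key for the S3 calls), check both when a plan fails with 403: the error message names the S3 call, which points at the service account's role rather than at the provider token. Reviewing the role binding is also the least-privilege check worth keeping: the account should hold only what bucket management needs, and the policy's `Condition` block should stay, since removing it would turn `Principal = "*"` into unrestricted anonymous read.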
