-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(s3): publicReadAccess causes deployment failure due to access denied 403 #29632
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tiny comment
Co-authored-by: Aayush thapa <84202325+aaythapa@users.noreply.github.com>
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@@ -2000,6 +2000,10 @@ export class Bucket extends BucketBase { | |||
(props.lifecycleRules || []).forEach(this.addLifecycleRule.bind(this)); | |||
|
|||
if (props.publicReadAccess) { | |||
if (props.blockPublicAccess === undefined) { | |||
throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAceess\' property.'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@GavinZZ
typo: blockPublicAceess
-> blockPublicAccess
(Aceess has 'ee' and missing a 'c')
…ied 403 (aws#29632) ### Issue # (if applicable) Closes aws#29564 ### Reason for this change if you make a new s3 bucket ``` const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, { bucketName: `static-bucket`, publicReadAccess: true, }) ``` While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule. ### Description of changes When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour. ### Description of how you validated changes New unit tests and updated integ tests ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Issue # (if applicable)
Closes #29564
Reason for this change
if you make a new s3 bucket
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.
Description of changes
When users only enable
publicReadAccess
without configuringblockPublicAccess
to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis.We do not want to directly disable
blockPublicAccess
as it feels like a weird behaviour.Description of how you validated changes
New unit tests and updated integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license