Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(s3): publicReadAccess causes deployment failure due to access denied 403 #29632

Merged
merged 5 commits into from
May 28, 2024

Conversation

GavinZZ
Copy link
Contributor

@GavinZZ GavinZZ commented Mar 27, 2024

Issue # (if applicable)

Closes #29564

Reason for this change

if you make a new s3 bucket

const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})

While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

Description of changes

When users only enable publicReadAccess without configuring blockPublicAccess to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis.

We do not want to directly disable blockPublicAccess as it feels like a weird behaviour.

Description of how you validated changes

New unit tests and updated integ tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Mar 27, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team March 27, 2024 21:24
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 27, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 27, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 28, 2024
This was referenced Apr 1, 2024
@GavinZZ GavinZZ closed this May 10, 2024
@GavinZZ GavinZZ reopened this May 14, 2024
@GavinZZ GavinZZ added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
Copy link
Contributor

@aaythapa aaythapa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tiny comment

packages/aws-cdk-lib/aws-s3/test/bucket.test.ts Outdated Show resolved Hide resolved
Co-authored-by: Aayush thapa <84202325+aaythapa@users.noreply.github.com>
Copy link
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7f82cb5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 4bf6fad into main May 28, 2024
12 checks passed
@mergify mergify bot deleted the yuanhaoz/s3_allow_public_access branch May 28, 2024 21:19
Copy link
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

atanaspam pushed a commit to atanaspam/aws-cdk that referenced this pull request Jun 3, 2024
…ied 403 (aws#29632)

### Issue # (if applicable)

Closes aws#29564

### Reason for this change

if you make a new s3 bucket
```
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})
```
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

### Description of changes

When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. 

We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour.

### Description of how you validated changes

New unit tests and updated integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@@ -2000,6 +2000,10 @@ export class Bucket extends BucketBase {
(props.lifecycleRules || []).forEach(this.addLifecycleRule.bind(this));

if (props.publicReadAccess) {
if (props.blockPublicAccess === undefined) {
throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAceess\' property.');
Copy link

@richard-stafflink richard-stafflink Jun 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GavinZZ
typo: blockPublicAceess -> blockPublicAccess (Aceess has 'ee' and missing a 'c')

vdahlberg pushed a commit to vdahlberg/aws-cdk that referenced this pull request Jun 10, 2024
…ied 403 (aws#29632)

### Issue # (if applicable)

Closes aws#29564

### Reason for this change

if you make a new s3 bucket
```
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})
```
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

### Description of changes

When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. 

We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour.

### Description of how you validated changes

New unit tests and updated integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy
5 participants