S3BucketOrigin.withOriginAccessControl: No Option to add ListBucket permission

[andyfase]

Describe the bug

The withOriginAccessControl method only has functionality to add GetObject, PutObject or DeleteObject permissions to the provided bucket resource policy. When using CloudFront to host a SPA app (Single Page App) its common to require to put a custom error response to translate HTTP 404 (page not found) to HTTP 200 responses, this is support deep linking within the SPA app.

To allow for this the S3 bucket must provide ListBucket permission to CloudFront, allowing CloudFront to identify the file doesnt exist and actually omit a HTTP 404. Currently this is not exposed via withOriginAccessControl and a user has no understand this and then add the permission manally to the bucket policy

Given the code for withOriginAccessControl is already modifiing the bucket resource policy it should be expected that it also handles this use case

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

N/A

Expected Behavior

Bucket Policy has the ability to have ListBucket permissions granted to CloudFront

Current Behavior

Only GetObject permissions added to the /* resource ARN - ListBucket needs to be to the bucket resource not a Key resource

Reproduction Steps

use withOriginAccessControl and see that ListBucket permission cannot be added

Possible Solution

Expose functionality (extra prop) to withOriginAccessControl to allow for ListBucket permission adding

Additional Information/Context

N/A

CDK CLI Version

2.160.0

Framework Version

No response

Node.js Version

v20.14.0

OS

osx

Language

TypeScript

Language Version

No response

Other information

No response

[hetvi20]

### This permission allows CloudFront to handle 404 errors and deliver custom error responses, which is essential for deep linking within the SPA.

public withOriginAccessControl(props?: { allowListBucket?: boolean }) {
const bucketPolicy = {
// already have permissions
GetObject: true,
PutObject: true,
DeleteObject: true,
};

if (props?.allowListBucket) {
// Add ListBucket permission to the bucket resource policy
bucketPolicy.ListBucket = true;
}

this.updateBucketPolicy(bucketPolicy);
}
Once this adjustment is made, users will able to add the ListBucket permission directly through with OriginAccessControl, simplifying the process and avoiding need for manual modifications to the bucket policy.

[khushail]

@andyfase , thanks for reaching out.

Looks like this past issue is similar to the one you have created- #13983 .
Could you please take a look and confirm the same?

Thanks.

[andyfase]

Hi @khushail

Yes that past issue is similar - but that is to for OAI access pattern vs the newer OAC.

I agree with the comments made in that issue that adding ListBucket should be "opt-in" to prevent the exposure of the contents of the bucket if a index.html isnt present (i.e. the developer should have to enable this).

[khushail]

thanks @andyfase for replying back. Keeping all the discussion in mind, I think it would be appropriate to convert this bug to Feature request and mark it as P2 , to be available for community as well as team contribution.
Please feel free to comment/share feedback if you think otherwise.

@hetvi20 , thanks for commenting. If you would like to contribute a PR, please feel free to follow our Contribution guide and team would be happy to review your submission.

Thanks.

[hetvi20]

@khushail I have go through it thank for information. Can you merge my pull request in this respo.

[khushail]

@hetvi20 , I don't see any pull request linked with this issue. Also did not find any PR in CDK Repo. Could you please share your PR and link with this issue?

Once a PR has been submitted, community-reviewers review it and provide their feedback in form of comments. Then its reviewed by cdk maintainers who give the final stamp of approval and then PR is merged.
If you need any guidance/help from the community, please feel free to reach out at CDK.DEV community slack channel.

Let me know if you need any other information/help.

[hetvi20]

#31689 (comment) this is link

…

On Mon, 14 Oct, 2024, 12:39 pm Shailja Khurana, ***@***.***> wrote: @hetvi20 <https://github.com/hetvi20> , I don't see any pull request linked with this issue. Also did not find any PR in CDK Repo <https://github.com/aws/aws-cdk/pulls>. Could you please share your PR and link with this issue? Once a PR has been submitted, community-reviewers review it and provide their feedback in form of comments. Then its reviewed by cdk maintainers who give the final stamp of approval and then PR is merged. If you need any guidance/help from the community, please feel free to reach out at CDK.DEV <https://cdk.dev/> community slack channel. Let me know if you need any other information/help. — Reply to this email directly, view it on GitHub <#31689 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOGE42O7CQIMOQ7QQIA7ZLLZ3P6TLAVCNFSM6AAAAABPQLYJROVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMJRHA3DQNBSHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[khushail]

@hetvi20 , this is comment with code. Let me clarify the process little bit more. You would need to submit a pull request with changes and integration tests, and link to this issue. Here is a sample PR -#31822

Once a PR is submitted, it would go through community-review and then core team's review. If you need any further help with creation of PR, here are few tutorials which could prove helpful-

1. Contributing to AWS CDK
2. Youtube tutorial

You could also reach out to Community for help and guidance on CDK.dev.