Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

s3: bucket.grantRead does not allow s3:HeadObject #27389

Closed
tmokmss opened this issue Oct 3, 2023 · 3 comments · Fixed by #27416
Closed

s3: bucket.grantRead does not allow s3:HeadObject #27389

tmokmss opened this issue Oct 3, 2023 · 3 comments · Fixed by #27416
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@tmokmss
Copy link
Contributor

tmokmss commented Oct 3, 2023
edited
Loading

Describe the bug

Currently bucket.grantRead does not allow s3:HeadObject action. Because of this, the code like below does not work if you set the IAM policy by grantRead method, which is a surprising behavior.

s3 = boto3.client("s3")
# this operation requires s3:HeadObject permission
s3.download_file(bucket, key, filepath)

# you get the following error:
# [ERROR] ClientError: An error occurred (403) when calling the HeadObject operation: Forbidden

Expected Behavior

bucket.grantRead allows s3:HeadObject action.

Current Behavior

bucket.grantRead only allows s3:GetBucket* , s3:GetObject*, s3:List* actions.

Reproduction Steps

    const bucket = new Bucket(this, 'Bucket', {
    });
    const role = new Role(this, 'Role', {
      assumedBy: new ServicePrincipal('sns.amazonaws.com'),
    });
    bucket.grantRead(role);
    // See the synthesized IAM policy.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.99.1

Framework Version

2.99.1

Node.js Version

v18.13.0

OS

macOS

Language

Typescript

Language Version

No response

Other information

No response
@tmokmss tmokmss added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2023
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Oct 3, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2023
@khushail
Copy link
Contributor

khushail commented Oct 3, 2023

Hi @tmokmss , thanks for the report on the permitted actions for grantRead().

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Oct 3, 2023
@lpizzinidev lpizzinidev mentioned this issue Oct 5, 2023
Merged
vinayak-kukreja added a commit to lpizzinidev/aws-cdk that referenced this issue Oct 11, 2023
@vinayak-kukreja
Merge branch 'main' into awsgh-27389
53b94c9
mergify bot added a commit to lpizzinidev/aws-cdk that referenced this issue Oct 11, 2023
@mergify
Merge branch 'main' into awsgh-27389
c2e7a2e
@mergify mergify bot closed this as completed in #27416 Oct 11, 2023
mergify bot pushed a commit that referenced this issue Oct 11, 2023
@lpizzinidev
fix(s3): grantRead does not allow s3:HeadObject (#27416)
beac675 
Fixes the policy enforced by `grantRead` to allow operations that require to read an object's metadata, for example:
```
s3 = boto3.client("s3")
# this operation requires s3:HeadObject permission
s3.download_file(bucket, key, filepath)
```

Closes #27389.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@davekerber davekerber mentioned this issue Oct 14, 2023
Closed
@andresionek91
Copy link

Your authorization issue was related to something else. s3:HeadObject is not a valid action in IAM.

@github-actions github-actions bot mentioned this issue Nov 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(s3): grantRead does not allow s3:HeadObject lpizzinidev/aws-cdk
3 participants
@andresionek91 @tmokmss @khushail