Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(s3): publicReadAccess causes deployment failure due to access denied 403 #29632

Merged
merged 5 commits into from
May 28, 2024
Merged

fix(s3): publicReadAccess causes deployment failure due to access denied 403 #29632

merged 5 commits into from
May 28, 2024

Conversation

GavinZZ
Copy link
Contributor

@GavinZZ GavinZZ commented Mar 27, 2024
edited
Loading

Issue # (if applicable)

Closes #29564

Reason for this change

if you make a new s3 bucket

const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})

While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

Description of changes

When users only enable publicReadAccess without configuring blockPublicAccess to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis.

We do not want to directly disable blockPublicAccess as it feels like a weird behaviour.

Description of how you validated changes

New unit tests and updated integ tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Mar 27, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team March 27, 2024 21:24
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 27, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 27, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 28, 2024
This was referenced Apr 1, 2024
Closed
Closed
@GavinZZ GavinZZ closed this May 10, 2024
@GavinZZ GavinZZ reopened this May 14, 2024
@GavinZZ GavinZZ added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
aaythapa
aaythapa reviewed May 28, 2024
View reviewed changes
Copy link
Contributor

@aaythapa aaythapa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tiny comment

packages/aws-cdk-lib/aws-s3/test/bucket.test.ts Outdated Show resolved Hide resolved
@GavinZZ @aaythapa
Update packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
f5aea05 
Co-authored-by: Aayush thapa <84202325+aaythapa@users.noreply.github.com>
@mergify Mergify
Copy link
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7f82cb5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 4bf6fad into main May 28, 2024
12 checks passed
@mergify mergify bot deleted the yuanhaoz/s3_allow_public_access branch May 28, 2024 21:19
@mergify Mergify
Copy link
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

atanaspam pushed a commit to atanaspam/aws-cdk that referenced this pull request Jun 3, 2024
@GavinZZ @atanaspam
fix(s3): publicReadAccess causes deployment failure due to access den…
455f116 
…ied 403 (aws#29632)

### Issue # (if applicable)

Closes aws#29564

### Reason for this change

if you make a new s3 bucket
```
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})
```
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

### Description of changes

When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. 

We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour.

### Description of how you validated changes

New unit tests and updated integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
richard-stafflink
richard-stafflink reviewed Jun 3, 2024
View reviewed changes
packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -2000,6 +2000,10 @@ export class Bucket extends BucketBase {
(props.lifecycleRules || []).forEach(this.addLifecycleRule.bind(this));

if (props.publicReadAccess) {
if (props.blockPublicAccess === undefined) {
throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAceess\' property.');
Copy link

@richard-stafflink richard-stafflink Jun 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GavinZZ
typo: blockPublicAceess -> blockPublicAccess (Aceess has 'ee' and missing a 'c')

vdahlberg pushed a commit to vdahlberg/aws-cdk that referenced this pull request Jun 10, 2024
@GavinZZ
fix(s3): publicReadAccess causes deployment failure due to access den…
43381bc 
…ied 403 (aws#29632)

### Issue # (if applicable)

Closes aws#29564

### Reason for this change

if you make a new s3 bucket
```
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})
```
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

### Description of changes

When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. 

We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour.

### Description of how you validated changes

New unit tests and updated integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@rwlxxvii rwlxxvii mentioned this pull request Jun 22, 2024
Merged
@NOUIY NOUIY mentioned this pull request Jun 22, 2024
Open
@kazimanzurrashid kazimanzurrashid mentioned this pull request Jun 29, 2024
Open
This was referenced Jun 29, 2024
Open
Open
This was referenced Jul 12, 2024
Open
Open
This was referenced Jul 19, 2024
Open
Open
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@richard-stafflink richard-stafflink richard-stafflink left review comments

@aaythapa aaythapa aaythapa approved these changes

@TheRealAmazonKendra TheRealAmazonKendra Awaiting requested review from TheRealAmazonKendra

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy
5 participants
@GavinZZ @aws-cdk-automation @TheRealAmazonKendra @aaythapa @richard-stafflink