brief-car-60542

05/10/2023, 9:52 PM
I am getting an access denied error when trying to create public web hosting S3 by following this example: https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketaclv2/#with-public-read-acl
* error creating S3 bucket ACL for <bucket name>: AccessDenied: Access Denied

lemon-agent-27707

05/10/2023, 10:15 PM
How are you configuring your AWS credentials?

brief-car-60542

05/10/2023, 10:41 PM
With providers. I think my cert config is working, because I am able to generate all other resources, except this ACL one. Unless there is special cred work that needs to be done.

salmon-account-74572

05/10/2023, 11:20 PM
Can you share your code?

brief-car-60542

05/10/2023, 11:57 PM
Yes
  const webBucket = new aws.s3.BucketV2(
    webS3Name,
    {
      tags: {
        Environment: configEnvironment,
        Name: webS3Name,
      },
    },
    { provider: config.providers[configEnvironment] as aws.Provider },
  );

  const bucketOwnershipControls = new aws.s3.BucketOwnershipControls(
    `${webS3Name}-OwnershipControls`,
    {
      bucket: webBucket.id,
      rule: {
        objectOwnership: 'BucketOwnerPreferred',
      },
    },
    { provider: config.providers[configEnvironment] as aws.Provider },
  );

  new aws.s3.BucketPolicy(
    `${webS3Name}-BucketPolicy`,
    {
      bucket: webBucket.id,
      policy: allowPulicAccessPolicyDocument.apply((allowPulicAccessPolicyDocument) => {
        return allowPulicAccessPolicyDocument.json;
      }),
    },
    { provider: config.providers[configEnvironment] as aws.Provider },
  );

  new aws.s3.BucketAclV2(
    `${webS3Name}-AclV2`,
    {
      acl: 'public-read',
      bucket: webBucket.id,
    },
    {
      dependsOn: [bucketOwnershipControls, bucketPublicAccessBlock],
      provider: config.providers[configEnvironment] as aws.Provider,
    },
  );

salmon-account-74572

05/11/2023, 12:01 AM
I see bucketPublicAccessBlock referenced in the dependsOn, but I don’t see it defined here…?

brief-car-60542

05/11/2023, 12:04 AM
  const bucketPublicAccessBlock = new aws.s3.BucketPublicAccessBlock(
    `${webS3Name}-accessBlock`,
    {
      blockPublicAcls: true,
      blockPublicPolicy: true,
      bucket: webBucket.id,
      ignorePublicAcls: true,
      restrictPublicBuckets: true,
    },
    { provider: config.providers[configEnvironment] as aws.Provider },
  );
here

salmon-account-74572

05/11/2023, 4:11 AM
I think you need to change blockPublicAcls: true to blockPublicAcls: false. And I think that ignorePublicAcls should also be false.

brief-car-60542

05/11/2023, 5:13 AM
Thanks!

salmon-account-74572

05/11/2023, 3:24 PM
Happy to help!