https://pulumi.com logo
#general
Title
# general
t

thousands-tomato-60851

06/10/2023, 12:40 AM
Hi, I'm using aws cli2 with pulumi to try to create S3 bucket. The creation part is ok, but I always got this error:
Error putting S3 policy: AccessDenied: Access Denied
. The thing is the IAM user has been granted full s3 access permission, which includes PutS3Policy. And then I tried our root user credential, still the same. Is there anything I did wrong? Thanks.
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket");

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;
s

steep-toddler-94095

06/10/2023, 2:56 AM
have you checked the bucket policy and IAM policy through the console (or AWS API) to verify they are ywhat you think they are? because if your user is in the same account as the Bucket and has
s3:*
permissions for
arn:aws:s3:::${bucketName}
, and if the bucket policy does not deny permissions, then the user should have permissions to modify the bucket policy
t

thousands-tomato-60851

06/10/2023, 3:04 AM
thanks for reply. 1. I created an IAM user, and assigned it full s3 access policy. 2. I created key-value credential and configured it in AWS cli 3. I wrote code above and ran pulumi up From what I understand I shall not have to manually modify S3 bucket to apply policy? Because creation and policy shall be executed by pulumi in a row. What's the point if I have to add permission before I can
pulumi up
again?
Copy code
Type                          Name                    Status                       Info
 +   pulumi:pulumi:Stack           play-dev                **creating failed (4s)**     1 error
 +   ├─ aws:s3:Bucket              my-bucket               created (2s)                 
 +   ├─ aws:s3:BucketPolicy        my-bucket-policy        **creating failed**          1 error
 +   ├─ aws:s3:BucketNotification  my-bucket-notification  created (0.90s)              
 +   ├─ aws:s3:BucketObject        my-bucket-object        created (0.95s)              
 +   └─ aws:s3:BucketMetric        my-bucket-metric        created (1s)                 


Diagnostics:
  aws:s3:BucketPolicy (my-bucket-policy):
    error: 1 error occurred:
        * Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: R1MFA79VA0K1HSVA, host id: Kt6WTL3laYuyCsixxqXOskKzXMWfVDVP0Xj6SfgXVLkbggf8OmAz0+zdn/qqSVinietBTce1O74=

  pulumi:pulumi:Stack (play-dev):
    error: update failed
s

steep-toddler-94095

06/10/2023, 3:12 AM
Based on your code and description of your user's access (which I assume is being used by the default AWS Provider) you shouldn't be running into this error... something weird seems to be going on. Is it possible that there's an AWS Organization-wide policy that limits modifying Bucket Policies or anything like that? Have you been able to successfully modify Bucket Policies for other Buckets using that user?
could you try creating the bucket with the policy in the Bucket resource instead? https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/#policy_nodejs
I've found the problem. I need disable these options first. I'm not sure if this is the default behavior of s3 now, if so, you guys might wanna update your tutorial incase others encounter this too. Thanks for your help. It works now.
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket", {
  bucket: "my-bucket-reapi-test",
});

const exampleBucketPublicAccessBlock = new aws.s3.BucketPublicAccessBlock(
  "exampleBucketPublicAccessBlock",
  {
    bucket: bucket.id,
    blockPublicAcls: true,
    blockPublicPolicy: false,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
  }
);

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;
s

steep-toddler-94095

06/10/2023, 3:53 AM
Oh interesting, that’s good to know thanks! Also I’m not a Pulumi employee; I’m just a random person
t

thousands-tomato-60851

06/10/2023, 5:05 AM
lol still helped. 🙂
s

salmon-account-74572

06/12/2023, 12:09 PM
@thousands-tomato-60851 Glad you found the solution! This is due to a (somewhat) recent change in the AWS API: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/
5 Views