This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

06/10/2023, 12:40 AM

This message was deleted.

steep-toddler-94095

06/10/2023, 2:56 AM

have you checked the bucket policy and IAM policy through the console (or AWS API) to verify they are ywhat you think they are? because if your user is in the same account as the Bucket and has

s3:*

permissions for

arn:aws:s3:::${bucketName}

, and if the bucket policy does not deny permissions, then the user should have permissions to modify the bucket policy

thousands-tomato-60851

06/10/2023, 3:04 AM

thanks for reply. 1. I created an IAM user, and assigned it full s3 access policy. 2. I created key-value credential and configured it in AWS cli 3. I wrote code above and ran pulumi up From what I understand I shall not have to manually modify S3 bucket to apply policy? Because creation and policy shall be executed by pulumi in a row. What's the point if I have to add permission before I can

pulumi up

again?

Copy code

Type                          Name                    Status                       Info
 +   pulumi:pulumi:Stack           play-dev                **creating failed (4s)**     1 error
 +   ├─ aws:s3:Bucket              my-bucket               created (2s)                 
 +   ├─ aws:s3:BucketPolicy        my-bucket-policy        **creating failed**          1 error
 +   ├─ aws:s3:BucketNotification  my-bucket-notification  created (0.90s)              
 +   ├─ aws:s3:BucketObject        my-bucket-object        created (0.95s)              
 +   └─ aws:s3:BucketMetric        my-bucket-metric        created (1s)                 


Diagnostics:
  aws:s3:BucketPolicy (my-bucket-policy):
    error: 1 error occurred:
        * Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: R1MFA79VA0K1HSVA, host id: Kt6WTL3laYuyCsixxqXOskKzXMWfVDVP0Xj6SfgXVLkbggf8OmAz0+zdn/qqSVinietBTce1O74=

  pulumi:pulumi:Stack (play-dev):
    error: update failed

steep-toddler-94095

06/10/2023, 3:12 AM

Based on your code and description of your user's access (which I assume is being used by the default AWS Provider) you shouldn't be running into this error... something weird seems to be going on. Is it possible that there's an AWS Organization-wide policy that limits modifying Bucket Policies or anything like that? Have you been able to successfully modify Bucket Policies for other Buckets using that user?

steep-toddler-94095

06/10/2023, 3:19 AM

could you try creating the bucket with the policy in the Bucket resource instead? https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/#policy_nodejs

thousands-tomato-60851

06/10/2023, 3:22 AM

https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucketpublicaccessblock/

thousands-tomato-60851

06/10/2023, 3:23 AM

I've found the problem. I need disable these options first. I'm not sure if this is the default behavior of s3 now, if so, you guys might wanna update your tutorial incase others encounter this too. Thanks for your help. It works now.

Copy code

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket", {
  bucket: "my-bucket-reapi-test",
});

const exampleBucketPublicAccessBlock = new aws.s3.BucketPublicAccessBlock(
  "exampleBucketPublicAccessBlock",
  {
    bucket: bucket.id,
    blockPublicAcls: true,
    blockPublicPolicy: false,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
  }
);

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;

steep-toddler-94095

06/10/2023, 3:53 AM

Oh interesting, that’s good to know thanks! Also I’m not a Pulumi employee; I’m just a random person

thousands-tomato-60851

06/10/2023, 5:05 AM

lol still helped. 🙂

p 2

salmon-account-74572

06/12/2023, 12:09 PM

@thousands-tomato-60851 Glad you found the solution! This is due to a (somewhat) recent change in the AWS API: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/

👍 1

5 Views

Open in Slack

Previous Next