# general
t
Hi, I'm using aws cli2 with pulumi to try to create an S3 bucket. The creation part is ok, but I always get this error: `Error putting S3 policy: AccessDenied: Access Denied`. The thing is the IAM user has been granted full s3 access permission, which includes PutS3Policy. And then I tried our root user credential, still the same. Is there anything I did wrong? Thanks.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket");

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;
s
Have you checked the bucket policy and IAM policy through the console (or AWS API) to verify they are what you think they are? Because if your user is in the same account as the Bucket and has `s3:*` permissions for `arn:aws:s3:::${bucketName}`, and if the bucket policy does not deny permissions, then the user should have permissions to modify the bucket policy.
t
Thanks for the reply.
1. I created an IAM user, and assigned it the full s3 access policy.
2. I created key-value credentials and configured them in the AWS cli.
3. I wrote the code above and ran `pulumi up`.
From what I understand I shall not have to manually modify the S3 bucket to apply the policy? Because creation and policy shall be executed by pulumi in a row. What's the point if I have to add permission before I can `pulumi up` again?
Type                          Name                    Status                       Info
 +   pulumi:pulumi:Stack           play-dev                **creating failed (4s)**     1 error
 +   ├─ aws:s3:Bucket              my-bucket               created (2s)                 
 +   ├─ aws:s3:BucketPolicy        my-bucket-policy        **creating failed**          1 error
 +   ├─ aws:s3:BucketNotification  my-bucket-notification  created (0.90s)              
 +   ├─ aws:s3:BucketObject        my-bucket-object        created (0.95s)              
 +   └─ aws:s3:BucketMetric        my-bucket-metric        created (1s)                 


Diagnostics:
  aws:s3:BucketPolicy (my-bucket-policy):
    error: 1 error occurred:
        * Error putting S3 policy: AccessDenied: Access Denied
        status code: 403, request id: R1MFA79VA0K1HSVA, host id: Kt6WTL3laYuyCsixxqXOskKzXMWfVDVP0Xj6SfgXVLkbggf8OmAz0+zdn/qqSVinietBTce1O74=

  pulumi:pulumi:Stack (play-dev):
    error: update failed
s
Based on your code and description of your user's access (which I assume is being used by the default AWS Provider) you shouldn't be running into this error... something weird seems to be going on. Is it possible that there's an AWS Organization-wide policy that limits modifying Bucket Policies or anything like that? Have you been able to successfully modify Bucket Policies for other Buckets using that user?
Could you try creating the bucket with the policy in the Bucket resource instead? https://www.pulumi.com/registry/packages/aws/api-docs/s3/bucket/#policy_nodejs
I've found the problem. I need to disable these options first. I'm not sure if this is the default behavior of s3 now; if so, you guys might wanna update your tutorial in case others encounter this too. Thanks for your help. It works now.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket", {
  bucket: "my-bucket-reapi-test",
});

const exampleBucketPublicAccessBlock = new aws.s3.BucketPublicAccessBlock(
  "exampleBucketPublicAccessBlock",
  {
    bucket: bucket.id,
    blockPublicAcls: true,
    blockPublicPolicy: false,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
  }
);

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;
s
Oh interesting, that’s good to know thanks! Also I’m not a Pulumi employee; I’m just a random person
t
lol still helped. 🙂
s
@thousands-tomato-60851 Glad you found the solution! This is due to a (somewhat) recent change in the AWS API: https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/