https://pulumi.com logo
#aws
Title
# aws
s

shy-solstice-54260

02/27/2024, 3:07 AM
Hey folks, I'm creating a s3 buckets and uploading a object to it using
s3.BucketObject()
it was working fine so far, but recently I changed the permissions on IAM role to deny
s3:GetObjects
for all resources. After this change, my pulumi code is failing with error
Copy code
aws:s3:BucketObject (my-object):
    error: 1 error occurred:
    	* creating urn:pulumi:teleport::launchpad::aws:s3/bucketObject:BucketObject::my-object: 1 error occurred:
    	* reading S3 Object (my-object): Forbidden: Forbidden
    	status code: 403,
Does s3.BucketObject() need GetObject permission to read metadata of the object or know the status of the upload?
l

little-cartoon-10569

02/27/2024, 3:16 AM
Yes. Pulumi always gets information from the resources it deploys. That's how it manages drift, for example.
s

shy-solstice-54260

02/27/2024, 3:18 AM
Is there a alternative/workaround to put/upload objects to a bucket without requiring getObject permissions in s3? using pulumi
l

little-cartoon-10569

02/27/2024, 3:25 AM
No. You can use the AWS SDK. I think it's wrapped by the Pulumi AWS SDK but I can't find where, I don't seem to use it any more. That is, I think there is (or was?) an
@pulumi/aws/...??
import that you can use the access the AWS client classes. If not, you can just add the @aws-sdk/client-s3 dependency.
If you don't want the objects managed, you just don't create them using Pulumi. It would be quite expensive to have all your uploaded objects be managed objects, since Pulumi bills based on the number of deployed managed resources...
s

shy-solstice-54260

02/27/2024, 3:42 AM
@little-cartoon-10569 do you know if pulumi just reads metadata of the object or does it require permissions to read the object itself?
b

big-state-95297

02/27/2024, 3:55 AM
It’s quite possible (at least in Pulumi’s model, which doesn’t have bi-directional reconciliation) to detect drift, because it would be detecting drift between Pulumi’s state and the new changes. We can store a checksum in Pulumi’s state and compare that to the checksum of the object the user is trying the upload. If they are the same, just skip the upload.
l

little-cartoon-10569

02/27/2024, 6:39 PM
That detects change, not drift. Drift is when the resource in AWS is changed. To detect that, the resource needs to be read. For that, you need the various get..() API calls. Since Pulumi isn't working without the permission, the question is essentially moot. You must give Pulumi the permission, or unmanage the resource.
b

big-state-95297

02/29/2024, 2:46 AM
IIUC, drift detection is not automatic, but needed when I run a
pulumi refresh
?
l

little-cartoon-10569

02/29/2024, 2:50 AM
Drift detection isn't automatic.
pulumi refresh
attempts to resolve as much drift as it can. It won't fix things like deletes or creates. There is nothing that does that.