prehistoric-sandwich-7272
08/31/2022, 8:03 PM
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "my-bucket",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
}
}
]
}
Now I have a second S3 folder, under the same bucket, for a second service, called ‘service2’. I created an OAI for the folder and CloudFront as well, and I want to attach a new statement to the existing bucket policy. So something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "my-bucket",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <123>"
},
{
"Sid": "my-bucket",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <456>"
}
}
]
}
How can I achieve this?
s3.NewBucketPolicy
to create the permissions, I can't use it again with a different OAI ID, since I get the error:
Duplicate resource URN 'urn:pulumi:staging::my-bucket::aws:s3/bucketV2:BucketV2::my-bucket'; try giving it a unique name
billowy-army-68599
08/31/2022, 8:14 PM
prehistoric-sandwich-7272
08/31/2022, 8:34 PM
// Create folder
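// bucketName is the existing bucket that holds one folder per service.
const bucketName = "my-bucket"

// folderKey is the S3 key prefix this service's objects live under. It is
// used both for the placeholder folder object and to scope the bucket policy
// to this prefix only, instead of granting s3:GetObject on "<bucket-arn>/*"
// (the whole bucket) as before — each service's OAI should read only its own
// folder.
const folderKey = "test-folder/test-directory/"

folder, err := s3Pkg.NewBucketObjectv2(ctx, "test-folder", &s3Pkg.BucketObjectv2Args{
	Key:    pulumi.String(folderKey),
	Bucket: pulumi.String(bucketName),
})
if err != nil {
	// NOTE(review): assumes the enclosing func returns error (pulumi.Run
	// convention); the original discarded this error with `_`.
	return fmt.Errorf("creating folder object %q: %w", folderKey, err)
}

// Look the bucket up once, outside any ApplyT callback. Creating resources
// inside ApplyT is discouraged in Pulumi (they do not show up in preview),
// and it also left bucketObject and allowAccessFromOai in the closure's
// scope, where the NewBucketPolicy call below could not see them. Calling
// GetBucketV2 with the same name a second time is the likely source of the
// "Duplicate resource URN ... BucketV2::my-bucket" error.
bucketObject, err := s3Pkg.GetBucketV2(ctx, bucketName, pulumi.ID(bucketName), nil)
if err != nil {
	return fmt.Errorf("looking up bucket %q: %w", bucketName, err)
}

// One entry per (service folder, OAI). A bucket has exactly one policy, so a
// second service must be a second statement in this document — not a second
// NewBucketPolicy, which would replace the first. Each statement needs its
// own Sid (S3 rejects a policy whose statements share a Sid) and its own
// prefix.
// NOTE(review): assumes oaiArn is a pulumi.StringInput (e.g. the OAI's
// IamArn StringOutput) — confirm against its declaration.
grants := []struct {
	sid    string
	prefix string
	oai    pulumi.StringInput
}{
	{sid: bucketName, prefix: folderKey, oai: oaiArn},
	// {sid: "service2", prefix: "service2/", oai: <service2 OAI ARN input>},
}

statements := make(iam.GetPolicyDocumentStatementArray, 0, len(grants))
for _, g := range grants {
	statements = append(statements, &iam.GetPolicyDocumentStatementArgs{
		Sid: pulumi.String(g.sid),
		Principals: iam.GetPolicyDocumentStatementPrincipalArray{
			&iam.GetPolicyDocumentStatementPrincipalArgs{
				Type:        pulumi.String("AWS"),
				Identifiers: pulumi.StringArray{g.oai},
			},
		},
		Actions: pulumi.StringArray{pulumi.String("s3:GetObject")},
		// Only objects under this service's prefix, not the whole bucket.
		Resources: pulumi.StringArray{
			pulumi.Sprintf("%s/%s*", bucketObject.Arn, g.prefix),
		},
	})
}

allowAccessFromOai := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
	Statements: statements,
})

// Json() is the rendered policy document; no ApplyT needed to extract it.
_, err = s3Pkg.NewBucketPolicy(ctx, "allowAccessFromOai", &s3Pkg.BucketPolicyArgs{
	Bucket: bucketObject.ID(),
	Policy: allowAccessFromOai.Json(),
})
if err != nil {
	return fmt.Errorf("attaching bucket policy to %q: %w", bucketName, err)
}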