Hey guys! Any idea how can I add a statement to an...
# golang
p
Hey guys! Any idea how I can add a statement to an existing S3 bucket policy permission? I have created an S3 bucket and a folder inside it called ‘service1’, created an OAI for the folder and CloudFront, and attached a bucket policy containing the OAI & S3 folder. It looks like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "my-bucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
      }
    }
  ]
}
```
Now I have a second S3 folder, under the same bucket, for a second service, called ‘service2’. I created an OAI for the folder and CloudFront as well, and I want to attach a new statement to the existing bucket policy, so something like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "my-bucket-service1",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <123>"
      }
    },
    {
      "Sid": "my-bucket-service2",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <456>"
      }
    }
  ]
}
```
How can I achieve this? Since I used the function `s3.NewBucketPolicy` to create the permissions, I can't use it again with a different OAI ID, since I get the error:
```text
Duplicate resource URN 'urn:pulumi:staging::my-bucket::aws:s3/bucketV2:BucketV2::my-bucket'; try giving it a unique name
```
b
@prehistoric-sandwich-7272 can you share your code?
p
@billowy-army-68599
```go
import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	s3Pkg "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// This runs inside the pulumi.Run func, so `ctx` is the *pulumi.Context and
// `oaiArn` is the pulumi.StringOutput IAM ARN of the OAI created earlier
// (the OAI and bucket creation are not part of this snippet).
const bucketName = "my-bucket"

// Create the "folder": a zero-byte object whose key ends in "/"
_, err := s3Pkg.NewBucketObjectv2(ctx, "test-folder", &s3Pkg.BucketObjectv2Args{
	Key:    pulumi.String("test-folder/test-directory/"),
	Bucket: pulumi.String(bucketName),
})
if err != nil {
	return err
}

// Look up the existing bucket so its ARN can be used in the policy resources.
// The bucket name is a plain string, so no ApplyT is needed around this.
bucketObject, err := s3Pkg.GetBucketV2(ctx, bucketName, pulumi.ID(bucketName), nil)
if err != nil {
	return fmt.Errorf("getting bucket %s: %w", bucketName, err)
}

// Build the policy document. Outputs such as oaiArn and bucketObject.Arn are
// valid StringInputs, so they are passed in directly instead of unwrapping
// them inside an ApplyT (which would leave the document out of scope below).
allowAccessFromOai := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
	Statements: iam.GetPolicyDocumentStatementArray{
		&iam.GetPolicyDocumentStatementArgs{
			Sid: pulumi.String(bucketName),
			Principals: iam.GetPolicyDocumentStatementPrincipalArray{
				&iam.GetPolicyDocumentStatementPrincipalArgs{
					Type:        pulumi.String("AWS"),
					Identifiers: pulumi.StringArray{oaiArn},
				},
			},
			Actions: pulumi.StringArray{
				pulumi.String("s3:GetObject"),
			},
			Resources: pulumi.StringArray{
				bucketObject.Arn.ApplyT(func(arn string) (string, error) {
					return fmt.Sprintf("%v/*", arn), nil
				}).(pulumi.StringOutput),
			},
		},
	},
})

// Attach the rendered JSON as the bucket policy. A BucketPolicy replaces the
// whole policy document on the bucket, so every statement must be in it.
_, err = s3Pkg.NewBucketPolicy(ctx, "allowAccessFromOai", &s3Pkg.BucketPolicyArgs{
	Bucket: bucketObject.ID(),
	Policy: allowAccessFromOai.ApplyT(func(doc iam.GetPolicyDocumentResult) (string, error) {
		return doc.Json, nil
	}).(pulumi.StringOutput),
})
if err != nil {
	return err
}
```
That’s without the bucket creation, which is not really relevant. So after the above code is done (folder creation inside the S3 bucket + OAI + bucket permissions), I want to run the above code with a different folder inside the same bucket and add to the same bucket permissions.
The before and after are above in my first message, the two JSONs.
b
You should be able to create a new policy and use NewBucketPolicyAttachment without much issue; the duplicate URN thing is because you’re giving both resources the same name.
If you get to the stage where you get that error again and share the code, I can help you fix it.
p
@billowy-army-68599 so the error was indeed caused by the duplicate resource names. I changed it and it was fixed; now when I run the code for the second service I get no error (yay), but the bucket policy is overwritten.
@billowy-army-68599 any way to just add a statement to an existing S3 bucket policy?
b
Unfortunately not, BucketPolicy doesn’t have a PolicyAttachment-like mechanism, I’m afraid. You’ll need to create the policy in one go.
p
@billowy-army-68599 I ended up writing a package that adds a permission statement to a policy JSON and creates a new bucket permission with it. Maybe I will open a PR soon for you guys 😜