https://pulumi.com logo
#golang
Title
# golang
p

prehistoric-sandwich-7272

08/31/2022, 8:03 PM
Hey guys! Any idea how can I add a statement to an existing S3 bucket policy permission? I have created a S3 bucket, and a folder inside it called ‘service1’ , created an OAI for the folder and cloudfront, and attached a bucket policy for containing the OAI & s3 folder. looks like this:
Copy code
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "my-bucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
      }
    }
  ]
}
Now I have a second s3 folder, under the same bucket, for a second service, called ‘service2’. I created an OAI for the folder and cloudfront aswell, and I want to attach a new statement to the existing bucket policy. so something like this:
Copy code
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "my-bucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <123>"
      },
      {
      "Sid": "my-bucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::my-bucket/*"
      ],
      "Principal": {
        "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <456>"
      }
    }
  ]
}
How can I achieve this?
since I used the function
s3.NewBucketPolicy
to create the permissions, I cant use it again with a different OAI ID, since I get the error:
Copy code
Duplicate resource URN 'urn:pulumi:staging::my-bucket::aws:s3/bucketV2:BucketV2::my-bucket'; try giving it a unique name
b

billowy-army-68599

08/31/2022, 8:14 PM
@prehistoric-sandwich-7272 can you share your code?
p

prehistoric-sandwich-7272

08/31/2022, 8:34 PM
@billowy-army-68599
Copy code
// Create folder
folder, _ := s3Pkg.NewBucketObjectv2(ctx, "test-folder", &s3Pkg.BucketObjectv2Args{
   Key:    pulumi.String("test-folder/test-directory/"),
   Bucket: pulumi.String("my-bucket"),
})

_ = pulumi.All("my-bucket", oaiArn).ApplyT(func(inputs []interface{}) error {
   bucketName := inputs[0].(string)
   oaiApplied := inputs[1].(string)

   bucketObject, err := s3Pkg.GetBucketV2(ctx, bucketName, pulumi.ID(bucketName), nil)
   if err != nil {
      log.Fatalf("Got error while trying to get bucket!")
      return err
   }

   allowAccessFromOai := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
      Statements: iam.GetPolicyDocumentStatementArray{
         &iam.GetPolicyDocumentStatementArgs{
            Sid: pulumi.String(bucketName),
            Principals: iam.GetPolicyDocumentStatementPrincipalArray{
               &iam.GetPolicyDocumentStatementPrincipalArgs{
                  Type: pulumi.String("AWS"),
                  Identifiers: pulumi.StringArray{
                     pulumi.String(oaiApplied),
                  },
               },
            },
            Actions: pulumi.StringArray{
               pulumi.String("s3:GetObject"),
            },
            Resources: pulumi.StringArray{
               bucketObject.Arn.ApplyT(func(arn string) (string, error) {
                  return fmt.Sprintf("%v/*", arn), nil
               }).(pulumi.StringOutput),
            },
         },
      },
   }, nil)
   return nil
})
_, err = s3Pkg.NewBucketPolicy(ctx, "allowAccessFromOai", &s3Pkg.BucketPolicyArgs{
   Bucket: bucketObject.ID(),
   Policy: allowAccessFromOai.ApplyT(func(allowAccessFromAnotherAccountPolicyDocument iam.GetPolicyDocumentResult) (string, error) {
      return allowAccessFromAnotherAccountPolicyDocument.Json, nil
   }).(pulumi.StringOutput),
})
that’s without the bucket creation, not really relevant so after the above code is done (folder creation inside the s3 bucket + oai + bucket permissions) I want to run the above code with a different folder inside the same bucket, and add to the same bucket permissions
the before and after are above in my first message, the two JSON’s
b

billowy-army-68599

08/31/2022, 8:39 PM
you should be able to create a new policy and use NewBucketPolicyAttachment without much issue, the duoplicate urn thing is because you’re giving both resources the same name
if you get to the stage where you get that error aghain and share the code I can help you fix it
p

prehistoric-sandwich-7272

08/31/2022, 9:59 PM
@billowy-army-68599 so the error was indeed caused by the duplicate resource names so I changed it and it was fixed now when I run the code for the second service I get no error (yay) but the bucket policy is overwritten
@billowy-army-68599 any way to just add a statement to an existing s3 bucket policy?
b

billowy-army-68599

08/31/2022, 10:05 PM
unfortunately not, BucketPolicy doesn’t have a PolicyAttachment like mechanism I’m afraid. you’ll need to create the policy in one go
p

prehistoric-sandwich-7272

08/31/2022, 10:41 PM
@billowy-army-68599 end up writing a package that adds permission statement to a policy json and creates a new bucket permission with it.. maybe i will open a PR soon for u guys 😜
5 Views