#golang

    prehistoric-sandwich-7272

    3 weeks ago
    Hey guys! Any idea how I can add a statement to an existing S3 bucket policy? I have created an S3 bucket and a folder inside it called ‘service1’, created an OAI for the folder and CloudFront, and attached a bucket policy containing the OAI & S3 folder. It looks like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "my-bucket",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::my-bucket/*"
          ],
          "Principal": {
            "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
          }
        }
      ]
    }
    Now I have a second S3 folder, under the same bucket, for a second service, called ‘service2’. I created an OAI for the folder and CloudFront as well, and I want to attach a new statement to the existing bucket policy. So something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "my-bucket",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::my-bucket/*"
          ],
          "Principal": {
            "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <123>"
          }
        },
        {
          "Sid": "my-bucket",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::my-bucket/*"
          ],
          "Principal": {
            "Oai": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <456>"
          }
        }
      ]
    }
    How can I achieve this?
    Since I used the function s3.NewBucketPolicy to create the permissions, I can't use it again with a different OAI ID, since I get the error:
    Duplicate resource URN 'urn:pulumi:staging::my-bucket::aws:s3/bucketV2:BucketV2::my-bucket'; try giving it a unique name

    billowy-army-68599

    3 weeks ago
    @prehistoric-sandwich-7272 can you share your code?

    prehistoric-sandwich-7272

    3 weeks ago
    @billowy-army-68599
    // Imports this fragment needs. The statements below run inside the body of
    // pulumi.Run(func(ctx *pulumi.Context) error { ... }), where ctx is defined and
    // oaiArn (a pulumi.StringOutput holding the OAI's IAM ARN) was produced earlier.
    import (
       "fmt"

       "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
       s3Pkg "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
       "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )

    // Create folder (an S3 key ending in "/") inside the existing bucket.
    _, err := s3Pkg.NewBucketObjectv2(ctx, "test-folder", &s3Pkg.BucketObjectv2Args{
       Key:    pulumi.String("test-folder/test-directory/"),
       Bucket: pulumi.String("my-bucket"),
    })
    if err != nil {
       return err
    }

    // Look up the existing bucket; its Arn output is used to build the resource ARN below.
    // No Apply is needed here: the lookup takes a plain string, and Inputs can be
    // passed straight into the policy arguments.
    bucketObject, err := s3Pkg.GetBucketV2(ctx, "my-bucket", pulumi.ID("my-bucket"), nil)
    if err != nil {
       return err
    }

    // Policy document: allow the OAI to read every object in the bucket.
    allowAccessFromOai := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
       Statements: iam.GetPolicyDocumentStatementArray{
          &iam.GetPolicyDocumentStatementArgs{
             Sid: pulumi.String("my-bucket"),
             Principals: iam.GetPolicyDocumentStatementPrincipalArray{
                &iam.GetPolicyDocumentStatementPrincipalArgs{
                   Type:        pulumi.String("AWS"),
                   Identifiers: pulumi.StringArray{oaiArn},
                },
             },
             Actions: pulumi.StringArray{
                pulumi.String("s3:GetObject"),
             },
             Resources: pulumi.StringArray{
                bucketObject.Arn.ApplyT(func(arn string) string {
                   return fmt.Sprintf("%v/*", arn)
                }).(pulumi.StringOutput),
             },
          },
       },
    })

    // Attach the rendered JSON as the bucket policy. A bucket carries exactly one
    // policy document, so this replaces whatever policy the bucket had before.
    _, err = s3Pkg.NewBucketPolicy(ctx, "allowAccessFromOai", &s3Pkg.BucketPolicyArgs{
       Bucket: bucketObject.ID(),
       Policy: allowAccessFromOai.ApplyT(func(doc iam.GetPolicyDocumentResult) string {
          return doc.Json
       }).(pulumi.StringOutput),
    })
    if err != nil {
       return err
    }
    That’s without the bucket creation, which is not really relevant. So after the above code is done (folder creation inside the S3 bucket + OAI + bucket permissions), I want to run the above code with a different folder inside the same bucket, and add to the same bucket permissions.
    The before and after are above in my first message, the two JSONs.

    billowy-army-68599

    3 weeks ago
    You should be able to create a new policy and use NewBucketPolicyAttachment without much issue. The duplicate URN thing is because you’re giving both resources the same name.
    If you get to the stage where you get that error again and share the code, I can help you fix it.

    prehistoric-sandwich-7272

    3 weeks ago
    @billowy-army-68599 So the error was indeed caused by the duplicate resource names; I changed it and it was fixed. Now when I run the code for the second service I get no error (yay), but the bucket policy is overwritten.
    @billowy-army-68599 Any way to just add a statement to an existing S3 bucket policy?

    billowy-army-68599

    3 weeks ago
    Unfortunately not. BucketPolicy doesn’t have a PolicyAttachment-like mechanism, I’m afraid. You’ll need to create the policy in one go.

    prehistoric-sandwich-7272

    3 weeks ago
    @billowy-army-68599 Ended up writing a package that adds a permission statement to a policy JSON and creates a new bucket permission with it.. maybe I will open a PR soon for you guys 😜