Can I pass the S3 backend flags like --acl bucket-owner-full-control? Using Pulumi in a multi-account setup is otherwise kind of prohibitive.
Thanks, but I understand how to work with the resources--I'm referring to passing parameters via the S3 backend, like when updating state files.
Right now, if a cross-account user creates a Pulumi stack, the permissions are not set such that the bucket owner can actually touch the file.
so, either: 1. Pulumi set the bucket the way you told it, and AWS is doing something weird 2. Pulumi didn't set the bucket, and has a bug
No to both. The S3 backend has a client that is passing default parameters to AWS. I am asking how to pass parameters to it.
Pulumi didn't create and doesn't manage this bucket; it's making client calls to it as part of state management.
wait, then what does the ACL argument do in the context of "oh, I'm not managing this bucket, I'm just using it"?
because as i understand it, that's part of the s3 permissions system, and setting it is more of a "managing and configuring resources" activity
and, of course, as a client you can't just say "please apply this ACL for this request" because that defeats the whole purpose of having a permissions system
Pulumi is managing the bucket, but is creating it in a different AWS account via aws's cross-account features
in which case, I suspect that the canned ACLs might be insufficient and you need an explicit policy?
or, you're trying to manage an aws account as a cross-account user?
which smells like IAM misconfiguration or weirdness?
Pulumi is not managing the bucket. Pulumi is doing gets and puts into it. This is the standard object owner/bucket owner divide.
The solution is generally to place a condition in your bucket policy that equals s3:x-amz-acl: bucket-owner-full-control, but Pulumi isn't sending the header so its puts get rejected.
You both can and must apply the ACL per-request because bucket owners and object owners are different principals.
The workaround becomes to run something like aws s3 cp s3://pulumi-bucket/ s3://pulumi-bucket/ --acl bucket-owner-full-control --recursive as the object owner, but that's silly.
ok, sorry for trying to help, i'm completely unfamiliar with cross-account stuff and this is just making me want to cry because why is aws like this????
Hey, no worries, I appreciate the effort. 🙂
Cross-account stuff is garbage, in this case the solution is to pass a field to the S3 operation - I just don't know if that's surfaced by Pulumi.
afaik, pulumi is wrapping terraform's code under the hood in most cases
For resources yes, but AFAIK the backends are implemented in Pulumi itself (different state model than Terraform). I think I'll just file an issue and see what's up
Thanks. 😃