https://pulumi.com logo
#general
Title
# general
b

boundless-monkey-50243

07/15/2019, 6:46 PM
Can I pass the S3 backend flags like
--acl bucket-owner-full-control
? Using Pulumi in a multi-account setup is otherwise kind of prohibitive.
b

boundless-monkey-50243

07/15/2019, 8:36 PM
Thanks, but I understand how to work with the resources--I'm referring to passing parameters via the S3 backend, like when updating state files.
Right now, if a cross-account user creates a Pulumi stack, the permissions are not set such that the bucket owner can actually touch the file.
h

high-translator-22614

07/15/2019, 8:39 PM
so, either: 1. Pulumi set the bucket the way you told it, and AWS is doing something weird 2. Pulumi didn't set the bucket, and has a bug
b

boundless-monkey-50243

07/15/2019, 8:47 PM
No to both. The S3 backend has a client that is passing default parameters to AWS. I am asking how to pass parameters to it.
Pulumi didn't create and doesn't manage this bucket; it's making client calls to it as part of state management.
h

high-translator-22614

07/15/2019, 8:49 PM
wait, then what is the ACL argument do in the context of "oh, I'm not managing this bucket, I'm just using it"?
because as i understand it, that's part of the s3 permissions system, and setting it is more of a "managing and configuring resources" activity
and, of course, as a client you can't just say "please apply this ACL for this request" because that defeats the whole purpose of having a permissions system
oh!
Pulumi is managing the bucket, but is creating it in a different AWS account via aws's cross-account features
in which case, I suspect that the canned ACLs might be insufficient and you need an explicit policy?
or, you're trying to manage an aws account as a cross-account user?
which smells like IAM misconfiguration or weirdness?
b

boundless-monkey-50243

07/15/2019, 8:57 PM
Pulumi is not managing the bucket. Pulumi is doing gets and puts into it. This is the standard object owner/bucket owner divide.
The solution is generally to place a condition in your bucket policy that equals
s3:x-amz-acl: bucket-owner-full-control
, but Pulumi isn't sending the header so its puts get rejected.
You both can and must apply the ACL per-request because bucket owners and object owners are different principals.
The workaround becomes to run something like
Copy code
aws s3 cp <s3://pulumi-bucket/> <s3://pulumi-bucket/> --acl bucket-owner-full-control --recursive
as the object owner, but that's silly.
h

high-translator-22614

07/15/2019, 9:03 PM
ok, sorry for trying to help, i'm completely unfamiliar with cross-account stuff and this is just making me want to cry because why is aws like this????
b

boundless-monkey-50243

07/15/2019, 9:05 PM
Hey, no worries, I appreciate the effort. 🙂
Cross-account stuff is garbage, in this case the solution is to pass a field to the S3
PutObject
operation - I just don't know if that's surfaced by Pulumi.
h

high-translator-22614

07/15/2019, 9:07 PM
afaik, pulumi is wrapping terraform's code under the hood in most cases
b

boundless-monkey-50243

07/15/2019, 9:08 PM
For resources yes, but AFAIK the backends are implemented in Pulumi itself (different state model than Terraform). I think I'll just file an issue and see what's up
Thanks. 😃