This message was deleted.
# generals
sparse-intern-71089
07/15/2019, 6:46 PMThis message was deleted.
h
high-translator-22614
07/15/2019, 7:17 PMPython ref: https://www.pulumi.com/docs/reference/pkg/python/pulumi_aws/s3/#pulumi_aws.s3.Bucket
JS ref: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/s3/#Bucket
I believe the property you want is
aclb
boundless-monkey-50243
07/15/2019, 8:36 PMThanks, but I understand how to work with the resources--I'm referring to passing parameters via the S3 backend, like when updating state files.
boundless-monkey-50243
07/15/2019, 8:37 PMRight now, if a cross-account user creates a Pulumi stack, the permissions are not set such that the bucket owner can actually touch the file.
h
high-translator-22614
07/15/2019, 8:39 PMso, either:
1. Pulumi set the bucket the way you told it, and AWS is doing something weird
2. Pulumi didn't set the bucket, and has a bug
b
boundless-monkey-50243
07/15/2019, 8:47 PMNo to both. The S3 backend has a client that is passing default parameters to AWS. I am asking how to pass parameters to it.
boundless-monkey-50243
07/15/2019, 8:48 PMPulumi didn't create and doesn't manage this bucket; it's making client calls to it as part of state management.
h
high-translator-22614
07/15/2019, 8:49 PMwait, then what is the ACL argument do in the context of "oh, I'm not managing this bucket, I'm just using it"?
high-translator-22614
07/15/2019, 8:49 PMbecause as i understand it, that's part of the s3 permissions system, and setting it is more of a "managing and configuring resources" activity
high-translator-22614
07/15/2019, 8:51 PMand, of course, as a client you can't just say "please apply this ACL for this request" because that defeats the whole purpose of having a permissions system
high-translator-22614
07/15/2019, 8:54 PMoh!
high-translator-22614
07/15/2019, 8:54 PMPulumi is managing the bucket, but is creating it in a different AWS account via aws's cross-account features
high-translator-22614
07/15/2019, 8:55 PMin which case, I suspect that the canned ACLs might be insufficient and you need an explicit policy?
high-translator-22614
07/15/2019, 8:56 PMor, you're trying to manage an aws account as a cross-account user?
high-translator-22614
07/15/2019, 8:57 PMwhich smells like IAM misconfiguration or weirdness?
b
boundless-monkey-50243
07/15/2019, 8:57 PMPulumi is not managing the bucket. Pulumi is doing gets and puts into it. This is the standard object owner/bucket owner divide.
boundless-monkey-50243
07/15/2019, 8:58 PMThe solution is generally to place a condition in your bucket policy that equals
s3:x-amz-acl: bucket-owner-full-controlboundless-monkey-50243
07/15/2019, 8:59 PMYou both can and must apply the ACL per-request because bucket owners and object owners are different principals.
boundless-monkey-50243
07/15/2019, 9:02 PMThe workaround becomes to run something like
Copy code
aws s3 cp <s3://pulumi-bucket/> <s3://pulumi-bucket/> --acl bucket-owner-full-control --recursiveh
high-translator-22614
07/15/2019, 9:03 PMok, sorry for trying to help, i'm completely unfamiliar with cross-account stuff and this is just making me want to cry because why is aws like this????
b
boundless-monkey-50243
07/15/2019, 9:05 PMHey, no worries, I appreciate the effort. 🙂
boundless-monkey-50243
07/15/2019, 9:05 PMCross-account stuff is garbage, in this case the solution is to pass a field to the S3
PutObjecth
high-translator-22614
07/15/2019, 9:07 PMafaik, pulumi is wrapping terraform's code under the hood in most cases
b
boundless-monkey-50243
07/15/2019, 9:08 PMFor resources yes, but AFAIK the backends are implemented in Pulumi itself (different state model than Terraform). I think I'll just file an issue and see what's up
boundless-monkey-50243
07/15/2019, 9:08 PMThanks. 😃