aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy #29564
Description
Describe the bug
So, if you make a new S3 bucket

```ts
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
  bucketName: `static-bucket`,
  publicReadAccess: true,
});
```

While this is fine code and you can deploy it, it will fail in the middle with a generic access denied error that does not tell you what stopped it, even if you are full admin. This happens due to the default deny all public access rule.
Expected Behavior
So if you make a new S3 bucket

```ts
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
  bucketName: `static-bucket`,
  publicReadAccess: true,
});
```

it will create the S3 bucket with the policy and set the deny public access to false for all 4 options.
Current Behavior
Fails with access denied error while creating the bucket and doesn't say that it's because of the policy.
Reproduction Steps
Use the following code, changing the bucket name to something unique.

```ts
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
  bucketName: `static-bucket`,
  publicReadAccess: true,
});
```

```sh
npx cdk deploy app
```
Possible Solution
A possible solution would be: if you use `publicReadAccess: true`, set all `blockPublicAccess` options to false implicitly; the same if you use the `grantPublicAccess()` function.
Or state in the documentation that you have to set `blockPublicAccess` to false and give a better error back.

```ts
blockPublicAccess: {
  blockPublicAcls: false,
  blockPublicPolicy: false,
  ignorePublicAcls: false,
  restrictPublicBuckets: false,
}
```
Additional Information/Context
No response
CDK CLI Version
2.124
Framework Version
No response
Node.js Version
18
OS
Debian
Language
TypeScript
Language Version
5.3.3
Other information
Current workaround is adding

```ts
blockPublicAccess: {
  blockPublicAcls: false,
  blockPublicPolicy: false,
  ignorePublicAcls: false,
  restrictPublicBuckets: false,
}
```

but I feel that `publicReadAccess: true` should just handle the bucket level permissions fully.
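As an added example (not code from the issue and not from aws-cdk), here is a small pre-deploy check in TypeScript that mirrors the four Block Public Access flags and reports which of them conflict with `publicReadAccess: true`, producing the kind of error message the reporter asks for. It goes beyond the workaround above: of the four flags, only `blockPublicPolicy` and `restrictPublicBuckets` act on a public bucket policy, so the two ACL flags can stay on. The interface names, the helper names, and the rule that an unspecified flag counts as on are assumptions of this example; the `PUBLIC_READ_VIA_POLICY` values are what I understand CDK's `BlockPublicAccess.BLOCK_ACLS` to set, which this page does not confirm.

```typescript
// Added example, not code from the issue or from aws-cdk: a pre-deploy lint that
// mirrors the four S3 Block Public Access flags and explains which of them make a
// `publicReadAccess: true` bucket fail to deploy (or silently stay private).

// Same four keys as the CDK `blockPublicAccess` object in the issue (assumed shape).
interface BlockPublicAccessProps {
  blockPublicAcls?: boolean;
  blockPublicPolicy?: boolean;
  ignorePublicAcls?: boolean;
  restrictPublicBuckets?: boolean;
}

// Only the bucket props this check looks at (hypothetical subset of CDK's BucketProps).
interface BucketProps {
  bucketName?: string;
  publicReadAccess?: boolean;
  blockPublicAccess?: BlockPublicAccessProps;
}

// What S3 applies when nothing is specified: all four flags on. The check also
// treats an individually unspecified flag as on (conservative assumption).
const BLOCK_ALL: Required<BlockPublicAccessProps> = {
  blockPublicAcls: true,
  blockPublicPolicy: true,
  ignorePublicAcls: true,
  restrictPublicBuckets: true,
};

// Least-privilege setting for a bucket made public through its policy: public
// ACLs stay blocked, a public bucket policy is allowed. Assumed to match the
// values of CDK's BlockPublicAccess.BLOCK_ACLS.
const PUBLIC_READ_VIA_POLICY: Required<BlockPublicAccessProps> = {
  blockPublicAcls: true,
  ignorePublicAcls: true,
  blockPublicPolicy: false,
  restrictPublicBuckets: false,
};

function effectiveFlags(props: BucketProps): Required<BlockPublicAccessProps> {
  const given = props.blockPublicAccess ?? {};
  return {
    blockPublicAcls: given.blockPublicAcls ?? BLOCK_ALL.blockPublicAcls,
    blockPublicPolicy: given.blockPublicPolicy ?? BLOCK_ALL.blockPublicPolicy,
    ignorePublicAcls: given.ignorePublicAcls ?? BLOCK_ALL.ignorePublicAcls,
    restrictPublicBuckets: given.restrictPublicBuckets ?? BLOCK_ALL.restrictPublicBuckets,
  };
}

// Names the flags that conflict with publicReadAccess: true. An empty result
// means the bucket both deploys and actually serves anonymous reads.
function publicReadConflicts(props: BucketProps): string[] {
  if (!props.publicReadAccess) return [];
  const flags = effectiveFlags(props);
  const conflicts: string[] = [];
  // BlockPublicPolicy makes S3 reject PutBucketPolicy for a policy with
  // Principal "*": this is the AccessDenied the issue describes.
  if (flags.blockPublicPolicy) conflicts.push("blockPublicPolicy");
  // RestrictPublicBuckets lets the policy be written but ignores its public
  // grants, so anonymous GetObject still gets 403.
  if (flags.restrictPublicBuckets) conflicts.push("restrictPublicBuckets");
  return conflicts;
}

// The clearer error the reporter asks for; empty string when nothing is wrong.
function conflictMessage(props: BucketProps): string {
  const conflicts = publicReadConflicts(props);
  if (conflicts.length === 0) return "";
  return `publicReadAccess: true conflicts with ${conflicts.join(", ")}; ` +
    "set these to false in blockPublicAccess (the ACL flags can stay on).";
}

// The behaviour the issue asks for, done explicitly: enable publicReadAccess and
// open only the two flags a public bucket policy needs.
function withPublicReadAccess(props: BucketProps): BucketProps {
  return { ...props, publicReadAccess: true, blockPublicAccess: { ...PUBLIC_READ_VIA_POLICY } };
}

// Constructed input: the props from the issue, with no blockPublicAccess given.
const issueProps: BucketProps = { bucketName: "static-bucket", publicReadAccess: true };
console.log(conflictMessage(issueProps));                        // names both policy flags
console.log(publicReadConflicts(withPublicReadAccess(issueProps))); // []
```

Run the check over each bucket's props before `cdk deploy` (or in a unit test of the stack) so the conflict is reported at synth time instead of as an opaque AccessDenied from CloudFormation.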