Skip to content

fix(s3): publicReadAccess causes deployment failure due to access denied 403#29632

Merged
mergify[bot] merged 5 commits intomainfrom
yuanhaoz/s3_allow_public_access
May 28, 2024
Merged

fix(s3): publicReadAccess causes deployment failure due to access denied 403#29632
mergify[bot] merged 5 commits intomainfrom
yuanhaoz/s3_allow_public_access

Conversation

@GavinZZ
Copy link
Copy Markdown
Member

@GavinZZ GavinZZ commented Mar 27, 2024
edited
Loading

Issue # (if applicable)

Closes #29564

Reason for this change

if you make a new s3 bucket

const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})

While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

Description of changes

When users only enable publicReadAccess without configuring blockPublicAccess to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis.

We do not want to directly disable blockPublicAccess as it feels like a weird behaviour.

Description of how you validated changes

New unit tests and updated integ tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Mar 27, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team March 27, 2024 21:24
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 27, 2024
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 27, 2024
TheRealAmazonKendra
TheRealAmazonKendra previously requested changes Mar 28, 2024
View reviewed changes
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 28, 2024
This was referenced Apr 1, 2024
Closed
Closed
@GavinZZ GavinZZ closed this May 10, 2024
@GavinZZ GavinZZ reopened this May 14, 2024
@GavinZZ GavinZZ added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label May 14, 2024
aaythapa
aaythapa reviewed May 28, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@aaythapa aaythapa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tiny comment

@GavinZZ @aaythapa
Update packages/aws-cdk-lib/aws-s3/test/bucket.test.ts
f5aea05 
Co-authored-by: Aayush thapa <84202325+aaythapa@users.noreply.github.com>
@GavinZZ GavinZZ dismissed TheRealAmazonKendra’s stale review May 28, 2024 20:50

Feedback addressed.

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented May 28, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7f82cb5
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 4bf6fad into main May 28, 2024
@mergify mergify bot deleted the yuanhaoz/s3_allow_public_access branch May 28, 2024 21:19
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented May 28, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

rj-au
rj-au reviewed Jun 3, 2024
View reviewed changes
packages/aws-cdk-lib/aws-s3/lib/bucket.ts

if (props.publicReadAccess) {
if (props.blockPublicAccess === undefined) {
throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAceess\' property.');
Copy link
Copy Markdown

@rj-au rj-au Jun 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GavinZZ
typo: blockPublicAceess -> blockPublicAccess (Aceess has 'ee' and missing a 'c')

vdahlberg pushed a commit to vdahlberg/aws-cdk that referenced this pull request Jun 10, 2024
@GavinZZ
fix(s3): publicReadAccess causes deployment failure due to access den…
43381bc 
…ied 403 (aws#29632)

### Issue # (if applicable)

Closes aws#29564

### Reason for this change

if you make a new s3 bucket
```
const staticBucket = new aws_s3.Bucket(s3Stack, `static-Bucket`, {
    bucketName: `static-bucket`,
    publicReadAccess: true,
})
```
While this is fine code and you can deploy it will fail in the middle with a generic access denied error not telling you what stopped it even if you are full admin. This happens due to the default deny all public access rule.

### Description of changes

When users only enable `publicReadAccess` without configuring `blockPublicAccess` to disable it, we will raise an exception and throw an more appropriate error message for easier diagnosis. 

We do not want to directly disable `blockPublicAccess` as it feels like a weird behaviour.

### Description of how you validated changes

New unit tests and updated integ tests

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@NOUIY NOUIY mentioned this pull request Jun 22, 2024
Open
@kazimanzurrashid kazimanzurrashid mentioned this pull request Jun 29, 2024
Open
This was referenced Jun 29, 2024
Open
Open
This was referenced Jul 12, 2024
Open
Open
This was referenced Jul 19, 2024
Open
Open
@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Jul 25, 2024

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@TheRealAmazonKendra TheRealAmazonKendra Awaiting requested review from TheRealAmazonKendra

2 more reviewers

@rj-au rj-au rj-au left review comments

@aaythapa aaythapa aaythapa approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-cdk: S3 set publicReadAccess: true, fails deploy because of default deny public access policy

5 participants

@GavinZZ @aws-cdk-automation @TheRealAmazonKendra @aaythapa @rj-au