aws-s3: Bucket.grantRead() doesn't work #32797

Open
garysassano opened this issue Jan 8, 2025 · 2 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments

@garysassano

garysassano commented Jan 8, 2025

Describe the bug

The Bucket.grantRead() method doesn't add any policy to the S3 bucket.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

see above.

Current Behavior

see above.

Reproduction Steps

import { RemovalPolicy } from "aws-cdk-lib";
import { Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { Bucket } from "aws-cdk-lib/aws-s3";

// Bucket with autoDeleteObjects, which makes CDK attach its own
// bucket policy statement for the auto-delete custom resource.
const configBucket = new Bucket(this, "ConfigBucket", {
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
});

// Instance role assumed by App Runner tasks.
const instanceRole = new Role(this, "AppRunnerInstanceRole", {
  assumedBy: new ServicePrincipal("tasks.apprunner.amazonaws.com"),
});

// Grant the role read access to the bucket.
configBucket.grantRead(instanceRole);

The resulting bucket policy of configBucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXXXX:role/cdk-aws-apprunner-dev-CustomS3AutoDeleteObjectsCust-pjNpAHyW1OjH"
            },
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*"
            ],
            "Resource": [
                "arn:aws:s3:::cdk-aws-apprunner-dev-otelconfigbucketd98a94f8-wjndkbeqsonm",
                "arn:aws:s3:::cdk-aws-apprunner-dev-otelconfigbucketd98a94f8-wjndkbeqsonm/*"
            ]
        }
    ]
}

Possible Solution

Use this instead:

import { PolicyStatement } from "aws-cdk-lib/aws-iam";

// Grant object reads through the bucket (resource) policy instead.
configBucket.addToResourcePolicy(
  new PolicyStatement({
    actions: ["s3:GetObject"],
    resources: [configBucket.arnForObjects("*")],
    principals: [instanceRole],
  }),
);

Additional Information/Context

No response

CDK CLI Version

2.174.1

Framework Version

No response

Node.js Version

22.12.0

OS

Ubuntu 24.04.1

Language

TypeScript

Language Version

No response

Other information

Similar issue: #31358

@garysassano garysassano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 8, 2025
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Jan 8, 2025
@pahud pahud self-assigned this Jan 8, 2025
@pahud
Contributor

pahud commented Jan 8, 2025

grantRead under the hood creates addToPrincipalOrResource, which means that when an identity policy is added, a resource policy would not be added. You will need to manually call addToResourcePolicy() if you need a bucket policy as well.

Are you expecting that both identity and resource policies should be added whenever possible when using grantRead()? If yes, can you share your thoughts on this?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 8, 2025
@pahud pahud removed their assignment Jan 8, 2025
@pahud pahud added the effort/medium Medium work item – several days of effort label Jan 8, 2025
@garysassano
Author

This behavior seems counterintuitive to me. The grantRead() method feels like the most straightforward and idiomatic way to provide read access to a role. However, when using the autoDeleteObjects property on the bucket, this method becomes ineffective. Users shouldn't need to understand the underlying implementation details or adjust their approach based on them; doing so results in a poor developer experience.

Honestly, it feels simpler to rely solely on addToResourcePolicy() and disregard the existence of grant methods altogether.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 8, 2025
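A way to check where grantRead() actually put the permission, following pahud's explanation above: this added TypeScript example (not code from the issue or from aws-cdk) walks a synthesized CloudFormation template and reports whether the role's access to a given S3 action comes from its identity policy, from the bucket policy, or neither. The `template` object is a constructed, trimmed stand-in for `cdk synth` output of the reporter's stack; its logical IDs and the action list are assumptions.

```typescript
// Added example (not from the issue or aws-cdk): locate where a grant landed in a synthesized
// CloudFormation template. `template` is a constructed, trimmed stand-in for the reporter's stack.
type Stmt = { Effect: string; Action: string | string[]; Resource?: any; Principal?: any };
const bucketArn = { "Fn::GetAtt": ["ConfigBucket", "Arn"] };
const objectsArn = { "Fn::Join": ["", [bucketArn, "/*"]] };
const template: any = { Resources: {
  AppRunnerInstanceRoleDefaultPolicy: {   // written by grantRead(): identity policy on the role
    Type: "AWS::IAM::Policy",
    Properties: { Roles: [{ Ref: "AppRunnerInstanceRole" }], PolicyDocument: { Statement: [
      { Effect: "Allow", Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
        Resource: [bucketArn, objectsArn] } ] } },
  },
  ConfigBucketPolicy: {                   // written by autoDeleteObjects: the only bucket policy
    Type: "AWS::S3::BucketPolicy",
    Properties: { Bucket: { Ref: "ConfigBucket" }, PolicyDocument: { Statement: [
      { Effect: "Allow", Principal: { AWS: { "Fn::GetAtt": ["CustomS3AutoDeleteObjectsRole", "Arn"] } },
        Action: ["s3:PutBucketPolicy", "s3:GetBucket*", "s3:List*", "s3:DeleteObject*"],
        Resource: [bucketArn, objectsArn] } ] } },
  },
} };

// IAM action patterns are case-insensitive globs: "s3:GetObject*" covers "s3:GetObject".
const actionMatches = (pattern: string, action: string): boolean =>
  new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i").test(action);
const allows = (stmts: Stmt[], action: string): boolean =>
  stmts.some(s => s.Effect === "Allow" && ([] as string[]).concat(s.Action).some(a => actionMatches(a, action)));
const resources = (tpl: any): any[] => Object.keys(tpl.Resources).map(k => tpl.Resources[k]);

// Identity-policy statements attached to the role (AWS::IAM::Policy resources listing it).
function identityStatements(tpl: any, roleId: string): Stmt[] {
  return resources(tpl)
    .filter((r: any) => r.Type === "AWS::IAM::Policy" && (r.Properties.Roles ?? []).some((x: any) => x.Ref === roleId))
    .reduce((acc: Stmt[], r: any) => acc.concat(r.Properties.PolicyDocument.Statement), []);
}
// Bucket-policy statements whose Principal refers to the role.
function resourceStatements(tpl: any, bucketId: string, roleId: string): Stmt[] {
  return resources(tpl)
    .filter((r: any) => r.Type === "AWS::S3::BucketPolicy" && r.Properties.Bucket.Ref === bucketId)
    .reduce((acc: Stmt[], r: any) => acc.concat(r.Properties.PolicyDocument.Statement), [])
    .filter((s: Stmt) => JSON.stringify(s.Principal ?? {}).includes(roleId));
}
// Same-account access needs an Allow in either policy (explicit Deny is not modelled here).
function whereGranted(tpl: any, bucketId: string, roleId: string, action: string) {
  const identity = allows(identityStatements(tpl, roleId), action);
  const resource = allows(resourceStatements(tpl, bucketId, roleId), action);
  return { identity, resource, effective: identity || resource };
}
```

For the reporter's stack this reports the read grant as present in the role's identity policy and absent from the bucket policy, which is what pahud's comment describes.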