(codepipeline-actions): BitBucketSourceAction requires s3:PutObjectAcl permissions #13557

Closed
akuma12 opened this issue Mar 11, 2021 · 11 comments · Fixed by #13637
Assignees
Labels
@aws-cdk/aws-codepipeline-actions @aws-cdk/aws-s3 Related to Amazon S3 bug This issue is a bug. effort/small Small work item – less than a day of effort needs-triage This issue or PR still needs to be triaged. p1

Comments

akuma12 commented Mar 11, 2021

Some time between aws-cdk 1.90.0 and 1.91.0, a bunch of s3:PutObject* permissions were changed to s3:PutObject, but that seems to have caused an issue with the codepipeline-actions.BitBucketSourceAction, leading to the error [GitHub] Upload to S3 failed with the following error: Access Denied in the Source action of a pipeline.

We're using this with GitHub as advised in #10632.

Reproduction Steps

Create a CodePipeline with the BitBucketSourceAction and a codestar-connection to a GitHub repository.

What did you expect to happen?

The source action has the necessary permissions to write to the pipeline artifact bucket.

What actually happened?

The source action failed with the error [GitHub] Upload to S3 failed with the following error: Access Denied.

Environment

  • CDK CLI Version : 1.92.0
  • Framework Version: 1.92.0
  • Node.js Version: 14.11.0
  • OS : Mac OS Catalina
  • Language (Version): Python (3.8.5)

Other

We just need to add s3:PutObjectAcl as part of the default role that is generated for a BitBucketSourceAction.


This is a 🐛 Bug Report

@akuma12 akuma12 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 11, 2021
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Mar 11, 2021
@skinny85 skinny85 added effort/small Small work item – less than a day of effort p1 labels Mar 11, 2021
@skinny85 (Contributor) commented

Hi @akuma12 ,

that permission was actually changed in release 1.85.0, so it shouldn't be a problem when migrating from 1.90.0 to 1.92.0.

Can you check whether going back to 1.90.0 fixes the issue? What is the output of cdk diff for the Pipeline Stack between those 2 versions?

Thanks,
Adam

@skinny85 skinny85 added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 11, 2021
akuma12 (Author) commented Mar 11, 2021

I wasn't sure which change modified the role permissions, but I saw a bunch of removals of s3:PutObject* when comparing 1.90.0 and 1.91.0, so I had assumed that's where it happened. What's crazy is that we've never run into this issue before now, and we've been on at least 1.88.0 for quite a while because of the newStyleStackSynthesis update. I'm not certain what brought this on now.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 12, 2021
Kruspe (Contributor) commented Mar 12, 2021

We are facing the same issue, and at the moment we are using this workaround: #12391 (comment).
Recreating the bucket did not solve the problem for us.

akuma12 (Author) commented Mar 12, 2021

I guess it would have helped if I'd read the instructions:
Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the @aws-cdk/aws-s3:grantWriteWithoutAcl feature flag is set to true in the context key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the {@link grantPutAcl} method.

It looks like cdk init is putting "@aws-cdk/aws-s3:grantWriteWithoutAcl": "true" in the cdk.json file by default, which is what caused the issue. I set it to "false" and it put the s3:PutObject* permission back in the policy. I imagine this was an unintended side-effect, but I wonder if anything can be done with the BitBucketSourceAction construct to add s3:PutObjectAcl to the policy so others don't have to bang their heads against a desk ;)
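To make the effect of that flag concrete, here is an added example (not code from the aws-cdk project or from anyone in this thread) that scans a synthesized template for IAM policies still granting s3:PutObjectAcl, using IAM's wildcard action matching. The template is a constructed stand-in for cdk synth output, and the resource names in it are assumptions.

```python
import json
import re

# Constructed stand-in for two AWS::IAM::Policy resources as they would appear in
# `cdk synth` output (not real aws-cdk output): the pre-1.85 grantWrite() shape
# (s3:PutObject*) and the shape produced once the
# @aws-cdk/aws-s3:grantWriteWithoutAcl flag is true (plain s3:PutObject).
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "OldStylePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["s3:GetObject*", "s3:PutObject*", "s3:Abort*"]}]},
        "Roles": [{"Ref": "SourceRole"}]}},
    "NewStylePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["s3:GetObject*", "s3:PutObject", "s3:Abort*"]}]},
        "Roles": [{"Ref": "SourceRole"}]}},
}})


def action_matches(pattern, action):
    """IAM-style action matching: case-insensitive, '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def grants_action(policy_doc, wanted):
    """True if any Allow statement in the policy document covers `wanted`."""
    stmts = policy_doc.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(action_matches(pattern, wanted) for pattern in actions):
            return True
    return False


def policies_granting(template_json, action):
    """Logical IDs of AWS::IAM::Policy resources whose document grants `action`."""
    template = json.loads(template_json)
    return [
        logical_id
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Policy"
        and grants_action(res.get("Properties", {}).get("PolicyDocument", {}), action)
    ]


if __name__ == "__main__":
    # The source action needs s3:PutObjectAcl; only the old-style policy still grants it.
    print(policies_granting(SAMPLE_TEMPLATE, "s3:PutObjectAcl"))  # ['OldStylePolicy']
```

Pointing policies_granting at a real cdk.out template shows at a glance whether the role of a source action lost s3:PutObjectAcl when the flag was flipped.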

@skinny85 (Contributor) commented

@akuma12 yes, BitBucketSourceAction should have a call to bucket.grantPutAcl() inside of it here, so that this problem no longer happens 🙂.

Any chance of a PR fixing this? Here's our "Contributing" guide: https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md.

BLasan (Contributor) commented Mar 12, 2021

@skinny85 Can I work on this?

@skinny85 (Contributor) commented

@BLasan go ahead 🙂

@panamclipper commented

Hi @skinny85
Sorry to bug you, but is there a way that I can fix this problem within my stack at the moment, as a workaround? I'm not sure exactly how I go about adding that bucket permission onto the pipeline construct.

@skinny85 (Contributor) commented

Yes @panamclipper, something like this:

import * as iam from '@aws-cdk/aws-iam';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';

// give the source action an explicit role, so we can attach extra permissions to it
const sourceRole = new iam.Role(this, 'SourceRole', {
  assumedBy: new iam.AccountRootPrincipal(),
});

new codepipeline_actions.BitBucketSourceAction({
  // ... (actionName, owner, repo, connectionArn, output, etc.)
  role: sourceRole,
});

// add the extra permissions: s3:PutObjectAcl on the pipeline's artifact bucket
// (artifactBucket is pipeline.artifactBucket of the CodePipeline using this action)
artifactBucket.grantPutAcl(sourceRole);

@mergify mergify bot closed this as completed in #13637 Mar 22, 2021
mergify bot pushed a commit that referenced this issue Mar 22, 2021
…ed" error (#13637)

Previously, access control lists for putObject were not called.
This led to an access denied issue when trying to upload
objects into the s3 bucket.

fixes #13557 


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions (bot) commented

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

nija-at pushed a commit that referenced this issue Mar 23, 2021
eladb pushed a commit that referenced this issue Mar 24, 2021
hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Mar 24, 2021
@panamclipper commented

@skinny85 Sorry for the late response. That solution worked perfectly! Thank you!

hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021