aws-s3: grantPut not working as advertised #13616

Closed
@PhilKershaw

Description

The grantPut method documentation reads:

Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Reproduction Steps

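import * as lambda from "@aws-cdk/aws-lambda";
import * as s3 from "@aws-cdk/aws-s3";
const fn = new lambda.Function(this, "FunkyTown", {...});
const bucket = new s3.Bucket(this, "AWholeLotOfBucket");
// Grant the Lambda's execution role write access to the bucket
bucket.grantPut(fn);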

What did you expect to happen?

To add action s3:PutObject* thus:

Action:
  - s3:PutObject*
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

What actually happened?

Action:
  - s3:PutObject
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

Environment

  • CDK CLI Version: 1.93.0
  • Framework Version: 1.93.0
  • Node.js Version: v14.16.0
  • OS: Amazon Linux release 2 (Karoo)
  • Language (Version): 3.9.9

Other

Link to docs: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html#grantwbrputidentity-objectskeypattern
Link to original PR: #591


This is 🐛 Bug Report

Activity

added the bug and needs-triage labels on Mar 16, 2021

iliapolo (Contributor) commented on Mar 16, 2021

@PhilKershaw Thanks. Yes we recently changed this behavior. We'll fix the docs.

added the documentation and effort/small labels and removed the needs-triage and bug labels on Mar 16, 2021

PhilKershaw (Author) commented on Mar 16, 2021

Ah, I was actually hoping for the code to be aligned to the docs. Otherwise, there's no other convenient way to grant PutObjectTagging or any other PutObject* action.

iliapolo (Contributor) commented on Mar 16, 2021

@PhilKershaw We decided against using * because it winds up granting PutObjectAcl - which is undesirable in most cases.

You can have a look at this PR for more context.
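
An added example (not from the issue thread or the aws-cdk code base) that expands the two statements from the issue against a subset of S3 write actions, showing which ACL-changing actions the `s3:PutObject*` wildcard reaches. The helper names, the sample statements and the explicit tagging statement are assumptions made for illustration.

```typescript
// Real S3 IAM action names; a subset chosen for this issue, not the full S3 list.
const S3_WRITE_ACTIONS: string[] = [
  "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
  "s3:PutObjectTagging", "s3:PutObjectVersionTagging",
  "s3:PutObjectLegalHold", "s3:PutObjectRetention", "s3:AbortMultipartUpload",
];

// Actions that rewrite object ACLs: what the thread says the wildcard ends up granting.
const ACL_ACTIONS: string[] = ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"];

interface PolicyStatement {
  Effect: string;
  Action: string | string[];
}

// IAM action patterns are case-insensitive; "*" matches any run, "?" one character.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, "i").test(action);
}

// Expand an Allow statement's action patterns against the known action list.
function expandActions(stmt: PolicyStatement): string[] {
  if (stmt.Effect !== "Allow") return [];
  const patterns = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  return S3_WRITE_ACTIONS.filter((a) => patterns.some((p) => actionMatches(p, a)));
}

// ACL-changing actions a statement grants, whether named or reached by wildcard.
function aclActionsGranted(stmt: PolicyStatement): string[] {
  return expandActions(stmt).filter((a) => ACL_ACTIONS.indexOf(a) !== -1);
}

// Constructed samples: the statement the issue expected, the one it reports as
// actually synthesized, and an explicit statement that adds tagging only.
const wildcardStmt: PolicyStatement = { Effect: "Allow", Action: ["s3:PutObject*", "s3:Abort*"] };
const emittedStmt: PolicyStatement = { Effect: "Allow", Action: ["s3:PutObject", "s3:Abort*"] };
const explicitStmt: PolicyStatement = {
  Effect: "Allow",
  Action: ["s3:PutObject", "s3:PutObjectTagging", "s3:Abort*"],
};

console.log(aclActionsGranted(wildcardStmt), aclActionsGranted(emittedStmt), aclActionsGranted(explicitStmt));
```

The same expansion can be run over the statements in a synthesized template to catch a wildcard that reaches ACL actions before deployment.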

PhilKershaw (Author) commented on Mar 16, 2021

In which case it would be nice to have convenient methods for Tagging etc. for PutObject like PutObjectAcl - are they on the roadmap? In the meantime, I'll stop being lazy and write the proper policies.

iliapolo (Contributor) commented on Mar 16, 2021

We don't currently have a request for those policies. But you are welcome to be the first to make it :)

removed their assignment
on Jun 27, 2021

Labels: @aws-cdk/aws-s3, documentation, effort/small, p2

Participants: @demauk, @PhilKershaw, @iliapolo, @flavioleggio
