
(pipelines): (ArtifactsBucketB94BC086 missing Allow Policy on cross-region deployments) #28187

Closed
nonken opened this issue Nov 29, 2023 · 2 comments
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@nonken
Contributor

nonken commented Nov 29, 2023

Describe the bug

  1. I have a pipeline deployed into us-east-1
  2. The pipeline deploys a stage into eu-west-2

When synthesizing the pipeline CloudFormation template, I am getting the following policy:

{
  "ServiceApiPipelineArtifactsBucketPolicyD1CACCB2": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
      "Bucket": {
        "Ref": "ServiceApiPipelineArtifactsBucketB94BC086"
      },
      "PolicyDocument": {
        "Statement": [
          {
            "Action": "s3:*",
            "Condition": {
              "Bool": {
                "aws:SecureTransport": "false"
              }
            },
            "Effect": "Deny",
            "Principal": {
              "AWS": "*"
            },
            "Resource": [
              {
                "Fn::GetAtt": [
                  "ServiceApiPipelineArtifactsBucketB94BC086",
                  "Arn"
                ]
              },
              {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "ServiceApiPipelineArtifactsBucketB94BC086",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            ]
          }
        ],
        "Version": "2012-10-17"
      }
    }
  }

This policy only denies access and subsequently the prepare step fails with an S3 403 error.

When I add another stage in the same region as the pipeline (us-east-1), then I get the correct policy:

{
  "ServiceApiPipelineArtifactsBucketPolicyD1CACCB2": {
    "Type": "AWS::S3::BucketPolicy",
    "Properties": {
      "Bucket": {
        "Ref": "ServiceApiPipelineArtifactsBucketB94BC086"
      },
      "PolicyDocument": {
        "Statement": [
          {
            "Action": "s3:*",
            "Condition": {
              "Bool": {
                "aws:SecureTransport": "false"
              }
            },
            "Effect": "Deny",
            "Principal": {
              "AWS": "*"
            },
            "Resource": [
              {
                "Fn::GetAtt": [
                  "ServiceApiPipelineArtifactsBucketB94BC086",
                  "Arn"
                ]
              },
              {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "ServiceApiPipelineArtifactsBucketB94BC086",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            ]
          },
          {
            "Action": [
              "s3:GetBucket*",
              "s3:GetObject*",
              "s3:List*"
            ],
            "Effect": "Allow",
            "Principal": {
              "AWS": {
                "Fn::Join": [
                  "",
                  [
                    "arn:",
                    {
                      "Ref": "AWS::Partition"
                    },
                    ":iam::ACCOUNT_ID:role/cdk-hnb659fds-deploy-role-ACCOUNT_ID-us-east-1"
                  ]
                ]
              }
            },
            "Resource": [
              {
                "Fn::GetAtt": [
                  "ServiceApiPipelineArtifactsBucketB94BC086",
                  "Arn"
                ]
              },
              {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "ServiceApiPipelineArtifactsBucketB94BC086",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            ]
          }
        ],
        "Version": "2012-10-17"
      }
    }
  }

Expected Behavior

I would expect the policy to allow accessing S3 also when just deploying into one other region.

Current Behavior

See above.

Reproduction Steps

See above.

Possible Solution

No response

Additional Information/Context

I tried this with the latest version of the CDK as well to no success.

CDK CLI Version

2.102.0

Framework Version

No response

Node.js Version

18.16

OS

OSX

Language

TypeScript

Language Version

No response

Other information

No response
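The failure mode described in this report (a bucket policy that carries only the `aws:SecureTransport` Deny and no Allow for a deploy role, so the first cross-region read gets a 403) can be caught right after `cdk synth`, before anything is deployed. The following is an added example and is not code from the issue or from the aws-cdk project: it walks a CloudFormation template, finds every `AWS::S3::BucketPolicy`, renders `Ref`/`Fn::GetAtt`/`Fn::Join` principals into comparable strings, and reports whether some Allow statement grants the read actions to a principal whose ARN contains a given role-name fragment. The two embedded templates are constructed to mirror the Deny-only and Deny+Allow policies shown above (logical IDs shortened); the set of required read actions, the `checkBucketPolicies` name and the use of the default `cdk-hnb659fds-deploy-role` name fragment as the thing to look for are this example's own assumptions, not something the CDK guarantees.

```typescript
// Added example, not code from the issue or from the aws-cdk project.
// Post-`cdk synth` check: does each S3 bucket policy in a template grant
// artifact read access to some CDK deploy role, or is it Deny-only?

type Statement = {
  Effect: string;
  Action: string | string[];
  Principal?: string | { AWS?: unknown };
  Condition?: unknown;
  Resource?: unknown;
};
type Template = { Resources: { [logicalId: string]: { Type: string; Properties: any } } };

/** Render CloudFormation intrinsics into a comparable string:
 *  Ref -> ${Id}, Fn::GetAtt -> ${Id.Attr}, Fn::Join -> the joined parts. */
export function renderIntrinsic(value: unknown): string {
  if (typeof value === "string") return value;
  if (value !== null && typeof value === "object" && !Array.isArray(value)) {
    const obj = value as { [key: string]: unknown };
    if ("Ref" in obj) return "${" + String(obj["Ref"]) + "}";
    if ("Fn::GetAtt" in obj) {
      const [id, attr] = obj["Fn::GetAtt"] as [string, string];
      return "${" + id + "." + attr + "}";
    }
    if ("Fn::Join" in obj) {
      const [sep, parts] = obj["Fn::Join"] as [string, unknown[]];
      return parts.map(renderIntrinsic).join(sep);
    }
  }
  throw new Error("unsupported value: " + JSON.stringify(value));
}

/** IAM-style wildcard match: pattern "s3:GetObject*" matches "s3:GetObject". */
export function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.split("*").map(p => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$", "i").test(action);
}

const toList = (v: unknown): unknown[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

/** Principals to which some Allow statement grants every action in `required`.
 *  Deny statements are ignored: they never grant anything. */
export function principalsAllowed(doc: { Statement: Statement[] }, required: string[]): string[] {
  const out: string[] = [];
  for (const st of doc.Statement) {
    if (st.Effect !== "Allow" || st.Principal === undefined) continue;
    const actions = toList(st.Action) as string[];
    if (!required.every(r => actions.some(a => actionMatches(a, r)))) continue;
    const aws = typeof st.Principal === "string" ? st.Principal : st.Principal.AWS;
    for (const p of toList(aws)) out.push(renderIntrinsic(p));
  }
  return out;
}

// Assumption of this example: what a pipeline action needs to fetch an artifact.
export const REQUIRED_READ_ACTIONS = ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"];

/** For every AWS::S3::BucketPolicy: who may read, and whether any such principal's
 *  ARN contains `rolePattern` (e.g. the bootstrap deploy-role name fragment). */
export function checkBucketPolicies(template: Template, rolePattern: string) {
  return Object.keys(template.Resources)
    .filter(id => template.Resources[id].Type === "AWS::S3::BucketPolicy")
    .map(id => {
      const readers = principalsAllowed(template.Resources[id].Properties.PolicyDocument, REQUIRED_READ_ACTIONS);
      return { logicalId: id, readers, ok: readers.some(p => p.indexOf(rolePattern) !== -1) };
    });
}

// Constructed sample templates mirroring the two policies in the issue (IDs shortened).
const bucketArn = { "Fn::GetAtt": ["ArtifactsBucketB94BC086", "Arn"] };
const denyStmt: Statement = {
  Action: "s3:*",
  Condition: { Bool: { "aws:SecureTransport": "false" } },
  Effect: "Deny",
  Principal: { AWS: "*" },
  Resource: [bucketArn, { "Fn::Join": ["", [bucketArn, "/*"]] }],
};
const allowStmt: Statement = {
  Action: ["s3:GetBucket*", "s3:GetObject*", "s3:List*"],
  Effect: "Allow",
  Principal: { AWS: { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" },
    ":iam::ACCOUNT_ID:role/cdk-hnb659fds-deploy-role-ACCOUNT_ID-us-east-1"]] } },
  Resource: [bucketArn, { "Fn::Join": ["", [bucketArn, "/*"]] }],
};
const bucketPolicy = (stmts: Statement[]) => ({
  Type: "AWS::S3::BucketPolicy",
  Properties: { Bucket: { Ref: "ArtifactsBucketB94BC086" }, PolicyDocument: { Version: "2012-10-17", Statement: stmts } },
});
export const denyOnlyTemplate: Template = { Resources: { ArtifactsBucketPolicy: bucketPolicy([denyStmt]) } };
export const fixedTemplate: Template = { Resources: { ArtifactsBucketPolicy: bucketPolicy([denyStmt, allowStmt]) } };

// Stand-alone run: one line per bucket policy per template.
const samples: Array<[string, Template]> = [["deny-only", denyOnlyTemplate], ["with-allow", fixedTemplate]];
for (const [name, t] of samples) {
  for (const r of checkBucketPolicies(t, "cdk-hnb659fds-deploy-role")) {
    console.log(name + " " + r.logicalId + ": " + (r.ok ? "OK" : "MISSING Allow") + " readers=" + JSON.stringify(r.readers));
  }
}
```

Run it against the JSON that `cdk synth` writes under `cdk.out/` (after `JSON.parse`) instead of the embedded samples; a `MISSING Allow` line for the artifacts bucket is the synth-time signature of the 403 this issue describes. The principal renderer deliberately leaves `${AWS::Partition}` unresolved so the check does not need to know the partition or account at synth time.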

@nonken nonken added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 29, 2023
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Nov 29, 2023
@nonken
Contributor Author

nonken commented Nov 30, 2023

@nonken nonken closed this as completed Nov 30, 2023
