
fix(s3): grantRead does not allow s3:HeadObject #27416

Merged
merged 3 commits into from
Oct 11, 2023
Merged

Conversation

lpizzinidev
Contributor

Fixes the policy enforced by grantRead to allow operations that require reading an object's metadata, for example:

import boto3
bucket, key, filepath = "example-bucket", "path/to/object", "/tmp/object"  # placeholder values
s3 = boto3.client("s3")
# this operation requires s3:HeadObject permission
s3.download_file(bucket, key, filepath)

Closes #27389.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 5, 2023 14:16
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 5, 2023
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev lpizzinidev changed the title fix(s3): grantRead allow s3:HeadObject fix(s3): grantRead does not allow s3:HeadObject Oct 6, 2023
@lpizzinidev lpizzinidev force-pushed the gh-27389 branch 3 times, most recently from 6f0a25d to bc06577 Compare October 6, 2023 13:01
@lpizzinidev
Contributor Author

Exemption Request.
The bucket.grantRead function already has extensive coverage in both unit and functional tests.

@aws-cdk-automation aws-cdk-automation added pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 6, 2023
Contributor

@tmokmss tmokmss left a comment


Thank you!

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 10, 2023
@vinayak-kukreja vinayak-kukreja added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Oct 11, 2023
Contributor

@vinayak-kukreja vinayak-kukreja left a comment


Thank you for your contribution. And, thank you @tmokmss for reviewing the PR. :)

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 11, 2023 00:04

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@mergify mergify bot dismissed vinayak-kukreja’s stale review October 11, 2023 00:04

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@mergify
Contributor

mergify bot commented Oct 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c2e7a2e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit beac675 into aws:main Oct 11, 2023
@mergify
Contributor

mergify bot commented Oct 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@sixcorners

Is HeadObject a real action? I think the IAM console seems to see s3:HeadObject as an unrecognized action. Unless I messed something up.

@lpizzinidev
Contributor Author

@sixcorners
It seems you're right.
[Screenshot 2023-10-12 at 08:15:09]
@tmokmss Thoughts?

@tmokmss
Contributor

tmokmss commented Oct 12, 2023

@lpizzinidev @sixcorners Hmm, I confirmed that you are right. There's no action named s3:HeadObject (source) and HeadObject API succeeds if GetObject is allowed. So I misunderstood that the 403 error I was getting with the HeadObject was due to lack of IAM permission, but in fact it was because the object with the specified key did not exist and listBucket action was not allowed (source). Sorry for me jumping to a wrong conclusion 🙏 (I believe it's at least not a huge problem because deployment succeeds anyway, isn't it?)

I think we should revert this change. Maybe we can discuss if we should allow listBucket as well, but that's a completely different issue...

@lpizzinidev
Contributor Author

@tmokmss Agree.
@vinayak-kukreja This PR should be reverted as it is adding an unrecognized action to the policy.
@sixcorners Thanks for the feedback! 💪

@zxkane
Contributor

zxkane commented Oct 16, 2023

The unrecognized s3:HeadObject will break the cfn-lint scan.
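The two findings in this thread, that s3:HeadObject is not an IAM action and that the HeadObject API is authorized by s3:GetObject, can be checked mechanically against a synthesized policy. The following is an added example, not code from the PR or from aws-cdk; it assumes grantRead emits the wildcard actions shown in the constructed policy, and its list of known S3 actions is a deliberately small subset (a real scan such as cfn-lint uses the full published list).

```python
import fnmatch

# Assumption: a small subset of real S3 IAM actions, enough for this example.
KNOWN_S3_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectTagging",
    "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:ListBucket", "s3:ListBucketVersions", "s3:ListAllMyBuckets",
    "s3:PutObject", "s3:DeleteObject",
}

# Which IAM action each S3 API operation actually requires. HeadObject is
# authorized by s3:GetObject, as the thread confirmed; there is no s3:HeadObject.
API_TO_ACTION = {
    "GetObject": "s3:GetObject",
    "HeadObject": "s3:GetObject",
    "ListObjectsV2": "s3:ListBucket",
    "PutObject": "s3:PutObject",
}

def policy_actions(policy):
    """Flatten every Action entry across the Allow statements of a policy document."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions

def unrecognized_actions(policy):
    """Actions (literal or wildcard) that match no known S3 action. This is the
    kind of check that flags s3:HeadObject in a linter scan."""
    return [act for act in policy_actions(policy)
            if not any(fnmatch.fnmatchcase(known, act) for known in KNOWN_S3_ACTIONS)]

def api_allowed(policy, api_op):
    """Would this API call be authorized by the policy's Allow actions?"""
    required = API_TO_ACTION[api_op]
    return any(fnmatch.fnmatchcase(required, act) for act in policy_actions(policy))

# Constructed policy: the assumed grantRead wildcards plus the action this PR added.
GRANT_READ_WITH_HEAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*", "s3:HeadObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

if __name__ == "__main__":
    print(unrecognized_actions(GRANT_READ_WITH_HEAD))      # ['s3:HeadObject']
    print(api_allowed(GRANT_READ_WITH_HEAD, "HeadObject"))  # True, via s3:GetObject*
```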

kaizencc added a commit that referenced this pull request Oct 16, 2023
mergify bot pushed a commit that referenced this pull request Oct 16, 2023
…27556)

This reverts commit beac675.

Comments on #27416 demonstrate that the PR was created due to a misunderstanding of an error message.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
MrArnoldPalmer pushed a commit that referenced this pull request Oct 16, 2023
Successfully merging this pull request may close these issues.

s3: bucket.grantRead does not allow s3:HeadObject