Daniel Gato
01/24/2022, 9:40 AM
upload failed: ../../tmp/tmpt2vmrmzx/contents/file.txt to s3://dg-imac-xxx-storage-bucket970c6ada-1gfwpc3jg5cbd/public/demo/file.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
I’m using
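// Deploy the *.txt files from ./src/deployments/demo/ under the public/demo/ prefix.
new s3deploy.BucketDeployment(this, 'DeployDemoXxx', {
  sources: [s3deploy.Source.asset('./src/deployments/demo/')],
  // Exclude everything from the sync, then re-include only *.txt.
  exclude: ['*'],
  include: ['*.txt'],
  destinationKeyPrefix: 'public/demo/',
  destinationBucket: bucket.s3Bucket,
  // Uploads every object with the public-read canned ACL, so each deployed file
  // is readable by anyone. An upload that sets an ACL needs s3:PutObjectAcl on
  // the destination bucket in addition to s3:PutObject; when the deployment
  // handler's role lacks it, PutObject is rejected with AccessDenied.
  accessControl: 'PublicRead',
  // MIME types are written type/subtype: 'text/plain', not 'plain/text'.
  contentType: 'text/plain',
});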
Could that be because of the upgrade to CDK v2, perhaps?
Frank
Frank
Run `sst build`, and then open up the template.json inside `.build/cdk.out`. Do you see an AWS::IAM::Role resource with s3:PutObject permission?
Daniel Gato
01/25/2022, 8:02 AMDaniel Gato
01/25/2022, 8:08 AM
{
"Resources": {
"SSTMetadata": {
"Type": "AWS::CDK::Metadata",
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/SSTMetadata",
"sst:version": "0.59.1",
"sst:constructs": []
}
},
"DeployDemoJsonAwsCliLayerD7448C3D": {
"Type": "AWS::Lambda::LayerVersion",
"Properties": {
"Content": {
"S3Bucket": "cdk-hnb659fds-assets-855659027122-eu-north-1",
"S3Key": "e9882ab123687399f934da0d45effe675ecc8ce13b40cb946f3e1d6141fe8d68.zip"
},
"Description": "/opt/awscli/aws"
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/DeployDemoJson/AwsCliLayer/Resource",
"aws:asset:path": "asset.e9882ab123687399f934da0d45effe675ecc8ce13b40cb946f3e1d6141fe8d68.zip",
"aws:asset:is-bundled": false,
"aws:asset:property": "Content"
}
},
"DeployDemoJsonCustomResourceC4D96F0E": {
"Type": "Custom::CDKBucketDeployment",
"Properties": {
"ServiceToken": {
"Fn::GetAtt": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536",
"Arn"
]
},
"SourceBucketNames": [
"cdk-hnb659fds-assets-855659027122-eu-north-1"
],
"SourceObjectKeys": [
"b7e8017cf854483f67d12a7dd9d84f74031409618e8596e279f00cab575b18f5.zip"
],
"DestinationBucketName": {
"Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputRefModelsBucket970C6ADACD092BA1"
},
"DestinationBucketKeyPrefix": "public/demo/",
"Prune": true,
"Exclude": [
"*"
],
"Include": [
"*.json"
],
"SystemMetadata": {
"content-type": "application/json",
"acl": "public-read"
}
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/DeployDemoJson/CustomResource/Default"
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
],
"Tags": [
{
"Key": "sst:app",
"Value": "xxx"
},
{
"Key": "sst:stage",
"Value": "dg-imac"
}
]
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource"
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::cdk-hnb659fds-assets-855659027122-eu-north-1"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::cdk-hnb659fds-assets-855659027122-eu-north-1/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputFnGetAttModelsBucket970C6ADAArnC12F88E2"
},
{
"Fn::Join": [
"",
[
{
"Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputFnGetAttModelsBucket970C6ADAArnC12F88E2"
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
"Roles": [
{
"Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
}
]
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource"
}
},
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-855659027122-eu-north-1",
"S3Key": "e3d9996b6fafcc7da88312672e15e3cc925b02cffc6f01a615d81f22303e3ae0.zip"
},
"Role": {
"Fn::GetAtt": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265",
"Arn"
]
},
"Handler": "index.handler",
"Layers": [
{
"Ref": "DeployDemoJsonAwsCliLayerD7448C3D"
}
],
"Runtime": "python3.7",
"Tags": [
{
"Key": "sst:app",
"Value": "xxx"
},
{
"Key": "sst:stage",
"Value": "dg-imac"
}
],
"Timeout": 900
},
"DependsOn": [
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
"CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource",
"aws:asset:path": "asset.e3d9996b6fafcc7da88312672e15e3cc925b02cffc6f01a615d81f22303e3ae0",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code"
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
Daniel Gato
01/25/2022, 8:10 AM
PutObject is in CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF
Daniel Gato
01/25/2022, 8:12 AMDaniel Gato
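01/26/2022, 2:40 PM
It seems the s3deploy lambda function does not have IAM permission to upload to S3: the policy in the template allows s3:PutObject but not s3:PutObjectAcl, and the deployment uploads with the public-read ACL. I don’t have access to the function here; I’m passing it to the Deployment directly.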
Daniel Gato
01/26/2022, 3:50 PMJay
Daniel Gato
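02/07/2022, 7:49 AM
this.bucket.s3Bucket.grantPut(new iam.AnyPrincipal());
this.bucket.s3Bucket.grantPutAcl(new iam.AnyPrincipal());
If you have something better, I'll take it 🙂 (This works, but AnyPrincipal allows every principal, not just the deployment function, to put objects and object ACLs in the bucket.)
Jay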
Frank
Frank
Daniel Gato
02/24/2022, 11:00 AMFrank
Frank
Frank
Daniel Gato
03/01/2022, 8:36 AMDaniel Gato
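03/01/2022, 8:38 AM
this.bucket.s3Bucket.grantPut(new AnyPrincipal());
this.bucket.s3Bucket.grantPutAcl(new AnyPrincipal());
Then it adds the right roles/permissions. Because the grantee is AnyPrincipal, the permissions go to every principal rather than only the deployment function; passing an explicit `role` to BucketDeployment and granting to that role keeps the bucket from being writable by anyone.
Frank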