
Commit beac675

authored
fix(s3): grantRead does not allow s3:HeadObject (#27416)
Fixes the policy granted by `grantRead` so that it allows operations that need to read an object's metadata, for example: ``` s3 = boto3.client("s3") # this operation requires s3:HeadObject permission s3.download_file(bucket, key, filepath) ``` Closes #27389. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 3fc86ca commit beac675

124 files changed

Lines changed: 299 additions & 14 deletions


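--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json
@@ -26,6 +26,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",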
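Review bot: The added `"s3:HeadObject"` entry does not appear to correspond to an action in the S3 service authorization reference; as far as I can tell the HeadObject API is authorized by `s3:GetObject` (with `s3:ListBucket` on the bucket deciding whether a missing key yields 404 or 403), both of which this statement already covers through `s3:GetObject*` and `s3:List*`. IAM accepts unrecognized action strings in identity policies without error, so the new line would be silently ineffective rather than rejected, and policy validation tooling such as IAM Access Analyzer would likely flag it as an invalid action. If the failure described for download_file is real, it is worth reproducing it against this exact statement before shipping, since the cause is probably elsewhere (for example a KMS key grant). Otherwise I would drop the line from grantRead, whose source lives outside this snapshot, so the generated policies stay minimal and free of no-op entries.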

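--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json
@@ -33,6 +33,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",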

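--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json
@@ -31,6 +31,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",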

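--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json
@@ -33,6 +33,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",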

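--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json
@@ -31,6 +31,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -63,6 +64,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",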

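--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/server/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-server-dg.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/server/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-server-dg.template.json
@@ -445,6 +445,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",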

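--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/cloudformation/integ.stacksets.js.snapshot/StackSetPipelineStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/cloudformation/integ.stacksets.js.snapshot/StackSetPipelineStack.template.json
@@ -170,6 +170,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -392,6 +393,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -556,6 +558,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",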

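--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
@@ -158,6 +158,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -433,6 +434,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -558,6 +560,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -668,6 +671,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",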

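--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.js.snapshot/PipelineStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.js.snapshot/PipelineStack.template.json
@@ -152,6 +152,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -497,6 +498,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -614,6 +616,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -923,6 +926,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -1031,6 +1035,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -1347,6 +1352,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -1558,6 +1564,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",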

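--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.js.snapshot/aws-cdk-codepipeline-lambda.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.js.snapshot/aws-cdk-codepipeline-lambda.template.json
@@ -152,6 +152,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -360,6 +361,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",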
