elbv2: cannot use load balancer access logs when bucket is encrypted with KMS key  #21947

@josefaidt

Description

Describe the bug

I am running into almost exactly what is described in this previous issue and similar to this StackOverflow post where I have:

albFargateService.loadBalancer.logAccessLogs(bucket, 'alb-access')

And am receiving

8:58:34 AM | UPDATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer     | BotAlbFargateServiceLB347310A1
Access Denied for bucket: <my-fake-bucket>. Please check S3bucket permission (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: e95cece4-c4af-4b8f-a6f1-d1eb0d2e2778; Proxy: null)

Am I missing an additional piece of configuration for the bucket to enable access logs?

Expected Behavior

Access logs are enabled and emitted to bucket

Current Behavior

Running cdk deploy with the snippet shown in the section above we are presented with what appears to be the correct permissions

IAM Statement Changes
┌───┬─────────────────────────────────────────────────┬────────┬────────────────────────────┬──────────────────────────────────────────────────┬───────────────────────────────────────────────┐
│   │ Resource                                        │ Effect │ Action                     │ Principal                                        │ Condition                                     │
├───┼─────────────────────────────────────────────────┼────────┼────────────────────────────┼──────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Bucket.Arn}                                   │ Allow  │ s3:GetBucketAcl            │ Service:delivery.logs.amazonaws.com              │                                               │
├───┼─────────────────────────────────────────────────┼────────┼────────────────────────────┼──────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Bucket.Arn}/elb-access/AWSLogs/123456753096/* │ Allow  │ s3:Abort*                  │ AWS:arn:${AWS::Partition}:iam::123456789021:root │                                               │
│   │                                                 │        │ s3:PutObject               │                                                  │                                               │
│   │                                                 │        │ s3:PutObjectLegalHold      │                                                  │                                               │
│   │                                                 │        │ s3:PutObjectRetention      │                                                  │                                               │
│   │                                                 │        │ s3:PutObjectTagging        │                                                  │                                               │
│   │                                                 │        │ s3:PutObjectVersionTagging │                                                  │                                               │
│ + │ ${Bucket.Arn}/elb-access/AWSLogs/123456753096/* │ Allow  │ s3:PutObject               │ Service:delivery.logs.amazonaws.com              │ "StringEquals": {                             │
│   │                                                 │        │                            │                                                  │   "s3:x-amz-acl": "bucket-owner-full-control" │
│   │                                                 │        │                            │                                                  │ }                                             │
├───┼─────────────────────────────────────────────────┼────────┼────────────────────────────┼──────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Bucket/Key.Arn}                               │ Allow  │ kms:Decrypt                │ AWS:arn:${AWS::Partition}:iam::123456789021:root │                                               │
│   │                                                 │        │ kms:Encrypt                │                                                  │                                               │
│   │                                                 │        │ kms:GenerateDataKey*       │                                                  │                                               │
│   │                                                 │        │ kms:ReEncrypt*             │                                                  │                                               │
└───┴─────────────────────────────────────────────────┴────────┴────────────────────────────┴──────────────────────────────────────────────────┴───────────────────────────────────────────────┘

And we are receiving the following as CDK starts to deploy the changes

8:58:34 AM | UPDATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer     | BotAlbFargateServiceLB347310A1
Access Denied for bucket: <my-fake-bucket>. Please check S3bucket permission (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: e95cece4-c4af-4b8f-a6f1-d1eb0d2e2778; Proxy: null)

Reproduction Steps

https://github.com/josefaidt/cdk-accesslogs-repro

Our repository and code can be found here https://github.com/aws-amplify/discord-bot/blob/main/cdk/src/components/hey-amplify-app.ts#L250

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.39.1 (build f188fac)

Framework Version

2.39.1

Node.js Version

v18.7.0

OS

macos

Language

Typescript

Language Version

4.8.2

Other information

No response
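The issue title names the condition behind the error: Elastic Load Balancing writes access logs from the regional ELB account and supports only SSE-S3 (AES256) default encryption on the target bucket, not SSE-KMS, so the kms:* grant in the diff above cannot make delivery succeed. As an added example (not code from the issue, the linked repositories, or the aws-cdk project), the TypeScript below checks a bucket offline against the two preconditions the diff is trying to satisfy: default encryption is SSE-S3 or absent, and the bucket policy allows the regional ELB account s3:PutObject on <prefix>/AWSLogs/<account>/. The inputs are shaped like GetBucketEncryption and GetBucketPolicy responses; the bucket name, prefix and account are constructed samples, 127311923021 is the us-east-1 ELB account from the ALB access-log documentation (use the value for your region), and the function and type names are the example's own.

```typescript
// Added example: offline preflight check of an S3 bucket for ELB access-log
// delivery. Not from the issue or the aws-cdk project; sample values are constructed.

type SseRule = {
  ApplyServerSideEncryptionByDefault?: { SSEAlgorithm: string; KMSMasterKeyID?: string };
};
type EncryptionConfig = { ServerSideEncryptionConfiguration?: { Rules: SseRule[] } };

type Principal = string | { AWS?: string | string[]; Service?: string | string[] };
type Statement = {
  Effect: "Allow" | "Deny";
  Principal?: Principal;
  Action: string | string[];
  Resource: string | string[];
};
type Policy = { Version: string; Statement: Statement[] };

export type CheckOpts = { bucket: string; prefix: string; account: string; elbAccount: string };
export type CheckResult = { ok: boolean; problems: string[] };

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
export function iamMatch(pattern: string, value: string): boolean {
  const esc = (s: string) => s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = pattern.split("*").map(p => p.split("?").map(esc).join(".")).join(".*");
  return new RegExp(`^${re}$`).test(value);
}

export function checkAccessLogBucket(enc: EncryptionConfig, policy: Policy, o: CheckOpts): CheckResult {
  const problems: string[] = [];

  // 1. Default encryption: anything other than SSE-S3 (AES256) makes the ELB
  //    service's PutObject fail, which surfaces as "Access Denied for bucket".
  for (const rule of enc.ServerSideEncryptionConfiguration?.Rules ?? []) {
    const alg = rule.ApplyServerSideEncryptionByDefault?.SSEAlgorithm;
    if (alg !== undefined && alg !== "AES256") {
      problems.push(`default encryption is ${alg}; ELB access logs require SSE-S3 (AES256)`);
    }
  }

  // 2. Bucket policy: the regional ELB account root must be allowed s3:PutObject
  //    on the log prefix. Statement conditions are not evaluated here.
  const keyPrefix = o.prefix ? `${o.prefix}/` : "";
  const sampleKey = `arn:aws:s3:::${o.bucket}/${keyPrefix}AWSLogs/${o.account}/sample.log.gz`;
  const elbRoot = `arn:aws:iam::${o.elbAccount}:root`;
  const matching = policy.Statement.filter(st => {
    const aws = typeof st.Principal === "string" ? st.Principal : st.Principal?.AWS;
    return asList(aws).some(p => p === "*" || p === elbRoot || p === o.elbAccount)
      && asList(st.Action).some(a => iamMatch(a, "s3:PutObject"))
      && asList(st.Resource).some(r => iamMatch(r, sampleKey));
  });
  if (!matching.some(st => st.Effect === "Allow")) {
    problems.push(`no Allow statement grants s3:PutObject on ${sampleKey} to ${elbRoot}`);
  }
  if (matching.some(st => st.Effect === "Deny")) {
    problems.push(`an explicit Deny on s3:PutObject matches ${elbRoot} for the log prefix`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples: a KMS-encrypted bucket with an otherwise correct policy
// (the situation in the issue) versus the same bucket switched to SSE-S3.
export const opts: CheckOpts = {
  bucket: "my-fake-bucket", prefix: "alb-access", account: "123456789012", elbAccount: "127311923021",
};
export const kmsEncryption: EncryptionConfig = {
  ServerSideEncryptionConfiguration: {
    Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms", KMSMasterKeyID: "alias/access-logs" } }],
  },
};
export const sseS3Encryption: EncryptionConfig = {
  ServerSideEncryptionConfiguration: { Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] },
};
export const logPolicy: Policy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: `arn:aws:iam::${opts.elbAccount}:root` },
    Action: "s3:PutObject",
    Resource: `arn:aws:s3:::${opts.bucket}/${opts.prefix}/AWSLogs/${opts.account}/*`,
  }],
};

console.log(checkAccessLogBucket(kmsEncryption, logPolicy, opts));
console.log(checkAccessLogBucket(sseS3Encryption, logPolicy, opts));
```

The check only recognises the account-root principal form that the CDK diff above grants (regions that use the logdelivery service principal instead would need that added), and it ignores statement conditions such as the s3:x-amz-acl one, so a passing result means the two well-known blockers are absent, not that delivery is guaranteed.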

Metadata

Labels

@aws-cdk/aws-elasticloadbalancingv2 (Related to Amazon Elastic Load Balancing V2)
bug (This issue is a bug.)
effort/small (Small work item – less than a day of effort)
good first issue (Related to contributions. See CONTRIBUTING.md)
p2
