(aws-cloudfront-origins): Enable S3 versioned access for OAC #33034

@matthiasgubler

Description

Describe the feature

By calling S3BucketOrigin.withOriginAccessControl, the access levels only allow adding the bucket action s3:GetObject, but there is no way to easily add s3:GetObjectVersion. In order to get that, the bucket permissions must be extended manually.

There should be a way to extend the access levels, have a way to manually extend required actions or set a flag to enable versioned access.

Use Case

I created an S3 origin with OAC to provide a signed URL and allow the versionId to be passed, so the user can download a specific object version. I needed to extend the bucket permission manually, by adding the action 's3:GetObjectVersion' for the distributionId.

Proposed Solution

I see three possible solutions:

  • Extend the enum AccessLevel to have a READ_VERSIONED
  • Add a way to extend the policy per OAC by passing a list of actions
  • Have a flag versioned in the properties on creating the OAC

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.167.1

Environment details (OS name and version, etc.)

MacOS
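The manual extension the issue describes is a bucket resource-policy statement: the same statement the OAC helper writes (principal cloudfront.amazonaws.com, scoped to one distribution through the AWS:SourceArn condition), with s3:GetObjectVersion added next to s3:GetObject. The Python below is an added example, not code from the aws-cdk project or from the issue author; it builds that statement in both forms and includes a check that flags a versioned grant that is not pinned to the expected distribution. The account id, bucket name and distribution id are constructed placeholders.

```python
"""Bucket policy for a CloudFront origin access control (OAC) on an S3 origin,
with and without versioned object access.

Added example, not aws-cdk project code. The statement shape (service
principal cloudfront.amazonaws.com, StringEquals condition on AWS:SourceArn
naming the distribution) is the bucket policy CloudFront documents for OAC.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"            # constructed placeholder
BUCKET = "example-signed-downloads"    # constructed placeholder
DISTRIBUTION_ID = "E2EXAMPLE12345"     # constructed placeholder


def distribution_arn(account_id, distribution_id):
    """ARN of the distribution that the bucket policy is scoped to."""
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"


def oac_read_statement(bucket, account_id, distribution_id, versioned=False):
    """Allow the CloudFront service principal to read objects from `bucket`,
    but only on behalf of one distribution. With versioned=True the statement
    also grants s3:GetObjectVersion, which a request carrying ?versionId=
    needs; this is the manual extension the issue describes."""
    actions = ["s3:GetObject"]
    if versioned:
        actions.append("s3:GetObjectVersion")
    return {
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": actions,
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {
            "StringEquals": {
                "AWS:SourceArn": distribution_arn(account_id, distribution_id)
            }
        },
    }


def bucket_policy(statements):
    return {"Version": "2012-10-17", "Statement": statements}


def _action_matches(actions, wanted):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def grants_versioned_read(policy, expected_distribution_arn):
    """Review helper: does this policy let CloudFront fetch object versions,
    and is every such grant pinned to `expected_distribution_arn`?
    Returns (versioned_allowed, all_versioned_grants_scoped)."""
    versioned = False
    scoped = True
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if "cloudfront.amazonaws.com" not in services:
            continue
        if not _action_matches(stmt.get("Action", []), "s3:GetObjectVersion"):
            continue
        versioned = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("AWS:SourceArn") != expected_distribution_arn:
            scoped = False  # versioned read usable by any distribution
    return versioned, scoped


if __name__ == "__main__":
    stmt = oac_read_statement(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID, versioned=True)
    print(json.dumps(bucket_policy([stmt]), indent=2))
    print(grants_versioned_read(bucket_policy([stmt]),
                                distribution_arn(ACCOUNT_ID, DISTRIBUTION_ID)))
```

In a CDK stack the versioned statement is what one would hand to bucket.addToResourcePolicy as an iam.PolicyStatement after calling S3BucketOrigin.withOriginAccessControl; the check above is useful in a policy review because s3:GetObjectVersion exposes every retained version of an object, so the grant should stay pinned to the intended distribution.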

Labels: @aws-cdk/aws-cloudfront-origins, effort/medium, feature-request, p2