Skip to content

fix(s3): grantRead does not allow s3:HeadObject#27416

Merged
mergify[bot] merged 3 commits intoaws:mainfrom
lpizzinidev:gh-27389
Oct 11, 2023
Merged

fix(s3): grantRead does not allow s3:HeadObject#27416
mergify[bot] merged 3 commits intoaws:mainfrom
lpizzinidev:gh-27389

Conversation

@lpizzinidev
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev commented Oct 5, 2023

Fixes the policy enforced by grantRead to allow operations that require to read an object's metadata, for example:

s3 = boto3.client("s3")
# this operation requires s3:HeadObject permission
s3.download_file(bucket, key, filepath)

Closes #27389.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 5, 2023 14:16
@github-actions github-actions Bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 5, 2023
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 5, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@lpizzinidev lpizzinidev changed the title fix(s3): grantRead allow s3:HeadObject fix(s3): grantRead does not allow s3:HeadObject Oct 6, 2023
@lpizzinidev lpizzinidev force-pushed the gh-27389 branch 3 times, most recently from 6f0a25d to bc06577 Compare October 6, 2023 13:01
@lpizzinidev
Copy link
Copy Markdown
Contributor Author

lpizzinidev commented Oct 6, 2023

Exemption Request.
The bucket.grantRead function already has extensive coverage in both unit and functional tests.

@aws-cdk-automation aws-cdk-automation added pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 6, 2023
tmokmss
tmokmss approved these changes Oct 10, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@tmokmss tmokmss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 10, 2023
@vinayak-kukreja vinayak-kukreja added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Oct 11, 2023
vinayak-kukreja
vinayak-kukreja previously approved these changes Oct 11, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@vinayak-kukreja vinayak-kukreja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution. And, thank you @tmokmss for reviewing the PR. :)

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 11, 2023 00:04

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@mergify mergify Bot dismissed vinayak-kukreja’s stale review October 11, 2023 00:04

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@mergify
Copy link
Copy Markdown
Contributor

mergify Bot commented Oct 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 11, 2023
@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Oct 11, 2023

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: c2e7a2e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify Bot merged commit beac675 into aws:main Oct 11, 2023
@mergify
Copy link
Copy Markdown
Contributor

mergify Bot commented Oct 11, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@sixcorners
Copy link
Copy Markdown

sixcorners commented Oct 11, 2023

Is HeadObject a real action? I think the iam console seems to see s3:HeadObject as an unrecognized action.. Unless I messed something up.

@lpizzinidev
Copy link
Copy Markdown
Contributor Author

lpizzinidev commented Oct 12, 2023

@sixcorners
It seems you're right.
Screenshot 2023-10-12 at 08 15 09
@tmokmss Thoughts?

@tmokmss
Copy link
Copy Markdown
Contributor

tmokmss commented Oct 12, 2023
edited
Loading

@lpizzinidev @sixcorners Hmm, I confirmed that you are right. There's no action named s3:HeadObject (source) and HeadObject API succeeds if GetObject is allowed. So I misunderstood that the 403 error I was getting with the HeadObject was due to lack of IAM permission, but in fact it was because the object with the specified key did not exist and listBucket action was not allowed (source). Sorry for me jumping to a wrong conclusion 🙏 (I believe it's at least not a huge problem because deployment succeeds anyway, isn't it?)

I think we should revert this change. Maybe we can discuss if we should allow listBucket as well, but that's a completely different issue...

@lpizzinidev
Copy link
Copy Markdown
Contributor Author

lpizzinidev commented Oct 12, 2023

@tmokmss Agree.
@vinayak-kukreja This PR should be reverted as it is adding an unrecognized action to the policy.
@sixcorners Thanks for the feedback! 💪

@days-later days-later mentioned this pull request Oct 14, 2023
Closed
@zxkane
Copy link
Copy Markdown
Contributor

zxkane commented Oct 16, 2023
edited
Loading

The unrecoginized s3:HeadObject will break the cfn-lint scan.

kaizencc added a commit that referenced this pull request Oct 16, 2023
@kaizencc
Revert "fix(s3): grantRead does not allow s3:HeadObject (#27416)"
fa7337c 
This reverts commit beac675.
@kaizencc kaizencc mentioned this pull request Oct 16, 2023
Merged
mergify Bot pushed a commit that referenced this pull request Oct 16, 2023
@kaizencc
revert: "fix(s3): grantRead does not allow s3:HeadObject (#27416)" (#…
8dc1c18 
…27556)

This reverts commit beac675.

Comments on #27416 demonstrate that the PR was created due to misunderstanding of an error message.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@MrArnoldPalmer MrArnoldPalmer mentioned this pull request Oct 16, 2023
Closed
MrArnoldPalmer pushed a commit that referenced this pull request Oct 16, 2023
@kaizencc @MrArnoldPalmer
revert: "fix(s3): grantRead does not allow s3:HeadObject (#27416)" (#…
d013677 
…27556)

This reverts commit beac675.

Comments on #27416 demonstrate that the PR was created due to misunderstanding of an error message.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions github-actions Bot mentioned this pull request Nov 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+2 more reviewers

@tmokmss tmokmss tmokmss approved these changes

@vinayak-kukreja vinayak-kukreja vinayak-kukreja approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/small Small work item – less than a day of effort p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

s3: bucket.grantRead does not allow s3:HeadObject

6 participants

@lpizzinidev @aws-cdk-automation @sixcorners @tmokmss @zxkane @vinayak-kukreja