Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

s3:PutPublicAccessBlock Access Denied #124

Open
ngocsanguit opened this issue Mar 31, 2023 · 4 comments
Open

s3:PutPublicAccessBlock Access Denied #124

ngocsanguit opened this issue Mar 31, 2023 · 4 comments

Comments

@ngocsanguit
Copy link

Thank you team for the great Matano!
When I deploy it I got this error

The stack named CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: API:
 ›   s3:PutPublicAccessBlock Access Denied

So will the Matano setup create a public s3 bucket/objects? How can we change it only to create in non-public s3?

@Samrose-Ahmed
Copy link
Contributor

Thanks Sang!

So this error is occurring in the CDK bootstrap process, the bucket is not public, it is actually the opposite; its being set as explicitly not public.

The error is occurring due to your organizations policy blocking any usage of the s3:PutPublicAccessBlock action (see the following issue: aws/aws-cdk#5028 (comment)).

There is a CDK optioon: --public-access-block-configuration false for the CDK bootstrap command to not explicitly set the public access block configuration.

We also use the block public access inside our own code for internal buckets, e.g.

blockPublicAccess: BlockPublicAccess.BLOCK_ALL,

Amazon S3 announced that all new S3 buckets will have Block Public Access enabled by default, at which point we can safely remove these explicit configurations. However, the change will be rolled out in April 2023 (not yet) (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-faq.html).

Can you possibly change your organization policy to allow usage of the s3:PutPublicAccessBlock action?

@ngocsanguit
Copy link
Author

Thank you for the prompt response Samrose. Because PutPublicAccessBlock will allow making an S3 bucket public so it's blocked by our policy. Is there any way that I can remove this explicit setting from the code and run without using PutPublicAccessBlock?

@Samrose-Ahmed
Copy link
Contributor

I understand, we can add a config option in matano.config.yml for this and then make a code change in infrastructure to only add the public access block configuration explicitly if the matano configuration tells us to. I can make this change, should be simple.

Samrose-Ahmed added a commit to Samrose-Ahmed/matano that referenced this issue Apr 4, 2023
Unblocks users who have org policies preventing usage of
s3:PutPublicAccessBlock API (matanolabs#124).

Signed-off-by: 🐼 Samrose Ahmed 🐼 <[email protected]>
Samrose-Ahmed added a commit to Samrose-Ahmed/matano that referenced this issue Apr 4, 2023
Unblocks users who have org policies preventing usage of
s3:PutPublicAccessBlock API (matanolabs#124).

Signed-off-by: 🐼 Samrose Ahmed 🐼 <[email protected]>
@Samrose-Ahmed
Copy link
Contributor

I've created a change #125, once its merged and released, you should be able to unblock yourself by just setting aws.set_block_public_access as false in matano.config.yml e.g.

# matano.config.yml

aws:
  account: "123456789012"
  region: "us-east-1"
  set_block_public_access: false

Samrose-Ahmed added a commit that referenced this issue Apr 4, 2023
Unblocks users who have org policies preventing usage of
s3:PutPublicAccessBlock API (#124).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants