
s3control-controller: Add access point policy support

Open simon-torrez-al opened this issue 9 months ago • 6 comments

Hello, I'm using s3control-controller to manage S3 access points:

apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true

Today, it's not possible to manage the access point policy for this S3 access point. Is it possible to implement this property?

My solution would be to add a property named "accessPointPolicyDocument" accepting a JSON-formatted document, like:

apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
  # proposed new field, a sibling of publicAccessBlockConfiguration under spec
  policyDocument: >-
    {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789:role/my-authorized-role"},"Action": ["s3:ListBucket","s3:GetObject","s3:PutObject"],"Resource": ["arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name","arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name/my/specific/path/*"]}]}

Thanks for your help on this!

simon-torrez-al avatar Mar 19 '25 11:03 simon-torrez-al
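The proposal above hands an access point policy to the controller as an opaque JSON string. Before a controller (or an admission webhook in front of it) forwards such a document to PutAccessPointPolicy, it is worth checking the parts that decide who can reach the data. The following is an added example, not code from the s3control-controller or ACK code generator: it parses the policy from the issue, confirms every Resource is the access point itself or an object path beneath it, and flags any Allow statement whose Principal is the anonymous "*". The function name ValidatePolicyDocument, the accepted-version check and the sample ARN values are assumptions taken from the issue text, not an existing ACK API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// IssuePolicy is the policy document proposed in the issue, used here as sample input.
const IssuePolicy = `{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789:role/my-authorized-role"},"Action": ["s3:ListBucket","s3:GetObject","s3:PutObject"],"Resource": ["arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name","arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name/my/specific/path/*"]}]}`

// policyDocument is the minimal shape of an IAM-style policy. Principal and
// Resource may be a string or a list, so they are kept raw and normalised below.
type policyDocument struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
}

// asStrings accepts either a JSON string or a JSON array of strings.
func asStrings(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("expected string or list of strings, got %s", string(raw))
	}
	return many, nil
}

// principalStrings flattens a Principal element: either the bare "*" or a map
// such as {"AWS": "arn..."} / {"AWS": ["arn...", "*"]}.
func principalStrings(raw json.RawMessage) ([]string, error) {
	var star string
	if err := json.Unmarshal(raw, &star); err == nil {
		return []string{star}, nil
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("unrecognised Principal: %s", string(raw))
	}
	var out []string
	for _, v := range m {
		vals, err := asStrings(v)
		if err != nil {
			return nil, err
		}
		out = append(out, vals...)
	}
	return out, nil
}

// ValidatePolicyDocument (hypothetical helper) returns the problems found in doc
// when applied to the access point accessPointARN; an empty slice means it passed.
func ValidatePolicyDocument(doc string, accessPointARN string) []string {
	var problems []string
	var p policyDocument
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return []string{"policyDocument is not valid JSON: " + err.Error()}
	}
	if p.Version != "2012-10-17" {
		problems = append(problems, "unexpected policy Version "+p.Version)
	}
	if len(p.Statement) == 0 {
		problems = append(problems, "policy has no Statement")
	}
	for i, s := range p.Statement {
		if s.Effect != "Allow" && s.Effect != "Deny" {
			problems = append(problems, fmt.Sprintf("statement %d: Effect must be Allow or Deny", i))
		}
		res, err := asStrings(s.Resource)
		if err != nil {
			problems = append(problems, fmt.Sprintf("statement %d: %v", i, err))
			continue
		}
		// Every Resource must be this access point or an object path under it.
		for _, r := range res {
			if r != accessPointARN && !strings.HasPrefix(r, accessPointARN+"/") {
				problems = append(problems, fmt.Sprintf("statement %d: Resource %q is outside access point %s", i, r, accessPointARN))
			}
		}
		// An Allow to the anonymous principal would make the access point public.
		if s.Effect == "Allow" {
			principals, err := principalStrings(s.Principal)
			if err != nil {
				problems = append(problems, fmt.Sprintf("statement %d: %v", i, err))
				continue
			}
			for _, pr := range principals {
				if pr == "*" {
					problems = append(problems, fmt.Sprintf("statement %d: Allow granted to anonymous principal \"*\"", i))
				}
			}
		}
	}
	return problems
}

func main() {
	arn := "arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name"
	fmt.Println("problems:", ValidatePolicyDocument(IssuePolicy, arn))
}
```

The resource check is deliberately strict: a policy attached to one access point has no business naming another access point or a bucket ARN, and rejecting that at admission time keeps a copy-paste mistake from becoming a permission grant.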

Hello @simon-torrez-al 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

github-actions[bot] avatar Mar 19 '25 11:03 github-actions[bot]

Hi @simon-torrez-al, I see the AccessPointPolicy has Put, Get and Delete methods here.

We can support this in the controller by generating the new resource with the code generator. Just generate the controller after updating the generator, similar to the route53 RecordSet here.

rushmash91 avatar Mar 19 '25 17:03 rushmash91

Hi @rushmash91,

Thanks a lot for your message, I'll have a look and verify that I'm able to manage this change. I'm not sure of all the implications this modification would need.

simon-torrez-al avatar Mar 19 '25 18:03 simon-torrez-al

Sure! You would need to fork and clone the code-generator, runtime and s3control-controller repos, update the generator and build the controller: https://aws-controllers-k8s.github.io/community/docs/contributor-docs/building-controller/

Let me know if you run into any issues!

rushmash91 avatar Mar 19 '25 18:03 rushmash91

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Sep 15 '25 22:09 ack-bot

Stale issues rot after 60d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 60d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten

ack-bot avatar Nov 14 '25 23:11 ack-bot