provider-aws
S3 DeleteBucketOwnershipControls is needed for Observe
What happened?
- Update from 0.27.1 to 0.29.0
- IAM policies are tied down as much as possible.
After the update we get DEBUG messages that "Observe" gets an AccessDenied error because of the missing permission "s3:DeleteBucketOwnershipControls".
Why does Observe need this permission? We do not use the new flag introduced with #1075 and in my opinion this should work without the permission.
Log:
1.6578632964596574e+09 DEBUG provider-aws Cannot observe external resource {"controller": "managed/bucket.s3.aws.crossplane.io", "request": "/a-test-bucket", "uid": "2f4731cd-f781-478e-8488-", "version": "17407", "external-name": "a-test-bucket", "error": "operation error S3: DeleteBucketOwnershipControls, https response error StatusCode: 403, RequestID: 5KC6YXFE558TAA, HostID: xFjV/gYAxgLh.. , api error AccessDenied: Access Denied"}
How can we reproduce it?
Remove DeleteBucketOwnershipControls from your Crossplane IAM policy and try to update to 0.29.0, or simply try to provision an S3 bucket.
What environment did it happen in?
Crossplane version:
EKS 1.21 Crossplane 1.8.1 Crossplane AWS Provider 0.29.0
Thanks for looking into it.
I know ACLs are handled in Observe, as the API is not symmetric. It's not possible to get the ACL back in the same format as they are written in.
But I'm not sure if this means DeleteBucketOwnershipControls should be called in Observe too. Could we do a Get in Observe and then return a proper IsUpToDate value and handle any changes in Update instead, @antoninbas?
@chlunde I just "copied" what was done for ACLs when I implemented that.
I am not very familiar with the crossplane controller framework, but I imagine that what you are describing can be implemented with GetBucketOwnershipControls, which should return the current configuration in the same format as what was provided when calling PutBucketOwnershipControls.
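The reconcile shape the two comments above converge on (a Get in Observe that yields IsUpToDate, with Put and Delete confined to Update), as an added example that is not provider-aws's own code. It assumes a hypothetical `OwnershipAPI` interface that mirrors only the three S3 calls named in the thread with simplified signatures (the real aws-sdk-go-v2 methods take input structs and return an `OwnershipControls` rule list), an in-memory `fakeS3` so it runs offline, and a constructed `ErrNoOwnershipControls` sentinel standing in for S3's not-found error. The point it shows is that Observe then needs only `s3:GetBucketOwnershipControls`, and `s3:DeleteBucketOwnershipControls` is exercised only when the spec actually asks for the controls to be removed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ObjectOwnership holds the values S3 accepts for bucket ownership controls.
type ObjectOwnership string

const (
	BucketOwnerPreferred ObjectOwnership = "BucketOwnerPreferred"
	ObjectWriter         ObjectOwnership = "ObjectWriter"
	BucketOwnerEnforced  ObjectOwnership = "BucketOwnerEnforced"
)

// OwnershipAPI is a hypothetical, simplified stand-in for the three S3 client
// calls discussed in the issue; it is not the aws-sdk-go-v2 interface.
type OwnershipAPI interface {
	GetBucketOwnershipControls(ctx context.Context, bucket string) (*ObjectOwnership, error)
	PutBucketOwnershipControls(ctx context.Context, bucket string, o ObjectOwnership) error
	DeleteBucketOwnershipControls(ctx context.Context, bucket string) error
}

// ErrNoOwnershipControls is a constructed sentinel modelling the S3 error
// returned when a bucket has no ownership controls configured.
var ErrNoOwnershipControls = errors.New("OwnershipControlsNotFoundError")

// ObserveOwnership reads the live configuration and reports whether it
// matches the desired spec (desired == nil means "no controls wanted").
// It issues a Get only, so the Observe path needs no Put/Delete permission.
func ObserveOwnership(ctx context.Context, api OwnershipAPI, bucket string, desired *ObjectOwnership) (bool, error) {
	current, err := api.GetBucketOwnershipControls(ctx, bucket)
	if errors.Is(err, ErrNoOwnershipControls) {
		// Nothing configured on the bucket: up to date only if nothing is desired.
		return desired == nil, nil
	}
	if err != nil {
		return false, err
	}
	if desired == nil {
		return false, nil // controls exist but the spec asks for none
	}
	return *current == *desired, nil
}

// UpdateOwnership moves the bucket toward the desired spec. Delete is called
// only when the spec explicitly drops the controls; otherwise Put is used.
func UpdateOwnership(ctx context.Context, api OwnershipAPI, bucket string, desired *ObjectOwnership) error {
	if desired == nil {
		return api.DeleteBucketOwnershipControls(ctx, bucket)
	}
	return api.PutBucketOwnershipControls(ctx, bucket, *desired)
}

// fakeS3 is an in-memory implementation used so the example runs offline;
// it records the call sequence so a test can check Observe never deletes.
type fakeS3 struct {
	controls map[string]ObjectOwnership
	calls    []string
}

func newFakeS3() *fakeS3 { return &fakeS3{controls: map[string]ObjectOwnership{}} }

func (f *fakeS3) GetBucketOwnershipControls(_ context.Context, bucket string) (*ObjectOwnership, error) {
	f.calls = append(f.calls, "Get")
	o, ok := f.controls[bucket]
	if !ok {
		return nil, ErrNoOwnershipControls
	}
	return &o, nil
}

func (f *fakeS3) PutBucketOwnershipControls(_ context.Context, bucket string, o ObjectOwnership) error {
	f.calls = append(f.calls, "Put")
	f.controls[bucket] = o
	return nil
}

func (f *fakeS3) DeleteBucketOwnershipControls(_ context.Context, bucket string) error {
	f.calls = append(f.calls, "Delete")
	delete(f.controls, bucket)
	return nil
}

func main() {
	ctx := context.Background()
	api := newFakeS3()
	want := BucketOwnerEnforced
	// First reconcile: Observe sees no controls, Update puts them.
	up, _ := ObserveOwnership(ctx, api, "a-test-bucket", &want)
	fmt.Println("before update, up to date:", up)
	_ = UpdateOwnership(ctx, api, "a-test-bucket", &want)
	up, _ = ObserveOwnership(ctx, api, "a-test-bucket", &want)
	fmt.Println("after update, up to date:", up)
	fmt.Println("calls made:", api.calls)
}
```

With this split, an IAM policy that omits `s3:DeleteBucketOwnershipControls` only fails a reconcile whose spec actually removes the controls, and that failure surfaces in Update rather than blocking every Observe of every bucket.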
Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.