pulumi-aws
Updating ACL on S3 object in bucket that disallows ACLs results in incorrect state
What happened?
Following the AWS getting started tutorial, I was playing with configuring the index.html file in the bucket. As a simple test, I tried updating the index.html object's acl to public-read without updating the BucketPublicAccessBlock or BucketOwnershipControls configuration on the bucket to see an error message. This did result in an error message on the first run of pulumi up, but subsequent runs succeeded and the state within Pulumi cloud of the index.html object was updated to have an acl value of public-read even though the object's ACL was not updated (as confirmed by running aws s3api get-object-acl, which shows that the object does not have public read access).
Example
First, run pulumi up using the following index.js file to create a bucket and object:
"use strict";
const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");
const bucket = new aws.s3.Bucket("my-bucket");
const bucketObject = new aws.s3.BucketObject("index.txt", {
  bucket: bucket.id,
  source: new pulumi.asset.StringAsset("Hello, world!"),
  contentType: "text/plain"
});
Note that within Pulumi cloud, the acl of index.txt is set to private at this point. Then add acl: "public-read" to the object:
"use strict";
const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");
const bucket = new aws.s3.Bucket("my-bucket");
const bucketObject = new aws.s3.BucketObject("index.txt", {
  bucket: bucket.id,
  source: new pulumi.asset.StringAsset("Hello, world!"),
  contentType: "text/plain",
  acl: "public-read" // <--- ADD THIS
});
Then run pulumi up again. This will throw an "update failed" error that looks something like this:
putting S3 Object (index.txt) ACL: operation error S3: PutObjectAcl, https response error StatusCode: 403, RequestID:, HostID: , api error AccessDenied: Access Denied
Even though the operation failed, the acl of the index.txt object in Pulumi cloud will be set to public-read. Moreover, subsequent runs of pulumi up will succeed without errors. A pulumi refresh also shows no changes.
Output of pulumi about
CLI
Version 3.106.0
Go Version go1.22.0
Go Compiler gc
Plugins
NAME VERSION
aws 6.22.2
awsx 2.5.0
docker 4.5.1
docker 3.6.1
nodejs 18.16.0
Host
OS darwin
Version 12.5
Arch arm64
Dependencies:
NAME VERSION
@pulumi/aws 6.22.2
@pulumi/awsx 2.5.0
@pulumi/pulumi 3.106.0
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
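An added example, not part of the issue or of Pulumi's code: a drift check that compares the acl recorded in state with the grants S3 actually reports, which is the mismatch described above. It assumes the JSON layout of `pulumi stack export` and of `aws s3api get-object-acl`; the function names are hypothetical and the sample data is constructed.

```javascript
// Added example: compare the ACL recorded in Pulumi state with live S3 grants.
const ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers";

// Reduce the JSON printed by `aws s3api get-object-acl` to a canned ACL name.
// Only the two values that appear in this issue are recognised.
function effectiveCannedAcl(objectAcl) {
  const ownerId = objectAcl.Owner && objectAcl.Owner.ID;
  let publicRead = false;
  for (const { Grantee, Permission } of objectAcl.Grants || []) {
    if (Grantee.Type === "CanonicalUser" && Grantee.ID === ownerId) continue;
    if (Grantee.Type === "Group" && Grantee.URI === ALL_USERS && Permission === "READ") {
      publicRead = true;
      continue;
    }
    return "other"; // a grant outside private/public-read
  }
  return publicRead ? "public-read" : "private";
}

// stackExport: parsed output of `pulumi stack export` (layout assumed).
// liveAcls: map of "<bucket>/<key>" to parsed get-object-acl output.
function findAclDrift(stackExport, liveAcls) {
  const drift = [];
  for (const res of stackExport.deployment.resources) {
    if (res.type !== "aws:s3/bucketObject:BucketObject") continue;
    const { bucket, key, acl } = res.outputs;
    const live = liveAcls[`${bucket}/${key}`];
    if (!live) continue; // ACL not fetched; nothing to compare
    const actual = effectiveCannedAcl(live);
    if (actual !== acl) drift.push({ object: `${bucket}/${key}`, state: acl, actual });
  }
  return drift;
}

// Constructed sample data mirroring the issue: state says public-read,
// while the live object only carries the owner's FULL_CONTROL grant.
const sampleExport = { version: 3, deployment: { resources: [
  { type: "aws:s3/bucket:Bucket", outputs: { bucket: "my-bucket-0000000" } },
  { type: "aws:s3/bucketObject:BucketObject",
    outputs: { bucket: "my-bucket-0000000", key: "index.txt", acl: "public-read" } },
] } };
const sampleLive = { "my-bucket-0000000/index.txt": {
  Owner: { ID: "owner-id-placeholder" },
  Grants: [{ Grantee: { Type: "CanonicalUser", ID: "owner-id-placeholder" },
             Permission: "FULL_CONTROL" }],
} };

console.log(findAclDrift(sampleExport, sampleLive));
```

The same comparison also flags the opposite direction, where state records private but the live object carries an AllUsers READ grant.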
Hi @summera. Thanks for taking the time to check out Pulumi and for filing an issue when something didn't work as expected.