
Updating ACL on S3 object in bucket that disallows ACLs results in incorrect state

Open summera opened this issue 4 months ago • 1 comments

What happened?

Following the AWS getting started tutorial, I was playing with configuring the index.html file in the bucket. As a simple test, I tried updating the index.html object's acl to public-read without updating the BucketPublicAccessBlock or BucketOwnershipControls configuration on the bucket to see an error message. This did result in an error message on the first run of pulumi up, but subsequent runs succeeded and the state within Pulumi cloud of the index.html object was updated to have an acl value of public-read even though the object's ACL was not updated (as confirmed by running aws s3api get-object-acl, which shows that the object does not have public read access).

Example

First, run pulumi up using the following index.js file to create a bucket and object:

"use strict";
const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");

// Bucket with default settings: ACLs disallowed, public access blocked.
const bucket = new aws.s3.Bucket("my-bucket");

// Object created without an explicit acl; Pulumi records it as "private".
const bucketObject = new aws.s3.BucketObject("index.txt", {
  bucket: bucket.id,
  source: new pulumi.asset.StringAsset("Hello, world!"),
  contentType: "text/plain"
});

Note that within Pulumi cloud, the acl of index.txt is set to private at this point. Then add acl: "public-read" to the object:

"use strict";
const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");

// Same bucket as before: ACLs are still disallowed on it.
const bucket = new aws.s3.Bucket("my-bucket");

const bucketObject = new aws.s3.BucketObject("index.txt", {
  bucket: bucket.id,
  source: new pulumi.asset.StringAsset("Hello, world!"),
  contentType: "text/plain",
  acl: "public-read" // <--- ADD THIS: the PutObjectAcl call this triggers is denied by the bucket
});

Then run pulumi up again. This will throw an "update failed" error that looks something like this:

putting S3 Object (index.txt) ACL: operation error S3: PutObjectAcl, https response error StatusCode: 403, RequestID:, HostID: , api error AccessDenied: Access Denied

Even though the operation failed, the acl of the index.txt object in Pulumi cloud will be set to public-read. Moreover, subsequent runs of pulumi up will succeed without errors. A pulumi refresh also shows no changes.

Output of pulumi about

CLI
Version      3.106.0
Go Version   go1.22.0
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.22.2
awsx    2.5.0
docker  4.5.1
docker  3.6.1
nodejs  18.16.0

Host
OS       darwin
Version  12.5
Arch     arm64

Dependencies:
NAME            VERSION
@pulumi/aws     6.22.2
@pulumi/awsx    2.5.0
@pulumi/pulumi  3.106.0

Additional context

No response


summera, Feb 18 '24 00:02
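As an added example, not code from the issue or from pulumi-aws: an offline check that reduces a `get-object-acl` response to the canned ACL it represents and compares it with the acl recorded in Pulumi state, which catches exactly the mismatch described above (state says public-read, object is still private). The owner ID and the two sample responses are constructed; the AllUsers group URI is the real value S3 uses.

```javascript
// Group URI S3 uses for the AllUsers grantee in public-read canned ACLs.
const ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers";

// Map a GetObjectAcl response to the canned ACL it matches.
// Only "private" and "public-read" are distinguished; anything else is "other".
function cannedAclFromGrants(aclResponse) {
  const ownerId = aclResponse.Owner && aclResponse.Owner.ID;
  let ownerFullControl = false;
  let publicRead = false;
  for (const g of aclResponse.Grants || []) {
    const grantee = g.Grantee || {};
    if (grantee.Type === "CanonicalUser" && grantee.ID === ownerId &&
        g.Permission === "FULL_CONTROL") {
      ownerFullControl = true;
    } else if (grantee.Type === "Group" && grantee.URI === ALL_USERS &&
               g.Permission === "READ") {
      publicRead = true;
    } else {
      return "other"; // any extra grant means it is not a plain canned ACL
    }
  }
  if (ownerFullControl && publicRead) return "public-read";
  if (ownerFullControl) return "private";
  return "other";
}

// Compare the acl value stored in state (e.g. read from `pulumi stack export`)
// with what S3 actually reports for the object.
function detectAclDrift(stateAcl, aclResponse) {
  const actual = cannedAclFromGrants(aclResponse);
  return { expected: stateAcl, actual, drifted: actual !== stateAcl };
}

// Constructed sample: the ACL of an object whose PutObjectAcl was denied,
// i.e. still the owner-only default.
const privateAclResponse = {
  Owner: { ID: "EXAMPLE_OWNER_ID" },
  Grants: [
    { Grantee: { Type: "CanonicalUser", ID: "EXAMPLE_OWNER_ID" }, Permission: "FULL_CONTROL" },
  ],
};

// Constructed sample: what the same object would look like if public-read had applied.
const publicReadAclResponse = {
  Owner: { ID: "EXAMPLE_OWNER_ID" },
  Grants: [
    { Grantee: { Type: "CanonicalUser", ID: "EXAMPLE_OWNER_ID" }, Permission: "FULL_CONTROL" },
    { Grantee: { Type: "Group", URI: ALL_USERS }, Permission: "READ" },
  ],
};

console.log(detectAclDrift("public-read", privateAclResponse)); // drifted: true
```

In practice the second argument comes from the SDK's `GetObjectAcl` call (or `aws s3api get-object-acl` output) for each object whose state declares an acl.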

Hi @summera. Thanks for taking the time to check out Pulumi and for filing an issue when something didn't work as expected.

iwahbe, Feb 20 '24 09:02