aws-cdk s3:PutBucketPolicy Access Denied when deploying bucket with public read access
E

4

6

I am trying to set up a static website using an S3 bucket using the cdk. However, when I deploy the stack I receive the error API: s3:PutBucketPolicy Access Denied. The CLI user I am using has administrator permissions.

I have tried to manually create a bucket with the "Static website hosting" property configured, but when I add the following bucket policy, I receive an Access denied error, even though I am the root user.

{
  "Id": "PolicyId",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Sid",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::BUCKET_NAME",
      "Principal": "*"
    }
  ]
}

Something similar to here.

I have deselected all the public access settings as is suggested - but I still receive an access denied.

I believe the problem when deploying the cdk code may be related to the problem when creating the bucket manually, but I don't know how to debug it.

Emissary answered 8/5, 2019 at 17:5 Comment(1)
I had a very similar issue which I posted here: #61145298. I was able to "resolve" it by updating to the latest version of CDK (1.32.2). It seems there have been some IAM changes that must've fixed this. - Partitive
F
16

In April 2023 AWS must have changed bucket defaults. A fix for AWS CDK projects would be adding blockPublicAccess together with accessControl props as follows:

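import * as s3 from "aws-cdk-lib/aws-s3";
import { BlockPublicAccess, BucketAccessControl } from "aws-cdk-lib/aws-s3";
// ....

// Content bucket
const bucket = new s3.Bucket(this, "Bucket", {
  // ... (other bucket props)
  // Blocks public ACLs only; public bucket policies are still allowed
  blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
  accessControl: BucketAccessControl.BUCKET_OWNER_FULL_CONTROL,
});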
Flyn answered 27/4, 2023 at 15:37 Comment(2)
Thank you so much. I had the problem you described and your solution fixed my problem. - Nigritude
Thank you. It took me half of the morning to find out the problem. - Exudate
S
3

For folks struggling with this error using aws-cdk and an already existing bucket:

Take a look if you are not trying to modify the bucket policy when you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" in the Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) the policy you can set the blockPublicAccess property back again.

Statesman answered 7/11, 2022 at 12:11 Comment(0)
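The interaction the answers above describe, between a public bucket policy and the bucket's Block Public Access settings, as an added example that is not code from any of the posters or from the CDK: a dependency-free TypeScript pre-deploy check. The helper names, the sample policies and the simplified definition of "public" are assumptions of this example.

```typescript
// Added example; helper names and sample policies are constructed.
type Statement = {
  Effect: string;
  Principal?: string | { [k: string]: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: object;
};
type Policy = { Statement: Statement[] };
type Bpa = { blockPublicPolicy: boolean; restrictPublicBuckets: boolean };

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Simplification (assumption): an Allow with a wildcard principal and no
// Condition is public. S3's own evaluation also inspects condition keys.
function isPublicStatement(s: Statement): boolean {
  if (s.Effect !== "Allow" || s.Condition !== undefined) return false;
  const p = s.Principal;
  if (p === undefined) return false;
  if (typeof p === "string") return p === "*";
  return Object.keys(p).some((k) => asList(p[k]).indexOf("*") !== -1);
}

// Pre-deploy review: what happens if this policy is put on a bucket
// that has the given Block Public Access settings?
function reviewPolicy(policy: Policy, bpa: Bpa): string[] {
  const findings: string[] = [];
  const pub = policy.Statement.filter(isPublicStatement);
  if (pub.length === 0) return findings;
  if (bpa.blockPublicPolicy) {
    findings.push("DENIED: BlockPublicPolicy is on; PutBucketPolicy rejects a public policy");
  } else if (bpa.restrictPublicBuckets) {
    findings.push("INEFFECTIVE: RestrictPublicBuckets is on; anonymous reads are still refused");
  }
  for (const s of pub) {
    const extra = asList(s.Action).filter((a) => a !== "s3:GetObject");
    if (extra.length > 0) findings.push("OVERBROAD: public statement allows " + extra.join(", "));
  }
  return findings;
}

// Constructed inputs: the question's statement, and a read-only variant.
const questionPolicy: Policy = { Statement: [
  { Effect: "Allow", Principal: "*", Action: "s3:*", Resource: "arn:aws:s3:::BUCKET_NAME" },
] };
const readOnlyPolicy: Policy = { Statement: [
  { Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject", Resource: "arn:aws:s3:::BUCKET_NAME/*" },
] };
console.log(reviewPolicy(questionPolicy, { blockPublicPolicy: true, restrictPublicBuckets: true }));
```

The DENIED finding corresponds to the s3:PutBucketPolicy Access Denied error in the question; the OVERBROAD finding shows that a static website needs only s3:GetObject on the objects, not s3:* for everyone.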
A
0

Try this

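from aws_cdk import aws_s3 as s3

# Inside the stack's __init__:
bucket = s3.Bucket(
    self,
    "WebsiteBucket",
    # All four Block Public Access settings are switched off for this bucket
    block_public_access=s3.BlockPublicAccess(
        block_public_acls=False,
        block_public_policy=False,
        ignore_public_acls=False,
        restrict_public_buckets=False,
    ),
    public_read_access=True,
    website_index_document="index.html",
    website_error_document="error.html",
    # Adds a bucket-policy Deny for requests made without TLS
    enforce_ssl=True,
)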
Athal answered 10/5 at 10:48 Comment(0)
J
-1

This worked for me:

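// Imports for CDK v1, current when this answer was posted; in CDK v2 the
// modules are 'aws-cdk-lib/aws-s3' and 'aws-cdk-lib/aws-s3-deployment'.
import { Bucket } from '@aws-cdk/aws-s3';
import { BucketDeployment, Source } from '@aws-cdk/aws-s3-deployment';

// Inside the stack constructor:
// Create the web bucket and give it public read access
this.webBucket = new Bucket(this, 'WebBucket', {
    websiteIndexDocument: 'index.html',
    publicReadAccess: true
});

// Deploy the frontend to the web bucket
new BucketDeployment(this, 'DeployFrontend', {
    source: Source.asset('../ui/dist'),
    destinationBucket: this.webBucket
});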

Also, make sure the "Block public access (account settings)" is turned off in the S3 Console.

Jijib answered 2/8, 2019 at 19:22 Comment(0)
