1 Answer
Firstly, I'd never use this in a policy unless you really mean it: `"Principal": "*"`
You should remove the condition from the statement and place the role ARN of what the OIDC uses in the Principal section, overwriting the asterisk.
In your GitHub Actions you define the role to assume, e.g. `role-to-assume: arn:aws:iam::1234567890:role/example-role`
e.g.
```yaml
- name: configure aws credentials
  uses: aws-actions/configure-aws-credentials@v3
  with:
    role-to-assume: arn:aws:iam::1234567890:role/example-role
    role-session-name: samplerolesession
    aws-region: ${{ env.AWS_REGION }}
# Upload a file to AWS s3
- name: Copy index.html to s3
  run: |
    aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/
```
Use this role in the Principal on the bucket policy and remove the conditions.
Also, can you confirm what your encryption settings are on the bucket?
e.g. Notice I have the bucket and the bucket objects also defined in the Resource:
```json
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::some-bucket.here/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::{AWS_ACCOUNT}:distribution/{CLOUDFRONT_ID}"
        }
      }
    },
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::{AWS_ACCOUNT}:role/example-role"]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::some-bucket.here/*",
        "arn:aws:s3:::some-bucket.here"
      ]
    }
  ]
}
```
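An added example, not part of the answer above: a small static checker for a bucket policy document that flags the points the answer makes (an anonymous `"*"` principal with no Condition, a service principal with no `aws:SourceArn`/`aws:SourceAccount` condition, and a Resource list that does not cover both the bucket and its objects). The `BAD_POLICY` input is constructed for illustration; function and finding texts are my own, not an AWS API.

```python
import json

OBJECT_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject", "s3:*", "*"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(principal):
    # "Principal": "*" or {"AWS": [...]} / {"Service": "..."} -> (kind, id) pairs
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, p) for kind, ids in principal.items() for p in _as_list(ids)]

def _is_object_arn(arn):
    # arn:aws:s3:::bucket is the bucket ARN; arn:aws:s3:::bucket/* covers objects
    return "/" in arn.split(":::", 1)[-1]

def audit_bucket_policy(policy):
    """Return human-readable findings for every Allow statement; [] means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        condition = stmt.get("Condition", {})
        cond_keys = {k.lower() for block in condition.values() for k in block}
        for kind, ident in _principals(stmt.get("Principal", {})):
            if ident == "*" and not condition:
                findings.append(f"{sid}: anonymous principal '*' with no Condition")
            if kind == "Service" and not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(f"{sid}: service principal {ident} lacks aws:SourceArn/SourceAccount")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if actions & OBJECT_ACTIONS and not any(_is_object_arn(r) for r in resources):
            findings.append(f"{sid}: object-level action but no '<bucket>/*' Resource")
        if actions & BUCKET_ACTIONS and all(_is_object_arn(r) for r in resources):
            findings.append(f"{sid}: bucket-level action but no bucket ARN Resource")
    return findings

# Constructed sample (not from the thread): the anonymous-principal shape the answer warns against
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Deploy", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:PutObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::some-bucket.here"
  }]
}""")
```

Running `audit_bucket_policy(BAD_POLICY)` reports the wildcard principal and the missing `some-bucket.here/*` object resource; the answer's role statement, with both ARNs and a named role principal, produces no findings.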
Thanks, I have tried this solution and modified the policy like in the example above, but I am still getting the same error:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
The only terrible workaround I found is to remove the ACLs before deployment and add them back when it is completed. Like this:
`aws s3api put-public-access-block --bucket some-bucket.here --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=true,RestrictPublicBuckets=true"`
and return it back:
`aws s3api put-public-access-block --bucket some-bucket.here --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"`
But deployment lasts several minutes. During that time someone could be able to download all the files from the S3 bucket if he/she knows the name. Minimal probability, but still possible if a long-running job is kept. Any other ideas how it could be solved in a better way? Thanks in advance.

UPDATE: Looks like the issue was in this last bucket public permissions parameter:
Block public access to buckets and objects granted through new access control lists (ACLs)
If I turn it off then deployment passes OK and the objects and S3 bucket still remain not public the whole time. The result is acceptable. Thanks, Gary. :)

There should be no reason for you to be changing settings all the time. There's no reason why block public access can't remain enabled, because you are using IAM to access the bucket. AWS also states and recommends that ACLs be disabled.