Is it possible to deploy from GitHub to S3 private bucket with public access disabled?

Hello,

I have spent almost a day finding a solution to make it work, but all the threads on the internet related to this topic only have an S3 public configuration with completely open (or partially open) public access to S3. But in our case we are going to store some private files there and we want to keep it secure. On the other side, we use this S3 bucket for our Next.js app, and CloudFront has permissions to read from there. The S3 bucket policy looks like this:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-bucket.here/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::{AWS_ACCOUNT}:distribution/{CLOUDFONT_ID}"
                }
            }
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-bucket.here/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": [
                        "arn:aws:iam::{AWS_ACCOUNT}:role/github",
                        "arn:aws:iam::{AWS_ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"
                    ]
                }
            }
        }
    ]
}

Bucket object ownership: ACL enabled

CloudFront works fine, but GitHub, via the OIDC provider role that was granted full permissions, cannot deploy to the private S3 bucket, and I get this error every time: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied. But it works fine if I remove the checkmarks for ACLs in "Block public access" (new, any ACLs).

And even if I run the following command locally (with an AWS account configured with AWS admin permissions) I cannot see the bucket objects when it is publicly blocked: aws s3 ls s3://some-bucket.here/ --no-sign-request, and I get the following error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

Please help me find a workaround, or at least advise whether it is possible in general (this kind of deployment). Thanks.

1 Answer
Accepted Answer

Firstly, I'd never use "Principal": "*" in a policy unless you really mean it.

You should remove the condition from the statement and place the role ARN that the OIDC provider uses in the Principal section, overwriting the asterisk.

In your GitHub Actions workflow you define your role to assume, e.g. role-to-assume: arn:aws:iam::1234567890:role/example-role

e.g.

      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::1234567890:role/example-role
          role-session-name: samplerolesession
          aws-region: ${{ env.AWS_REGION }}
      # Upload a file to AWS s3
      - name: Copy index.html to s3
        run: |
          aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/

Use this role in the Principal on the bucket policy and remove the conditions.

Also, can you confirm what your encryption settings are on the bucket?

e.g. Notice that I have both the bucket and the bucket objects defined in the Resource:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-bucket.here/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::{AWS_ACCOUNT}:distribution/{CLOUDFONT_ID}"
                }
            }
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                    "AWS": ["arn:aws:iam::{AWS_ACCOUNT}:role/example-role"]
              },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::some-bucket.here/*",
                "arn:aws:s3:::some-bucket.here"
            ]
        }
    ]
}
EXPERT, answered 7 months ago
AWS EXPERT, reviewed 7 months ago
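As an added example (not code from this thread), here is a small Python linter that checks a bucket policy for the three things the answer changes: a wildcard Principal, an aws:SourceArn condition on a non-service principal, and an object-only Resource without the bucket ARN. The two policies embedded below are constructed from the question's and the answer's Statement1, with the {AWS_ACCOUNT} placeholders kept as-is.

```python
import json

# Constructed copies of the two "Statement1" variants from this thread (placeholders kept as-is).
BEFORE = json.loads("""{"Version": "2008-10-17", "Statement": [
 {"Sid": "Statement1", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
  "Resource": "arn:aws:s3:::some-bucket.here/*",
  "Condition": {"StringEquals": {"aws:SourceArn": [
   "arn:aws:iam::{AWS_ACCOUNT}:role/github",
   "arn:aws:iam::{AWS_ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"]}}}]}""")
AFTER = json.loads("""{"Version": "2008-10-17", "Statement": [
 {"Sid": "Statement1", "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::{AWS_ACCOUNT}:role/example-role"]},
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::some-bucket.here/*", "arn:aws:s3:::some-bucket.here"]}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_service_principal(principal):
    return isinstance(principal, dict) and set(principal) == {"Service"}

def lint_bucket_policy(policy):
    """Return (Sid, finding) pairs for Allow statements showing the thread's three mistakes."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        cond_keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        # 1. "Principal": "*" opens the statement to every caller; only the Condition narrows it.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append((sid, "wildcard-principal"))
        # 2. aws:SourceArn is only set on service-to-service calls; an IAM role calling
        #    the API directly never matches it, so the Allow silently never applies.
        if "aws:sourcearn" in cond_keys and not _is_service_principal(principal):
            findings.append((sid, "sourcearn-condition-on-iam-caller"))
        # 3. s3:ListBucket (covered by s3:*) is authorised on the bucket ARN, not on bucket/*.
        needs_bucket = any(a in ("s3:*", "s3:ListBucket") for a in actions)
        bucket_arns = {r.split("/")[0] for r in resources}
        if needs_bucket and not _is_service_principal(principal) and not bucket_arns <= set(resources):
            findings.append((sid, "missing-bucket-arn"))
    return findings

if __name__ == "__main__":
    print("before:", lint_bucket_policy(BEFORE))
    print("after:", lint_bucket_policy(AFTER))
```

It does not cover the Block Public Access setting discussed in the comments: with BlockPublicAcls enabled, S3 rejects a PutObject only when the request itself carries a public ACL, so an upload that does not pass --acl is unaffected.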
  • Thanks, I have tried this solution and modified the policy like in the example above, but I am still getting the same error: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied. The only terrible workaround I found is to remove the ACLs before deployment and add them back when it is completed. Like this:

    aws s3api put-public-access-block --bucket some-bucket.here --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=true,RestrictPublicBuckets=true"

    and return it back:

    aws s3api put-public-access-block --bucket some-bucket.here --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

    But the deployment lasts several minutes. During that time someone could download all the files from the S3 bucket if he/she knows the name. Minimal probability, but still possible to do if the job runs long. Any other ideas how it could be solved in a better way? Thanks in advance.

    UPDATE: Looks like the issue was in this last bucket public access parameter: "Block public access to buckets and objects granted through new access control lists (ACLs)". If I turn it off, the deployment passes OK and the objects and the S3 bucket still remain non-public during the whole time. The result is acceptable. Thanks, Gary. :)

  • There should be no reason for you to be changing settings all the time. There's no reason why Block Public Access can't remain enabled, because you are using IAM to access the bucket. AWS also states and recommends that ACLs be disabled.
