aws-s3: grantPut not working as advertised #13616

Closed
@PhilKershaw

Description

The grantPut method documentation reads:

Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Reproduction Steps

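import * as lambda from "@aws-cdk/aws-lambda";
import * as s3 from "@aws-cdk/aws-s3";
// `function` is a reserved word, so the construct is bound to `fn` instead
const fn = new lambda.Function(this, "FunkyTown", {...});
const bucket = new s3.Bucket(this, "AWholeLotOfBucket");
bucket.grantPut(fn);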

What did you expect to happen?

To add action s3:PutObject* thus:

Action:
  - s3:PutObject*
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

What actually happened?

Action:
  - s3:PutObject
  - s3:Abort*
Effect: Allow
Resource:
  Fn::Join:
    - ""
    - - Fn::GetAtt:
          - AWholeLotOfBucketA765543B
          - Arn
      - /*

Environment

  • CDK CLI Version: 1.93.0
  • Framework Version: 1.93.0
  • Node.js Version: v14.16.0
  • OS: Amazon Linux release 2 (Karoo)
  • Language (Version): 3.9.9

Other

Link to docs: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html#grantwbrputidentity-objectskeypattern
Link to original PR: #591


This is 🐛 Bug Report
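
The gap between the two statements in the report can be enumerated by expanding each Action list against a set of S3 actions and diffing the results. This is an added example, not code from the issue or from the CDK; `KNOWN_ACTIONS` is a hand-picked subset of S3 actions and the function names are hypothetical.

```javascript
// Subset of S3 actions chosen for this example (assumption: not the full service list).
const KNOWN_ACTIONS = [
  "s3:PutObject",
  "s3:PutObjectAcl",
  "s3:PutObjectLegalHold",
  "s3:PutObjectRetention",
  "s3:PutObjectTagging",
  "s3:PutObjectVersionAcl",
  "s3:PutObjectVersionTagging",
  "s3:AbortMultipartUpload",
  "s3:GetObject",
  "s3:DeleteObject",
];

// IAM action patterns are case-insensitive; '*' matches any run of
// characters and '?' matches exactly one character.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i");
}

// Concrete actions from `universe` that at least one pattern allows.
function expandActions(patterns, universe = KNOWN_ACTIONS) {
  const matchers = patterns.map(patternToRegExp);
  return universe.filter((action) => matchers.some((re) => re.test(action)));
}

// Actions granted by one Action list but not by the other.
function diffGrants(documented, synthesized) {
  const doc = expandActions(documented);
  const syn = expandActions(synthesized);
  return {
    onlyDocumented: doc.filter((a) => !syn.includes(a)),
    onlySynthesized: syn.filter((a) => !doc.includes(a)),
  };
}

// Action lists copied from the "expected" and "actual" statements in the report.
const DOCUMENTED = ["s3:PutObject*", "s3:Abort*"];
const SYNTHESIZED = ["s3:PutObject", "s3:Abort*"];

const gap = diffGrants(DOCUMENTED, SYNTHESIZED);
console.log("granted only by the documented wildcard:", gap.onlyDocumented);
console.log("granted only by the synthesized policy:", gap.onlySynthesized);
```

The synthesized statement is the narrower of the two: a principal that also needs to set ACLs, tags, retention or legal holds on objects gets no such permission from it, while the documented wildcard would have allowed all of them.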

Labels

@aws-cdk/aws-s3 (Related to Amazon S3), documentation (This is a problem with documentation.), effort/small (Small work item – less than a day of effort), p2
