Aws-cdk: Access denied when adding an event notification to an existing s3 bucket

Created on 16 Jul 2019 · 4 Comments · Source: aws/aws-cdk

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • [x] :beetle: bug report
  • What is the current behavior?
    Say we deployed the following stack with just an S3 bucket:

import cdk = require('@aws-cdk/core');
import s3 = require('@aws-cdk/aws-s3');

export class Test1Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bucket = new s3.Bucket(this, 'test-bucket');
  }
}

Now we extend this stack with the following code to add an event notification:

import cdk = require('@aws-cdk/core');
import s3 = require('@aws-cdk/aws-s3');
import sns = require('@aws-cdk/aws-sns');
import * as s3n from '@aws-cdk/aws-s3-notifications';

export class Test1Stack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const bucket = new s3.Bucket(this, 'test-bucket');

    const publishTopic = new sns.Topic(this, 'topic');
    bucket.addObjectCreatedNotification(new s3n.SnsDestination(publishTopic));
  }
}

When deploying this change to the existing stack, the deployment will fail with something similar to:

7/8 | 3:10:58 PM | CREATE_FAILED | Custom::S3BucketNotifications | test-bucket/Notifications (testbucketNotifications794B1DC4) Failed to create resource. Access Denied

However when deploying a new stack this error does not occur.

  • What is the expected behavior (or behavior of feature suggested)?

The CloudFormation stack should successfully update when adding event notifications to an existing bucket.

  • Please tell us about your environment:

    • CDK CLI Version: 1.0.0
    • Module Version: 1.0.0
    • OS: [all]
    • Language: [all]
Labels: @aws-cdk/aws-s3, bug, investigating

All 4 comments

We are experiencing the same problem, although even when deploying an entirely new stack. To me it looks like there is a dependency missing between the IAM Role for the Custom::S3BucketNotifications Lambda Function and the required IAM Policy which leads to the Lambda being called before the Policy is created/assigned and therefore results in Permission denied.

See the following log snippet

12/17 | 4:15:38 PM | CREATE_COMPLETE      | AWS::Lambda::Function         | BucketNotificationsHandler050a0587b7544547bf325f094a3db834 (BucketNotificationsHandler050a0587b7544547bf325f094a3db8347ECC3691)
12/17 | 4:15:38 PM | CREATE_IN_PROGRESS   | AWS::IAM::Policy              | BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy (BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36) Resource creation Initiated
12/17 | 4:15:39 PM | CREATE_IN_PROGRESS   | Custom::S3BucketNotifications | redacted-20190917b/Notifications (redacted20190917bNotifications7171EA7A)
Stack data-lake is still not stable (ROLLBACK_IN_PROGRESS (The following resource(s) failed to create: [redacted20190917bNotifications7171EA7A, BucketNotificationsHandler050a0587b7544547bf325f094a3db834RoleDefaultPolicy2CF63D36]. . Rollback requested by user.))
12/17 | 4:15:46 PM | CREATE_IN_PROGRESS   | Custom::S3BucketNotifications | redacted-20190917b/Notifications (redacted20190917bNotifications7171EA7A) Resource creation Initiated
13/17 | 4:15:46 PM | CREATE_FAILED        | Custom::S3BucketNotifications | redacted-20190917b/Notifications (redacted20190917bNotifications7171EA7A) Failed to create resource. Access Denied
More information in CloudWatch Log Stream: 2019/09/17/[$LATEST]d5c5e03fb3414622a07f7770c6fd4a88

CDK CLI version: 1.8.0 (build 5244f97)
aws_cdk python version: 1.8.0

As a work-around I am currently using the following snippet:

// Workaround: make the notifications custom resource wait for the handler's Role
// (and therefore its DefaultPolicy) instead of relying on CloudFormation's default ordering.
// Runs inside the stack constructor, after `bucket` and its notification have been declared.
const logicalId = 'BucketNotificationsHandler050a0587b7544547bf325f094a3db834';
const notificationsResourceHandler = this.node.findChild(logicalId);

// The Custom::S3BucketNotifications resource lives under <bucket>/Notifications/Resource.
const customNotificationsResource = bucket.node
  .findChild('Notifications')
  .node.findChild('Resource');

customNotificationsResource.node.addDependency(notificationsResourceHandler.node.findChild('Role'));

The hard-coded logical id comes from here:
https://github.com/aws/aws-cdk/blob/4a0272db5eb9aae5f440bb0813fdbad6514b60c3/packages/%40aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L33

I'm receiving this error on 1.20.0:

https://pastebin.com/2SVGaexH

Note that I'm using a custom resource due to https://github.com/aws/aws-cdk/issues/4671

I had the same problem. The error is because if you use the putBucketNotificationConfiguration action, the policy creates an s3:PutBucketNotificationConfiguration action, but that action doesn't exist.

You have to pass to the CustomResource a policy_statements containing the action s3:PutBucketNotification

Hope this helps
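The two causes raised in this thread, the custom resource being invoked before its handler role's policy is attached (the missing-dependency comment and its addDependency workaround) and a policy that names an action IAM does not recognise instead of s3:PutBucketNotification (the last comment), can both be checked on the template that cdk synth writes out, before anything is deployed. The following is an added example, not code from aws-cdk, the issue author, or any commenter. It assumes a plain CloudFormation template object and relies on CloudFormation's ordering rule that a resource is created only after everything it references through Ref/Fn::GetAtt or lists in DependsOn has finished; the sample template it audits is a constructed miniature of the synthesized stack, and the logical ids Bucket, HandlerRole, HandlerRoleDefaultPolicy, Handler and BucketNotifications are assumptions rather than the ids CDK generates.

```typescript
// Added example (not from aws-cdk or the issue): audit a synthesized CloudFormation template for the two
// "Access Denied" causes in this thread: (1) Custom::S3BucketNotifications is not ordered after the handler
// role's AWS::IAM::Policy, so the Lambda can run before it has any permissions, and (2) that policy grants a
// non-existent action instead of s3:PutBucketNotification.
type CfnResource = { Type: string; Properties?: Record<string, unknown>; DependsOn?: string | string[] };
type CfnTemplate = { Resources: Record<string, CfnResource> };
type Statement = { Effect?: string; Action?: string | string[] };

/** Every logical id referenced through Ref or Fn::GetAtt anywhere inside `value`. */
function refs(value: unknown, out: string[] = []): string[] {
  if (Array.isArray(value)) {
    for (const v of value) refs(v, out);
  } else if (value && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    if (typeof obj.Ref === 'string') out.push(obj.Ref);
    const getAtt = obj['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') out.push(getAtt[0]);
    for (const k of Object.keys(obj)) refs(obj[k], out);
  }
  return out;
}

/** Direct predecessors CloudFormation honours: explicit DependsOn plus intrinsic references. */
function directDeps(res?: CfnResource): string[] {
  return res ? ([] as string[]).concat(res.DependsOn ?? [], refs(res.Properties)) : [];
}

/** True when CloudFormation must finish creating `target` before it starts `from` (graph reachability). */
function createdBefore(resources: Record<string, CfnResource>, from: string, target: string): boolean {
  const seen: Record<string, boolean> = {};
  const stack = [from];
  while (stack.length > 0) {
    const id = stack.pop() as string;
    if (seen[id]) continue;
    seen[id] = true;
    const deps = directDeps(resources[id]);
    if (deps.indexOf(target) >= 0) return true;
    stack.push(...deps);
  }
  return false;
}

/** IAM action matching: case-insensitive, `*` is a wildcard (so "s3:Put*" also covers the real action). */
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split('*').map((p) => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

function allowsAction(policy: CfnResource, action: string): boolean {
  const doc = policy.Properties?.PolicyDocument as { Statement?: Statement[] } | undefined;
  const statements: Statement[] = doc?.Statement ?? [];
  return statements.some((s) =>
    s.Effect === 'Allow' && ([] as string[]).concat(s.Action ?? []).some((a) => actionMatches(a, action)));
}

/** One finding per problem; an empty array means the notifications resource is safe to deploy. */
export function auditBucketNotifications(template: CfnTemplate): string[] {
  const findings: string[] = [];
  const res = template.Resources;
  for (const id of Object.keys(res)) {
    if (res[id].Type !== 'Custom::S3BucketNotifications') continue;
    // ServiceToken is Fn::GetAtt [handler, Arn]: follow it to the handler function, then to its role.
    const fnId = refs(res[id].Properties?.ServiceToken).filter((x) => res[x]?.Type === 'AWS::Lambda::Function')[0];
    if (!fnId) { findings.push(id + ': ServiceToken does not reference a Lambda function in this template'); continue; }
    const roleIds = refs(res[fnId].Properties?.Role).filter((x) => res[x]?.Type === 'AWS::IAM::Role');
    const policyIds = Object.keys(res).filter((p) =>
      res[p].Type === 'AWS::IAM::Policy' && refs(res[p].Properties?.Roles).some((x) => roleIds.indexOf(x) >= 0));
    for (const p of policyIds) {
      if (!createdBefore(res, id, p)) findings.push(id + ': not ordered after ' + p + '; add a DependsOn');
    }
    if (!policyIds.some((p) => allowsAction(res[p], 's3:PutBucketNotification'))) {
      findings.push(id + ': no attached policy allows s3:PutBucketNotification');
    }
  }
  return findings;
}

/** Constructed miniature of the synthesized stack (logical ids are assumptions, not CDK's own). */
export function sampleTemplate(policyAction: string, notificationsDependsOn?: string[]): CfnTemplate {
  return {
    Resources: {
      Bucket: { Type: 'AWS::S3::Bucket' },
      HandlerRole: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {} } },
      HandlerRoleDefaultPolicy: {
        Type: 'AWS::IAM::Policy',
        Properties: { Roles: [{ Ref: 'HandlerRole' }],
          PolicyDocument: { Statement: [{ Effect: 'Allow', Action: policyAction, Resource: '*' }] } },
      },
      // The function references only the role, so nothing forces the policy to exist before it is invoked.
      Handler: { Type: 'AWS::Lambda::Function', Properties: { Role: { 'Fn::GetAtt': ['HandlerRole', 'Arn'] } } },
      BucketNotifications: {
        Type: 'Custom::S3BucketNotifications', DependsOn: notificationsDependsOn,
        Properties: { ServiceToken: { 'Fn::GetAtt': ['Handler', 'Arn'] }, BucketName: { Ref: 'Bucket' } },
      },
    },
  };
}

// The failing stack (wrong action, no ordering) and the same stack with both fixes applied.
export const BROKEN_TEMPLATE = sampleTemplate('s3:PutBucketNotificationConfiguration');
export const FIXED_TEMPLATE = sampleTemplate('s3:PutBucketNotification', ['HandlerRoleDefaultPolicy']);
```

Running auditBucketNotifications over BROKEN_TEMPLATE yields two findings (the custom resource is not ordered after HandlerRoleDefaultPolicy, and no attached policy allows s3:PutBucketNotification); FIXED_TEMPLATE yields none. The DependsOn in the fixed template is what the workaround's addDependency on the Role construct turns into once synthesized. To use it on a real stack, parse the JSON from cdk.out into a CfnTemplate and pass it in; the dependency walk follows references transitively, so a function that itself depends on the policy is also accepted.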
