Question
I have an AWS CDK script that I'm now unable to deploy. I could deploy it before adding a bucket policy. After adding a bucket policy, it fails to deploy. Here's the Python code:
from aws_cdk import aws_iam, aws_s3

# Private, versioned, SSE-S3 encrypted bucket with all public access blocked.
bucket = aws_s3.Bucket(
    self,
    "myBucket",
    bucket_name="mybucket",
    access_control=aws_s3.BucketAccessControl.PRIVATE,
    versioned=True,
    encryption=aws_s3.BucketEncryption.S3_MANAGED,
    block_public_access=aws_s3.BlockPublicAccess.BLOCK_ALL
)

# Deny every action on the bucket's objects when the request is not made over TLS
# (aws:SecureTransport is "false" for plain-HTTP requests).
policy_statement = aws_iam.PolicyStatement(
    effect=aws_iam.Effect.DENY,
    actions=["*"],
    resources=[bucket.arn_for_objects("*")],
    conditions={"Bool": {"aws:SecureTransport": "false"}}
)
policy_statement.add_any_principal()  # renders as Principal "*"
bucket.add_to_resource_policy(policy_statement)
I deploy this stack using this command: cdk deploy --require-approval=never
And I see the following error:
2/4 | 10:01:03 AM | CREATE_IN_PROGRESS | AWS::S3::BucketPolicy | myBucket/Policy (myBucketPolicyAFBF75F8)
3/4 | 10:01:04 AM | CREATE_FAILED | AWS::S3::BucketPolicy | myBucket/Policy (myBucketPolicyAFBF75F8) API: s3:PutBucketPolicy Access Denied
The user I'm using to deploy this is an admin user with access to everything. I've confirmed that I can log into the console, create this bucket, and add this Bucket Policy with this same user, but for some reason I get a permission denied error when deploying the CDK script.
I'm relatively new to CDK and AWS, so it may be something simple that I'm missing. Any help would be appreciated.
AWS CLI Version 2.0.3
Python Version 3.7.5
CDK Version 1.31.0 (build 8f3ac79)
Botocore Version 2.0.0dev7
Windows 10
UPDATE:
I updated my CDK install to the latest and now it's deploying just fine. No code changed, just my CDK version. I'm now running 1.32.2 (build e19e206) and it deployed. In looking through the release notes, I can't tell exactly why it was broken before and why it's working now, but they did make some changes in IAM and one of them must have fixed this.
Source: https://stackoverflow.com/questions/61144798/why-is-an-admin-account-getting-permission-denied-when-updating-a-bucketpolicy
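The statement in the question synthesizes to a bucket policy that denies any request whose aws:SecureTransport context key is "false". The following is an added example, not code from the question or from the CDK project: it builds that policy document as plain JSON and runs a small, simplified model of IAM's explicit-deny evaluation over it (only the Bool condition operator and "*" wildcards are modelled; a missing context key never matches). It also shows the coverage gap in the question's version: resources=[bucket.arn_for_objects("*")] covers object ARNs only, so bucket-level calls such as s3:ListBucket over plain HTTP are not denied unless the bucket ARN itself is added. The bucket name is the one from the question; the function and parameter names are assumptions of this example.

```python
import fnmatch
import json

# Constructed example value, built from the bucket name used in the question.
BUCKET_ARN = "arn:aws:s3:::mybucket"


def deny_insecure_transport_policy(bucket_arn, include_bucket=False):
    """Return the policy document the question's PolicyStatement synthesizes.

    include_bucket=False reproduces the question: only object ARNs
    (bucket.arn_for_objects("*")) are covered. include_bucket=True also lists
    the bucket ARN itself so bucket-level actions (ListBucket, GetBucketLocation,
    ...) made over plain HTTP are denied as well.
    """
    resources = [f"{bucket_arn}/*"]
    if include_bucket:
        resources.insert(0, bucket_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bool_condition_matches(condition, request_context):
    """Evaluate a Condition block; only the Bool operator is modelled here."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # A key absent from the request context never matches (no ...IfExists).
            if key not in request_context:
                return False
            if str(request_context[key]).lower() != str(expected).lower():
                return False
    return True


def is_explicitly_denied(policy, action, resource, request_context):
    """True if any Deny statement matches the request (an explicit deny always wins)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _bool_condition_matches(stmt.get("Condition", {}), request_context):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = deny_insecure_transport_policy(BUCKET_ARN)
    print(json.dumps(policy, indent=2))
    plain_http = {"aws:SecureTransport": "false"}
    # Object read over plain HTTP: denied.
    print(is_explicitly_denied(policy, "s3:GetObject", f"{BUCKET_ARN}/secret.txt", plain_http))
    # Bucket listing over plain HTTP: NOT denied, the bucket ARN is not in Resource.
    print(is_explicitly_denied(policy, "s3:ListBucket", BUCKET_ARN, plain_http))
```

Listing both the bucket ARN and the bucket ARN with /* in the Resource element (include_bucket=True above, or resources=[bucket.bucket_arn, bucket.arn_for_objects("*")] in CDK) closes that gap; the evaluator here is only a model for checking the shape of the policy offline, not a substitute for the IAM policy simulator.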