
Use bucket-owner-full-control ACL for cf templates pushed to s3 #177


Closed
wants to merge 1 commit into from

Conversation

acmcelwee (Member)

Since there's no way to have an s3 bucket apply an object acl, you can end up in a scenario where one user (like our ci machine user) writes a template to s3 and then no one else can read that object any more (including the ci machine user that originally created it). This was the only way that I could get this to work how I thought it should. Let me know what y'all think.

@phobologic (Member)

Any idea if this is a new issue due to the change to boto3? We haven't yet updated to the boto3 version internally here at Remind, but with the old version we haven't had this issue between multiple developers here (provided they all have the right IAM access to the bucket in question).

@acmcelwee (Member Author)

It's hard to say, but I've only seen it since the upgrade. That said, I only saw it as a side effect of our CI/CD machine user interacting with stacker, so it's possible that something odd is happening there.

@acmcelwee (Member Author)

Hold off on this. I just saw this happen again even using our branch of this. Still investigating what's causing this.

@phobologic (Member)

Will do - thanks.

@acmcelwee (Member Author)

Finally figured this one out today. We have our circleci pipeline pushing code changes to our environments, where each environment lives in a separate AWS account. The stacker templates bucket was a shared bucket with a bucket policy that granted access to the specific users in the accounts that needed to upload templates. We got into a scenario where our stage account somehow ended up writing the template to the bucket before the dev account, and when the dev account tried to do the HEAD operation on the bucket/key combo, it got a 403 Forbidden response. Ultimately we split out the templates to different buckets for the various environments now, and we have a few kinks to work out regarding sequencing and blueprint versioning.

In the end, nothing to see here... just thought I'd share my journey in case anyone else has a head-scratching moment like I've had over the past few weeks.
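The cross-account ownership problem described in the PR description and in the root-cause comment above, as an added example that is not stacker's own code: a bucket policy for the shared templates bucket that refuses uploads lacking the bucket-owner-full-control canned ACL, plus the matching `put_object` parameters a writer has to use. Bucket name, principal ARNs and function names are assumed for illustration.

```python
"""Added example (not stacker's own code): make a shared, cross-account
templates bucket safe against objects that only their writer can read."""

# Canned ACL that hands the bucket owner full control of an uploaded object.
# Without it, an object written by the stage account's user is owned by that
# account, and the dev account's HEAD on the same key gets 403 Forbidden.
BUCKET_OWNER_FULL_CONTROL = "bucket-owner-full-control"


def templates_bucket_policy(bucket, writer_arns):
    """Bucket policy (assumed names) for the shared templates bucket.

    Cross-account writers are allowed to put and get template objects, but a
    second, explicit Deny rejects any PutObject that does not carry the
    bucket-owner-full-control ACL. An explicit Deny wins over the Allow, so a
    misconfigured CI user cannot create an object nobody else can read.
    (Newer buckets can instead set Object Ownership to BucketOwnerEnforced,
    which disables ACLs and makes the bucket owner own every object.)
    """
    objects = "arn:aws:s3:::%s/*" % bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountTemplateAccess",
                "Effect": "Allow",
                "Principal": {"AWS": list(writer_arns)},
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": objects,
            },
            {
                "Sid": "RequireBucketOwnerFullControl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-acl": BUCKET_OWNER_FULL_CONTROL}
                },
            },
        ],
    }


def put_template_params(bucket, key, body):
    """boto3 put_object kwargs that satisfy the Deny statement above."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ACL": BUCKET_OWNER_FULL_CONTROL}
```

Pass the returned dict straight to `put_bucket_policy(Bucket=..., Policy=json.dumps(...))` on the bucket-owning account, and `s3.put_object(**put_template_params(...))` from each writer.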

@acmcelwee acmcelwee closed this Aug 9, 2016
@phobologic (Member)

Ahhh, ok, that makes sense. Thanks for the follow-up @acmcelwee!
