
Commit beac675

authored
fix(s3): grantRead does not allow s3:HeadObject (#27416)
Fixes the policy granted by `grantRead` so that it also allows operations that need to read an object's metadata, for example:

```
s3 = boto3.client("s3")
# this operation requires s3:HeadObject permission
s3.download_file(bucket, key, filepath)
```

Closes #27389.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 3fc86ca commit beac675


124 files changed

+299
-14
lines changed


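--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.asset-build-spec.js.snapshot/CodeBuildAssetBuildSpecStack.template.json
@@ -26,6 +26,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",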
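Review bot: The added `"s3:HeadObject"` entry does not correspond to an action I can find in the S3 section of the IAM Service Authorization Reference — as far as I can tell the HeadObject API is authorized by `s3:GetObject`, which the `"s3:GetObject*"` entry on the preceding line already covers, so this line is likely a no-op and the failure reported for `download_file` has another cause. Common causes worth checking before relying on this are a missing `s3:ListBucket` on the bucket ARN (without it HeadObject on a missing or inaccessible key returns 403 rather than 404) or an object encrypted with a KMS key the principal cannot decrypt; the `"s3:List*"` entry only helps if the bucket ARN is in this statement's `Resource`, which is outside the hunk. Unknown action names are also flagged by IAM Access Analyzer policy validation, so a deployment that appears to succeed is not evidence the action exists. The library change that produces these snapshot lines is not on this page, and a unit test in the s3 package asserting the exact action list would be a stronger check than snapshot churn.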

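--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.caching.js.snapshot/aws-cdk-codebuild.template.json
@@ -33,6 +33,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",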

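--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-bucket.js.snapshot/aws-cdk-codebuild.template.json
@@ -31,6 +31,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",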

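--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-buildspec-artifacts.js.snapshot/aws-cdk-codebuild-buildspec-artifact-name.template.json
@@ -33,6 +33,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",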

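--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codebuild/test/integ.project-secondary-sources-artifacts.js.snapshot/aws-cdk-codebuild-secondary-sources-artifacts.template.json
@@ -31,6 +31,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -63,6 +64,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",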

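--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/server/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-server-dg.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codedeploy/test/server/integ.deployment-group.js.snapshot/aws-cdk-codedeploy-server-dg.template.json
@@ -445,6 +445,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",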

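--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/cloudformation/integ.stacksets.js.snapshot/StackSetPipelineStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/cloudformation/integ.stacksets.js.snapshot/StackSetPipelineStack.template.json
@@ -170,6 +170,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -392,6 +393,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -556,6 +558,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",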

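--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cfn-template-from-repo.lit.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
@@ -158,6 +158,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -433,6 +434,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -558,6 +560,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -668,6 +671,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",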

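--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.js.snapshot/PipelineStack.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-deployed-through-codepipeline.lit.js.snapshot/PipelineStack.template.json
@@ -152,6 +152,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -497,6 +498,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -614,6 +616,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -923,6 +926,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -1031,6 +1035,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -1347,6 +1352,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -1558,6 +1564,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",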

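--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.js.snapshot/aws-cdk-codepipeline-lambda.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.lambda-pipeline.js.snapshot/aws-cdk-codepipeline-lambda.template.json
@@ -152,6 +152,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -360,6 +361,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",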

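--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.js.snapshot/aws-cdk-codepipeline-alexa-deploy.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-alexa-deploy.js.snapshot/aws-cdk-codepipeline-alexa-deploy.template.json
@@ -162,6 +162,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -361,6 +362,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",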

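--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn-cross-region.js.snapshot/aws-cdk-codepipeline-cloudformation-cross-region.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn-cross-region.js.snapshot/aws-cdk-codepipeline-cloudformation-cross-region.template.json
@@ -38,6 +38,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -233,6 +234,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -351,6 +353,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -438,6 +441,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",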

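--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn-with-action-role.js.snapshot/aws-cdk-codepipeline-cloudformation-cross-region-with-action-role.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn-with-action-role.js.snapshot/aws-cdk-codepipeline-cloudformation-cross-region-with-action-role.template.json
@@ -66,6 +66,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -163,6 +164,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -356,6 +358,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -453,6 +456,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",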

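--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-cfn.js.snapshot/aws-cdk-codepipeline-cloudformation.template.json
@@ -152,6 +152,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -408,6 +409,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -535,6 +537,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -672,6 +675,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",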

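--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-batch.js.snapshot/aws-cdk-codepipeline-codebuild-batch.template.json
@@ -109,6 +109,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -425,6 +426,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",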

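--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-build-multiple-inputs-outputs.js.snapshot/aws-cdk-codepipeline-codebuild-multiple-inputs-outputs.template.json
@@ -109,6 +109,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -170,6 +171,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -530,6 +532,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",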

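--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit-build.js.snapshot/aws-cdk-codepipeline-codecommit-codebuild.template.json
@@ -91,6 +91,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -358,6 +359,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -614,6 +616,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",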

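--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.js.snapshot/aws-cdk-codepipeline-codecommit.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-commit.js.snapshot/aws-cdk-codepipeline-codecommit.template.json
@@ -223,6 +223,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -431,6 +432,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",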

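--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-deploy-ecs.js.snapshot/aws-cdk-codepipeline-codedeploy-ecs.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-code-deploy-ecs.js.snapshot/aws-cdk-codepipeline-codedeploy-ecs.template.json
@@ -38,6 +38,7 @@
 "s3:DeleteObject*",
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*",
 "s3:PutObject",
 "s3:PutObjectLegalHold",
@@ -230,6 +231,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",
@@ -438,6 +440,7 @@
 "Action": [
 "s3:GetBucket*",
 "s3:GetObject*",
+"s3:HeadObject",
 "s3:List*"
 ],
 "Effect": "Allow",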
