1 vote

I would like to be able to change the policies on s3 buckets using cloudformation. However when I attempt to do this I encounter the error:

2017-12-21 18:49:10 UTC   TestBucketpolicyAwsS3Bucketpolicy   CREATE_FAILED        API: s3:PutBucketPolicy Access Denied  

Here is an example of a cloudformation template that fails due to this issue:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "",
  "Resources": {
    "TestBucketpolicyAwsS3Bucketpolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "alex-test-bucket-123",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "*"
                ]
              },
              "Resource": "arn:aws:s3:::alex-test-bucket-123/*",
              "Action": [
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:PutObject*"
              ]
            }
          ]
        }
      }
    }
  }
}

I have tried changing policies on both my IAM user and the actual bucket I want to manage with cloudformation, but neither solution has resolved the issue. How can I remove this "s3:PutBucketPolicy" restriction?

Edit: I think the issue may be that only IAM roles can access the "s3:PutBucketPolicy" operation. I may need to create a role with s3 access then establish a trust relationship with the user that runs this cloudformation template.

https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html

1
It is not clear what you are asking. – Asdfg
I just edited my post to make it a bit clearer. I want to be able to change the policies attached to s3 buckets with cloudformation and cannot due to an API: s3:PutBucketPolicy Access Denied error. This pops up despite the fact that my user should have admin permissions with access to everything in my aws account and no restrictions. – Alex Cohen
Are you selecting a different role while deploying your CFT? Are you using the AWS console or CLI to deploy it? – Asdfg
I'm using the cli to deploy this through a tool that writes cloudformation templates called sparkleformation. – Alex Cohen
The IAM role assumed while executing your CloudFormation template must have permission to edit the S3 bucket policy. Hence, as a solution, you need to apply the correct IAM policy to a given IAM role, and use that IAM role while executing CloudFormation to run this successfully. – Usman Azhar

1 Answer

1 vote

IAM users cannot directly run s3:PutBucketPolicy operations. You need to create a separate IAM role and attach it to your user with a trust relationship to assume that IAM role.

Your role will need s3 and cloudformation access. The policy document below will work.

{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "s3:*",
            "cloudformation:*"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }
}

The ARN of your IAM role will then need to be set in your config or the AWS_STS_ROLE_ARN environment variable along with your aws access keys.

Once you assume the role you will then be able to change s3 bucket policies.

Note that this will override any permissions your user has when you set your AWS_STS_ROLE_ARN in your config or environment variables.
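Two things in this thread deserve a second look before anyone deploys them: the bucket policy in the question grants GetObject, PutObject and DeleteObject to the anonymous principal "*", and the role policy in the answer grants s3:* and cloudformation:* on every resource. The script below is an added example (not code from the question, the answer, or SparkleFormation) that embeds both documents as constructed Python dicts, normalizes the string-or-list fields IAM allows, and reports those two findings; it then builds a narrower role policy limited to the bucket-policy actions on the bucket ARN. That narrower policy is an assumption about what managing an AWS::S3::BucketPolicy resource needs and deliberately omits whatever CloudFormation permissions your deployment tool itself requires.

```python
"""Static review of the bucket policy and role policy from this thread.
Constructed example for illustration; not part of the question or answer."""
import json

# The AWS::S3::BucketPolicy template from the question, as a Python dict.
BUCKET_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "TestBucketpolicyAwsS3Bucketpolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": "alex-test-bucket-123",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": ["*"]},
                        "Resource": "arn:aws:s3:::alex-test-bucket-123/*",
                        "Action": ["s3:GetObject*", "s3:DeleteObject*", "s3:PutObject*"],
                    }],
                },
            },
        }
    },
}

# The role policy from the answer; note Statement is a single object here.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Action": ["s3:*", "cloudformation:*"], "Resource": "*", "Effect": "Allow"},
}

WRITE_PREFIXES = ("s3:Put", "s3:Delete")


def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Statement may be one object or a list; return a list of dicts."""
    return as_list(policy.get("Statement"))


def is_public(statement):
    """True when the principal is the anonymous wildcard, in either spelling."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def review_bucket_policy(policy):
    """Flag Allow statements open to everyone, and call out write/delete."""
    findings = []
    for st in statements(policy):
        if st.get("Effect") != "Allow" or not is_public(st):
            continue
        actions = as_list(st.get("Action"))
        findings.append("public principal allowed: " + ", ".join(actions))
        writes = [a for a in actions if a.startswith(WRITE_PREFIXES)]
        if writes:
            findings.append("anonymous write/delete granted: " + ", ".join(writes))
    return findings


def review_role_policy(policy):
    """Flag wildcard actions granted on Resource '*'."""
    findings = []
    for st in statements(policy):
        if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource")):
            continue
        wild = [a for a in as_list(st.get("Action")) if a.endswith("*")]
        if wild:
            findings.append("wildcard actions on all resources: " + ", ".join(wild))
    return findings


def review_template(template):
    """Run the bucket-policy review over every AWS::S3::BucketPolicy resource."""
    return {
        name: review_bucket_policy(res["Properties"]["PolicyDocument"])
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::S3::BucketPolicy"
    }


def scoped_role_policy(template):
    """Narrower alternative to s3:*/cloudformation:* on '*'.
    Assumption: a bucket-policy resource needs only these three actions,
    on the bucket ARN itself (arn:aws:s3:::bucket, not /*)."""
    buckets = sorted({
        res["Properties"]["Bucket"]
        for res in template.get("Resources", {}).values()
        if res.get("Type") == "AWS::S3::BucketPolicy"
    })
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": ["arn:aws:s3:::" + b for b in buckets],
        }],
    }


if __name__ == "__main__":
    print(json.dumps(review_template(BUCKET_TEMPLATE), indent=2))
    print(json.dumps(review_role_policy(ROLE_POLICY), indent=2))
    print(json.dumps(scoped_role_policy(BUCKET_TEMPLATE), indent=2))
```

Running it prints the two findings and the narrower policy. The Principal check treats {"AWS": "*"} and a bare "*" the same, since both mean anonymous access in a resource policy; a missing Principal is not flagged because a bucket policy without one is rejected by S3 anyway.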