(aws-cloudfront-origins): Enable S3 versioned access for OAC #33034
Labels
@aws-cdk/aws-cloudfront-origins
Related to CloudFront Origins for the CDK CloudFront Library
effort/medium
Medium work item – several days of effort
feature-request
A feature should be added or improved.
p2
Comments
matthiasgubler
added
feature-request
github-actions
bot
added
the
@aws-cdk/aws-cloudfront-origins
|
Makes sense to me. We welcome the PRs and let address this issue from there. |
pahud
added
p2
effort/medium
matthiasgubler
added a commit
to matthiasgubler/aws-cdk
that referenced
this issue
Jan 21, 2025
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws#33034
matthiasgubler
changed the title
matthiasgubler
added a commit
to matthiasgubler/aws-cdk
that referenced
this issue
Jan 21, 2025
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws#33034
1 task
matthiasgubler
added a commit
to matthiasgubler/aws-cdk
that referenced
this issue
Jan 22, 2025
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws#33034
matthiasgubler
added a commit
to matthiasgubler/aws-cdk
that referenced
this issue
Jan 22, 2025
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws#33034
matthiasgubler
added a commit
to matthiasgubler/aws-cdk
that referenced
this issue
Jan 22, 2025
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws#33034
|
@pahud My PR is open for some time now but has a failing check: This is in some generated code for the integration tests. I deleted all the generated assets, ensured using all the newest versions and regenerated everything, however there was no change to the asset that causes issues. Is there someone who could help me getting this fixed and moved forward? |
mergify bot
pushed a commit
that referenced
this issue
Feb 20, 2025
### Issue # (if applicable) Closes #33034 ### Reason for this change This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects via CloudFront. ### Description of changes Added a new `AccessLevel.READ_VERSIONED`, to extend the list of the OAC access levels, which extends the S3 bucket policy to contain `s3:GetObjectVersion`. I followed the existing patterns for the different AccessLevels, to make the change as small as possible. This enables versioned S3 bucket origins to allow the CloudFront distribution to access object versions. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Added a new unit-test and a new integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Comments on closed issues and PRs are hard for our team to see. |
yashkh-amzn
pushed a commit
to yashkh-amzn/aws-cdk
that referenced
this issue
Feb 21, 2025
### Issue # (if applicable) Closes aws#33034 ### Reason for this change This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects via CloudFront. ### Description of changes Added a new `AccessLevel.READ_VERSIONED`, to extend the list of the OAC access levels, which extends the S3 bucket policy to contain `s3:GetObjectVersion`. I followed the existing patterns for the different AccessLevels, to make the change as small as possible. This enables versioned S3 bucket origins to allow the CloudFront distribution to access object versions. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Added a new unit-test and a new integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the feature
By calling
S3BucketOrigin.withOriginAccessControlthe access-levels only allow for adding for the bucket actions3:GetObjectbut there is no way to easily adds3:GetObjectVersion. In order to get that, the bucket permissions must be extended manually.There should be a way to extend the access levels, have a way to manually extend required actions or set a flag to enable versioned access.
Use Case
I created an S3 origin with OAC to provide a signed url and allow the
versionIdto be passed, so the user can download a specific object version. I needed to extend the bucket permission manually, by adding the action's3:GetObjectVersion'for the distributionId.Proposed Solution
I see three possible solutions:
AccessLevelto have aREAD_VERSIONEDversionedin the properties on creating the OACOther Information
No response
Acknowledgements
CDK version used
2.167.1
Environment details (OS name and version, etc.)
MacOS
The text was updated successfully, but these errors were encountered: