I'm trying to deploy a static website to an S3 bucket through Bitbucket Pipelines but I'm getting an Access Denied error on the PutObject operation.
The bucket doesn't have public access; it is served through CloudFront distributions.
VERIFIED CHECKS:
```json
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::qa.polarunicorn.com/*"
    }
  ]
}
```
bitbucket-pipelines.yml
```yaml
image: node:10.15.3
pipelines:
  custom:
    qa:
      - step:
          name: QA - Install, test and build
          caches:
            - node
          script:
            - yarn
            - yarn test
            - yarn build:dev
          artifacts:
            - dist/**
      - step:
          name: QA - Deploy on S3
          deployment: test
          script:
            - pipe: atlassian/aws-s3-deploy:0.3.7
              variables:
                AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
                AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
                AWS_DEFAULT_REGION: '$AWS_REGION_NAME'
                S3_BUCKET: '$QA_BUCKET'
                ACL: 'public-read'
                LOCAL_PATH: 'dist'
                DELETE_FLAG: 'true'
```
Pipeline's build status:
I have found and tried all the possible solutions but I'm not able to catch the actual issue here, because everything looks good, as expected... ☹️
Hi @Gulshan kumar, do you have any other bucket ACLs, IAM policies or bucket policies configured? Does the IAM user own the bucket and/or the objects that you try to update?
Thanks for the update @Alexander Zhukov. I just found the issue, and it requires only a minor change: the ACL value in bitbucket-pipelines.yml needs to be updated to:
ACL: 'bucket-owner-full-control'
Earlier I was using:
ACL: 'public-read'
(see the question above)
---
All the valid values are:
private | public-read | public-read-write | authenticated-read | bucket-owner-read | bucket-owner-full-control
Default: private
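The pattern in this thread, a CI user uploading with a public canned ACL into a bucket that is meant to stay private behind CloudFront, is worth catching before the deploy step runs. The following is an added pre-flight check, not code from the thread or from the aws-s3-deploy pipe: it models how S3 Block Public Access (BlockPublicAcls) and Object Ownership decide whether a PutObject that carries a given canned ACL is accepted, and which ACL a private, CloudFront-fronted bucket should use. `BucketSettings`, `check_put_acl` and `recommended_acl` are hypothetical names, and the bucket settings are constructed; real values would come from `aws s3api get-public-access-block` and `get-bucket-ownership-controls`.

```python
"""Pre-flight ACL check for an S3 deploy step (added example, not the pipe's code)."""
from dataclasses import dataclass
from typing import Tuple

# Canned ACLs that grant the AllUsers or AuthenticatedUsers group;
# S3 Block Public Access treats both groups as "public".
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
VALID_CANNED_ACLS = PUBLIC_CANNED_ACLS | {
    "private", "bucket-owner-read", "bucket-owner-full-control"}


@dataclass(frozen=True)
class BucketSettings:
    block_public_acls: bool   # PublicAccessBlock.BlockPublicAcls
    object_ownership: str     # BucketOwnerEnforced | BucketOwnerPreferred | ObjectWriter


def check_put_acl(acl: str, bucket: BucketSettings) -> Tuple[bool, str]:
    """Return (accepted, reason) for a PutObject that sets canned ACL `acl`."""
    if acl not in VALID_CANNED_ACLS:
        return False, f"{acl!r} is not a valid canned ACL"
    if bucket.object_ownership == "BucketOwnerEnforced" and acl != "bucket-owner-full-control":
        # ACLs are disabled: S3 rejects any other ACL with AccessControlListNotSupported.
        return False, "ACLs are disabled on this bucket; only 'bucket-owner-full-control' is accepted"
    if bucket.block_public_acls and acl in PUBLIC_CANNED_ACLS:
        # This is the 403 Access Denied seen in the thread: the request itself is public.
        return False, f"BlockPublicAcls rejects PutObject with public ACL {acl!r}"
    return True, "ok"


def recommended_acl(bucket: BucketSettings, public_website: bool = False) -> str:
    """Pick the ACL the deploy pipe should set for this bucket."""
    if bucket.object_ownership == "BucketOwnerEnforced" or not public_website:
        # Private bucket served via CloudFront: keep objects owned by the bucket owner.
        return "bucket-owner-full-control"
    if bucket.block_public_acls:
        raise ValueError("public website requested but BlockPublicAcls is enabled")
    return "public-read"


# Constructed settings matching the thread: public access blocked, ACLs still enabled.
QA_BUCKET = BucketSettings(block_public_acls=True, object_ownership="ObjectWriter")

if __name__ == "__main__":
    for acl in ("public-read", recommended_acl(QA_BUCKET)):
        accepted, why = check_put_acl(acl, QA_BUCKET)
        print(f"ACL={acl}: {'OK' if accepted else 'DENIED'} ({why})")
```

Running the check against the constructed QA bucket reports `public-read` as denied and `bucket-owner-full-control` as accepted, which is the change the answer above arrived at.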
Is there any way it can mistakenly update all my buckets?