How to add OriginAccessIdentity to AWS S3 Bucket Policy using troposphere

Jez D

I have an AWS CloudFormation stack, created in Python using Troposphere. I need to add an OriginAccessIdentity to the S3 bucket access policy.

Amongst other things, I am importing the following:

from awacs.aws import (
    Allow,
    Policy,
    AWSPrincipal,
    Statement
)

Part of the stack creates a CloudFront distribution, adding an S3 Origin with just one associated CacheBehavior. This works fine; the Origin and behavior are created and can be seen in the AWS CloudFront console.

I have used the following code to create an OriginAccessIdentity:

cloudfrontOriginAccessIdentity = t.add_resource(CloudFrontOriginAccessIdentity(
    "cloudfrontOriginAccessIdentity",
    CloudFrontOriginAccessIdentityConfig=CloudFrontOriginAccessIdentityConfig(
        Comment="React-Pattern-Origin-Access-Identity"
    )
))

Again, this works fine and the OriginAccessIdentity is created and can be seen in the AWS Cloudfront console, and is associated with the Origin.

I am using the following code to create a S3BucketPolicy:

t.add_resource(s3.BucketPolicy(
    "reactBucketPolicy",
    Bucket=Ref("ParamS3BucketName"),
    PolicyDocument=dict(
        Statement=[dict(
            Sid="reactBucketPolicyStatement01",
            Effect="Allow",
            Action=[
                "s3:GetObject"
            ],
            Principal=AWSPrincipal(["*"]),
            Resource=[Join("", ["arn:aws:s3:::", Ref("ParamS3BucketName"), "/*"])],
        )],
    )
))

This too works fine, with the policy being generated and attached to the bucket; it can be seen in the AWS S3 console. The issue I am having is trying to replace
Principal=AWSPrincipal(["*"])
with
Principal=AWSPrincipal([<the_origin_access_identity>])

I have tried
Principal=AWSPrincipal([Join("", ["origin-access-identity/cloudfront/", "Ref(cloudfrontoriginaccessidentity)"])])
and
Principal=AWSPrincipal([Ref(cloudfrontoriginaccessidentity)])

but Cloudformation rejects the update, saying that the Principal is invalid. What do I need to replace the * with in order to get Cloudformation to add my OriginAccessIdentity as the principal to the policy?

Jez D

Replace this:

Principal=AWSPrincipal(["*"]),

with this:

# Principal is awacs.aws.Principal; GetAtt comes from troposphere
# (from troposphere import GetAtt) and reads the OAI's canonical user ID.
Principal=Principal(
    "CanonicalUser",
    GetAtt(cloudfrontOriginAccessIdentity, "S3CanonicalUserId"),
),

Replace this:

from awacs.aws import (
    Allow,
    Policy,
    AWSPrincipal,
    Statement
)

with this:

from awacs.aws import (
    Allow,
    Policy,
    Principal,
    Statement
)
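The rendered output of the answer above, as an added example that is not part of the original question or answer. It builds, in plain Python without troposphere so that it runs offline, the CloudFormation JSON that the snippets produce for both the wildcard principal (what AWSPrincipal(["*"]) renders to) and the OAI CanonicalUser principal (what Principal("CanonicalUser", GetAtt(..., "S3CanonicalUserId")) renders to), and adds a small check that flags Allow statements with a wildcard principal, which is the state the bucket is in before the fix. The logical IDs, parameter name and comment string are the ones from the question; the template scaffolding and the checker functions (oai_principal, build_template, public_statements and friends) are names chosen here for illustration.

```python
import json
from typing import Any, List

# Logical IDs and the parameter name come from the question above; the
# template scaffolding and checker below are constructed for illustration.
OAI_ID = "cloudfrontOriginAccessIdentity"
BUCKET_PARAM = "ParamS3BucketName"


def oai_resource(comment: str) -> dict:
    """Rendered form of troposphere's CloudFrontOriginAccessIdentity resource."""
    return {
        "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
        "Properties": {
            "CloudFrontOriginAccessIdentityConfig": {"Comment": comment}
        },
    }


def public_principal() -> dict:
    """What awacs AWSPrincipal(["*"]) renders to: any caller may read."""
    return {"AWS": ["*"]}


def oai_principal(oai_logical_id: str) -> dict:
    """What awacs Principal("CanonicalUser", GetAtt(oai, "S3CanonicalUserId"))
    renders to. Ref(oai) would yield the OAI *ID*, which is not a principal;
    the bucket policy needs the canonical user ID exposed by S3CanonicalUserId."""
    return {"CanonicalUser": {"Fn::GetAtt": [oai_logical_id, "S3CanonicalUserId"]}}


def get_object_statement(sid: str, principal: dict) -> dict:
    """The s3:GetObject statement from the question with a pluggable principal."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Principal": principal,
        "Resource": [
            {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": BUCKET_PARAM}, "/*"]]}
        ],
    }


def build_template(restrict_to_oai: bool) -> dict:
    """Minimal template: the OAI plus the bucket policy, before or after the fix."""
    principal = oai_principal(OAI_ID) if restrict_to_oai else public_principal()
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {BUCKET_PARAM: {"Type": "String"}},
        "Resources": {
            OAI_ID: oai_resource("React-Pattern-Origin-Access-Identity"),
            "reactBucketPolicy": {
                "Type": "AWS::S3::BucketPolicy",
                "Properties": {
                    "Bucket": {"Ref": BUCKET_PARAM},
                    "PolicyDocument": {
                        "Statement": [
                            get_object_statement("reactBucketPolicyStatement01", principal)
                        ]
                    },
                },
            },
        },
    }


def is_public_statement(stmt: dict) -> bool:
    """True for an Allow statement whose principal is the wildcard, i.e. objects
    are readable by anyone rather than only through the CloudFront distribution."""
    if stmt.get("Effect") != "Allow":
        return False
    principal: Any = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws_list = aws if isinstance(aws, list) else [aws]
        return "*" in aws_list
    return False


def public_statements(template: dict) -> List[str]:
    """Sids of wildcard-principal Allow statements across all bucket policies."""
    found = []
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        doc = res["Properties"]["PolicyDocument"]
        for stmt in doc.get("Statement", []):
            if is_public_statement(stmt):
                found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    for restricted in (False, True):
        tpl = build_template(restricted)
        print(json.dumps(tpl["Resources"]["reactBucketPolicy"], indent=2))
        print("public statements:", public_statements(tpl))
```

Running the block prints the bucket policy resource twice, first with `"Principal": {"AWS": ["*"]}` (flagged as public) and then with `"Principal": {"CanonicalUser": {"Fn::GetAtt": ["cloudfrontOriginAccessIdentity", "S3CanonicalUserId"]}}` (nothing flagged). The same `public_statements` check can be run over any rendered template, for example `t.to_dict()` from a troposphere stack, before it is deployed.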
