Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-cloudfront-origins): Enable S3 versioned access for OAC #33034

Open
1 of 2 tasks
matthiasgubler opened this issue Jan 21, 2025 · 1 comment · May be fixed by #33038
Open
1 of 2 tasks

(aws-cloudfront-origins): Enable S3 versioned access for OAC #33034

matthiasgubler opened this issue Jan 21, 2025 · 1 comment · May be fixed by #33038
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@matthiasgubler
Copy link
Contributor

Describe the feature

By calling S3BucketOrigin.withOriginAccessControl the access-levels only allow for adding for the bucket action s3:GetObject but there is no way to easily add s3:GetObjectVersion. In order to get that, the bucket permissions must be extended manually.

There should be a way to extend the access levels, have a way to manually extend required actions or set a flag to enable versioned access.

Use Case

I created an S3 origin with OAC to provide a signed url and allow the versionId to be passed, so the user can download a specific object version. I needed to extend the bucket permission manually, by adding the action 's3:GetObjectVersion' for the distributionId.

Proposed Solution

I see three possible solutions:

  • Extend the enum AccessLevel to have a READ_VERSIONED
  • Add a way, to extend the policy per OAC by passing a list of actions
  • Have a flag versioned in the properties on creating the OAC

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.167.1

Environment details (OS name and version, etc.)

MacOS
@matthiasgubler matthiasgubler added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 21, 2025
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Jan 21, 2025
@pahud
Copy link
Contributor

pahud commented Jan 21, 2025

Makes sense to me. We welcome the PRs and let address this issue from there.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 21, 2025
matthiasgubler added a commit to matthiasgubler/aws-cdk that referenced this issue Jan 21, 2025
@matthiasgubler
Add CloudFront AccessLevel.READ_VERSIONED
c87c348 
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects

Fixes aws#33034
@matthiasgubler matthiasgubler changed the title (aws-cloudfron-origins): Enable S3 versioned access for OAC (aws-cloudfront-origins): Enable S3 versioned access for OAC Jan 21, 2025
matthiasgubler added a commit to matthiasgubler/aws-cdk that referenced this issue Jan 21, 2025
@matthiasgubler
Add CloudFront AccessLevel.READ_VERSIONED
7aaae57 
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects

Fixes aws#33034
@matthiasgubler matthiasgubler linked a pull request Jan 21, 2025 that will close this issue
Open
1 task
matthiasgubler added a commit to matthiasgubler/aws-cdk that referenced this issue Jan 22, 2025
@matthiasgubler
Add CloudFront AccessLevel.READ_VERSIONED
ba38355 
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects

Fixes aws#33034
matthiasgubler added a commit to matthiasgubler/aws-cdk that referenced this issue Jan 22, 2025
@matthiasgubler
Add CloudFront AccessLevel.READ_VERSIONED
8b6d00d 
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects

Fixes aws#33034
matthiasgubler added a commit to matthiasgubler/aws-cdk that referenced this issue Jan 22, 2025
@matthiasgubler
Add CloudFront AccessLevel.READ_VERSIONED
51ce2c9 
This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects

Fixes aws#33034
@github-actions github-actions bot mentioned this issue Feb 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(cloudfront-origins): read versioned access level matthiasgubler/aws-cdk
2 participants
@pahud @matthiasgubler