aws-cdk: [cli] deploy cannot specify S3 SSE for asset upload
Reproduction Steps
- cdk bootstrap with the legacy bootstrap, providing a KMS key ID as a parameter
- have an SCP set up that denies s3:PutObject if s3:x-amz-server-side-encryption is missing
- create a CDK app that provisions a Lambda asset
- execute cdk deploy
- the deploy fails with an Access Denied error
What did you expect to happen?
I expect cdk deploy to explicitly use the KMS key I specified in the bootstrap when uploading assets.
What actually happened?
cdk deploy does not provide SSE and the deploy fails with Access Denied.
It appears to be relying on the S3 default encryption instead of specifying the SSE options on the S3 PutObject request.
Environment
- CLI Version: 1.71.0
- Framework Version:
- Node.js Version: v12.16.1
- OS: Windows 10
- Language (Version): Python 3.8.5
Other
This is 🐛 Bug Report
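The following is an added example, not code from aws-cdk or from the issue author. It models the failure described above: an SCP that denies s3:PutObject whenever the request itself carries no s3:x-amz-server-side-encryption header, a PutObject that relies on bucket default encryption (which such an SCP rejects), and an uploader that first reads the bucket's default encryption rule and then repeats it as explicit PutObject parameters, the approach the later CLI fix takes (which is why that fix also grants s3:GetEncryptionConfiguration). The SCP, the bucket encryption configuration, the placeholder key ARN and the FakeS3 stand-in client are all constructed for the example; the only real API shapes used are boto3's get_bucket_encryption / put_object parameters.

```python
# Added example (not aws-cdk code). Models the report: implicit SSE is denied
# by the SCP, explicit SSE copied from the bucket's default rule is allowed.
from typing import Any, Dict, Optional

# Constructed SCP in the shape the report describes.
SCP_DENY_UNENCRYPTED_PUT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
}

# Constructed GetBucketEncryption payload for a bootstrap bucket whose default
# rule is SSE-KMS with a customer-managed key (placeholder ARN, not a real key).
BUCKET_ENCRYPTION_KMS = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    }}]
}


def scp_denies_put(policy: dict, request_keys: Dict[str, str]) -> bool:
    """True if a Deny statement covering s3:PutObject with a "Null" condition
    matches the request's condition keys. Only the operator the example SCP
    uses is handled; this is not a general IAM evaluator. "Null": {k: "true"}
    matches when k is absent from the request, "false" when it is present."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if all((key not in request_keys) == (str(want).lower() == "true")
               for key, want in null_cond.items()):
            return True
    return False


def sse_args_from_bucket_encryption(config: Optional[dict]) -> Dict[str, str]:
    """Turn a ServerSideEncryptionConfiguration into explicit put_object kwargs.
    None (no default-encryption rule) yields no kwargs, i.e. the request the
    report says fails."""
    if not config:
        return {}
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    args = {"ServerSideEncryption": rule["SSEAlgorithm"]}
    if rule["SSEAlgorithm"] == "aws:kms" and rule.get("KMSMasterKeyID"):
        args["SSEKMSKeyId"] = rule["KMSMasterKeyID"]
    return args


def condition_keys_for_put(put_args: Dict[str, str]) -> Dict[str, str]:
    """IAM condition keys S3 derives from the SSE headers a PutObject carries."""
    keys = {}
    if "ServerSideEncryption" in put_args:
        keys["s3:x-amz-server-side-encryption"] = put_args["ServerSideEncryption"]
    if "SSEKMSKeyId" in put_args:
        keys["s3:x-amz-server-side-encryption-aws-kms-key-id"] = put_args["SSEKMSKeyId"]
    return keys


def upload_with_explicit_sse(s3: Any, bucket: str, key: str, body: bytes) -> Dict[str, str]:
    """Read the bucket's default encryption (needs s3:GetEncryptionConfiguration)
    and repeat it on the PutObject. If the rule cannot be read (no rule, or no
    permission) fall back to a plain PutObject so callers without the new
    permission keep their current behaviour. Returns the SSE kwargs used."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]
    except Exception as err:  # botocore ClientError carries the code in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code not in ("ServerSideEncryptionConfigurationNotFoundError", "AccessDenied"):
            raise
        cfg = None
    sse = sse_args_from_bucket_encryption(cfg)
    s3.put_object(Bucket=bucket, Key=key, Body=body, **sse)
    return sse


class FakeS3:
    """Constructed stand-in for a boto3 S3 client that enforces the SCP."""
    def __init__(self, encryption: Optional[dict]):
        self.encryption = encryption

    def get_bucket_encryption(self, Bucket: str) -> dict:
        return {"ServerSideEncryptionConfiguration": self.encryption}

    def put_object(self, Bucket: str, Key: str, Body: bytes, **kwargs) -> dict:
        if scp_denies_put(SCP_DENY_UNENCRYPTED_PUT, condition_keys_for_put(kwargs)):
            raise PermissionError("AccessDenied: s3:PutObject denied by SCP")
        return {"ServerSideEncryption": kwargs.get("ServerSideEncryption")}


def demo() -> Dict[str, Any]:
    """Implicit SSE (what the report sees) is denied; explicit SSE is allowed."""
    s3 = FakeS3(BUCKET_ENCRYPTION_KMS)
    try:
        s3.put_object(Bucket="cdk-assets", Key="asset.zip", Body=b"zip-bytes")
        implicit = "allowed"
    except PermissionError:
        implicit = "AccessDenied"
    explicit = upload_with_explicit_sse(s3, "cdk-assets", "asset.zip", b"zip-bytes")
    return {"implicit": implicit, "explicit": explicit}
```

Against a real account, replace FakeS3 with a boto3 client: get_bucket_encryption(Bucket=...) returns the same ServerSideEncryptionConfiguration shape, and put_object accepts ServerSideEncryption and SSEKMSKeyId as shown. Note that the uploader only works if the deploying role is allowed s3:GetEncryptionConfiguration on the asset bucket; without it the fallback path sends a plain PutObject and the SCP rejects it exactly as in the report.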
About this issue
- State: closed
- Created 4 years ago
- Reactions: 24
- Comments: 17 (5 by maintainers)
Commits related to this issue
- fix(cli): added serverside encryption header based on default bucketEncryption. Added s3:GetEncryptionConfiguration to bootstrap-template to be able to read the s3 bucket encryption with file-publishi... — committed to ArlindNocaj/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): added test cases for sse header flow. new flow should not influence the currently bootstrapped cdk projects. (#11265) — committed to ArlindNocaj/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): added testcase for AccessDenied to make sure existing CDK users without using bootstrap are not impacted.(#11265) — committed to ArlindNocaj/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): S3 asset uploads are rejected by commonly referenced encryption SCP (introduces bootstrap stack v9) (#17668) Many organizations around the world have started to use a specific Service Contr... — committed to aws/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): S3 asset uploads are rejected by commonly referenced encryption SCP (introduces bootstrap stack v9) (#17668) Many organizations around the world have started to use a specific Service Contr... — committed to beezly/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): S3 asset uploads are rejected by commonly referenced encryption SCP (introduces bootstrap stack v9) (#17668) Many organizations around the world have started to use a specific Service Contr... — committed to pedrosola/aws-cdk by ArlindNocaj 3 years ago
- fix(cli): S3 asset uploads are rejected by commonly referenced encryption SCP (introduces bootstrap stack v9) (#17668) Many organizations around the world have started to use a specific Service Contr... — committed to TikiTDO/aws-cdk by ArlindNocaj 3 years ago
Adding onto this, this is a strange feature to leave out considering it exists in other AWS-provided tools. This is a fairly common SCP in larger environments.
Are there any plans on adding an argument to cdk deploy to fix this?