feat: Stop requiring s3:ListAllMyBuckets IAM permission unless needed (for bucket ACL)
#243
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
theipster
changed the title
s3:ListAllMyBuckets IAM permission unless needed.s3:ListAllMyBuckets IAM permission unless needed.
theipster
force-pushed
the
skip-list-my-buckets-permission
branch
2 times, most recently
from
ef20375
to
f99ead3
Compare
|
This PR has been automatically marked as stale because it has been open 30 days |
This removes the otherwise unnecessary need for the `s3:ListAllMyBuckets` permission.
If `var.owner["id"]` is provided, then `aws_canonical_user_id` is still not needed.
theipster
force-pushed
the
skip-list-my-buckets-permission
branch
from
f99ead3
to
f2af914
Compare
|
Bump please |
antonbabenko
changed the title
s3:ListAllMyBuckets IAM permission unless needed.s3:ListAllMyBuckets IAM permission unless needed (for bucket ACL)
antonbabenko
changed the title
s3:ListAllMyBuckets IAM permission unless needed (for bucket ACL)s3:ListAllMyBuckets IAM permission unless needed (for bucket ACL)
antonbabenko
pushed a commit
that referenced
this pull request
Aug 22, 2023
## [3.15.0](v3.14.1...v3.15.0) (2023-08-22) ### Features * Stop requiring `s3:ListAllMyBuckets` IAM permission unless needed (for bucket ACL) ([#243](#243)) ([74fcc60](74fcc60))
|
This PR is included in version 3.15.0 🎉 |
udyavar
pushed a commit
to udyavar/terraform-aws-s3-bucket
that referenced
this pull request
Aug 29, 2023
…ovisionerBrokenSSH Ubuntu 2204 broke SSH connectivity fix key type
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This skips executing the
data.aws_canonical_user_id.thisdata source unless it is actually needed.The data source is only needed when the
aws_s3_bucket_acl.thisresource needs to be created and thevar.owner["id"]value isn't available.Motivation and Context
As per the
data.aws_canonical_user_iddocumentation, this data source requires thes3:ListAllMyBucketsIAM permission. Note that this permission isn't required by anything else in this module.When the data source isn't needed, then by the principle of least privilege, we shouldn't require the
s3:ListAllMyBucketspermission.This additional permission is particularly obvious when migrating existing
aws_s3_*resources into this module.Breaking Changes
Not a breaking change:
s3:ListAllMyBucketspermission, the module will continue to behave as before except simply skip theListBucketsS3 API calls.How Has This Been Tested?
examples/*to demonstrate and validate my change(s) - No interface changes.examples/*projectspre-commit run -aon my pull request