static-site construct will not deploy #320
Comments
I'm also running into this. 100% fatal issue for the static-website construct |
single-page-app will work as a workaround for now |
Thanks for the report, does anyone have a good suggestion for a solution/PR? |
FYI, it looks like this is Amazon's announcement of the change in default policy: "Advanced Notice: Amazon S3 will automatically enable S3 Block Public Access and disable access control lists for all new buckets starting in April 2023"
The exact error that occurs is
I wish I could suggest a solution, but I'm afraid that at this time, the problem exceeds the limits of my AWS policy/permissions knowledge. Of course, this is a big reason why I use Serverless Framework & serverless-lift. |
Workaround: you can disable the BlockPublicPolicy with the PublicAccessBlockConfiguration property of the S3 bucket CloudFormation structure. Use the extension property of your Lift construct:
|
@peebam Since the bucket is created by serverless-lift, how do you know the BucketName? |
The BucketName property is not mandatory. In this extract of code, we manage the bucket name. I fixed my comment. |
@peebam Thanks for that workaround! Looks like that's working |
(dummy question here) |
Like so:
|
For me even the suggested snippet doesn't help. The basic static-website construct fails with a message:
The serverless user is allowed to create S3 Buckets, of course. Moreover, if I change the static-website to single-page-app, no error appears and deploy works in a normal way. |
The issue is here: lift/src/constructs/aws/StaticWebsite.ts Lines 67 to 77 in a91e293
This object needs to now return a BlockPublicAccess object, with every field set to false. Docs: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BlockPublicAccess.html

Example:

```ts
blockPublicAccess: new BlockPublicAccess({
  blockPublicAcls: false,
  blockPublicPolicy: false,
  ignorePublicAcls: false,
  restrictPublicBuckets: false
})
```

(You will need to import I solved this by doing a local patch (via |
I will try to fix this in a PR |
Description
As of April 2023, the default security on an S3 bucket is to Block Public Access. This creates a conflict with the native behavior of the static-site construct which sets a Policy s3:GetObject using AWS:"*" as the Principal. The deployment will fail with an API: Access Denied error when using this with lift and serverless.
How to Reproduce
1
Additional Information
No response
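
The conflict described in this issue can be caught before deploying. The following is an added example, not code from Lift or from anyone in this thread: it scans a CloudFormation template for buckets whose policy grants s3:GetObject to Principal AWS "*" while BlockPublicPolicy has not been explicitly set to false. The function names, logical IDs and sample template are constructed for illustration, and it assumes a bucket without that explicit setting gets the block-by-default behaviour the issue describes.

```typescript
// Added example; types, names and the sample template are constructed.
type Resource = { Type: string; Properties?: any };
type Template = { Resources: { [logicalId: string]: Resource } };

function asList(v: any): any[] {
  return Array.isArray(v) ? v : v === undefined ? [] : [v];
}

// True when a statement lets any principal read objects, like the
// s3:GetObject / AWS "*" policy described in this issue.
function isPublicRead(stmt: any): boolean {
  const p = stmt.Principal;
  const anyone = p === "*" || (!!p && asList(p.AWS).indexOf("*") !== -1);
  const actions = asList(stmt.Action);
  const reads = actions.indexOf("s3:GetObject") !== -1 || actions.indexOf("s3:*") !== -1;
  return stmt.Effect === "Allow" && anyone && reads;
}

// Logical IDs of buckets whose public-read policy would be rejected at deploy.
// Assumption: only an explicit BlockPublicPolicy: false lifts the default block.
function bucketsBlockingPublicPolicy(t: Template): string[] {
  const blocked: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (!res || res.Type !== "AWS::S3::BucketPolicy" || !res.Properties) continue;
    const stmts = asList((res.Properties.PolicyDocument || {}).Statement);
    if (!stmts.some(isPublicRead)) continue;
    const ref = res.Properties.Bucket;
    const bucketId = String(ref && ref.Ref ? ref.Ref : ref);
    const bucket = t.Resources[bucketId];
    const pab = (bucket && bucket.Properties && bucket.Properties.PublicAccessBlockConfiguration) || {};
    if (pab.BlockPublicPolicy !== false && blocked.indexOf(bucketId) === -1) blocked.push(bucketId);
  }
  return blocked;
}

// Constructed template: a bucket plus the public-read policy attached to it.
function sampleTemplate(bucketProps?: any): Template {
  return {
    Resources: {
      LandingBucket: { Type: "AWS::S3::Bucket", Properties: bucketProps },
      LandingBucketPolicy: {
        Type: "AWS::S3::BucketPolicy",
        Properties: {
          Bucket: { Ref: "LandingBucket" },
          PolicyDocument: { Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject" }] },
        },
      },
    },
  };
}
```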