
I'm running a GitHub CD action that takes some files from my repo and tries to upload them to an S3 bucket I have.

The action runs this command:

/usr/bin/docker run --name e4f859ff89ec6549659693150859a75828_d1b6eb --label 5588e4 --workdir /github/workspace --rm -e AWS_S3_BUCKET -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_REGION -e SOURCE_DIR -e INPUT_ARGS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/prepay-frontend/prepay-frontend":"/github/workspace" 5588e4:f859ff89ec6549659693150859a75828 --acl public-read --follow-symlinks --delete 

The AWS_S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION are obfuscated for privacy reasons, but I'm sure they are configured correctly because I can see from my AWS console that the user associated with AWS_ACCESS_KEY_ID is being used.

The problem is that I get this error:

upload failed: public/index.html to s3://***/index.html An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

I don't understand why; this is the policy associated with the user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::MY-bucket-name"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": ["arn:aws:s3:::MY-bucket-name/*"]
    }
  ]
}

And if I'm not wrong, that policy grants full control over the files in the bucket MY-bucket-name to the user. What am I missing here?

1 Answer


What if you change the policy from s3:*Object to s3:* for a test to verify that it’s indeed this policy that’s blocking the request?

Perhaps there’s a Bucket Policy or SCP or Policy boundary that’s interfering with the request. None of them must Deny access in order for it to succeed.

Hope that helps :)
