fix(codepipeline-actions): BitBucketAction fails with S3 "Access deni…

…ed" error (#13637) Previously access control lists for putObject was not called. This had led in getting access denied issue when trying to upload objects into the s3 bucket fixes #13557 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Mar 22, 2021 · 77ce45d · 77ce45d
1 parent 5d62331
commit 77ce45d
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts b/packages/@aws-cdk/aws-codepipeline-actions/lib/bitbucket/source-action.ts
@@ -117,6 +117,7 @@ export class BitBucketSourceAction extends Action {
 
     // the action needs to write the output to the pipeline bucket
     options.bucket.grantReadWrite(options.role);
+    options.bucket.grantPutAcl(options.role);
 
     // if codeBuildCloneOutput is true,
     // save the connectionArn in the Artifact instance

diff --git a/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts b/packages/@aws-cdk/aws-codepipeline-actions/test/bitbucket/bitbucket-source-action.test.ts
@@ -1,4 +1,4 @@
-import { expect, haveResourceLike } from '@aws-cdk/assert';
+import { arrayWith, expect, haveResourceLike, objectLike } from '@aws-cdk/assert';
 import * as codebuild from '@aws-cdk/aws-codebuild';
 import * as codepipeline from '@aws-cdk/aws-codepipeline';
 import { Stack } from '@aws-cdk/core';
@@ -82,7 +82,37 @@ nodeunitShim({
 
     test.done();
   },
-
+  'grant s3 putObjectACL to the following CodeBuild Project'(test: Test) {
+    const stack = new Stack();
+    createBitBucketAndCodeBuildPipeline(stack, {
+      codeBuildCloneOutput: true,
+    });
+    expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
+      'PolicyDocument': {
+        'Statement': arrayWith(
+          objectLike({
+            'Action': 's3:PutObjectAcl',
+            'Effect': 'Allow',
+            'Resource': {
+              'Fn::Join': [
+                '',
+                [
+                  {
+                    'Fn::GetAtt': [
+                      'PipelineArtifactsBucket22248F97',
+                      'Arn',
+                    ],
+                  },
+                  '/*',
+                ],
+              ],
+            },
+          }),
+        ),
+      },
+    }));
+    test.done();
+  },
   'setting triggerOnPush=false reflects in the configuration'(test: Test) {
     const stack = new Stack();