Add .withForceGlobalBucketAccessEnabled(true) to the S3 client builder.
This will enable cross-region + cross-account access to S3 buckets. While S3 bucket names are globally unique, the data within each bucket is stored in a specific region chosen by the user, and the StateMachine resource handler cannot handler the scenario where the S3 bucket (that is created in a separate account) location is different from the region where the Create Handler is invoked when the bucket is from a different account. (Seems to be a limitation of the S3 client)
Currently, if the bucket is created in a different account and if the region where the bucket is physically located differs from the client config in AwsClientBuilder.setRegion(String), then the GetObject call to S3 fails and the Create handler is unable to retrieve the definition from the S3 bucket, resulting in CREATE_FAILED
This change won't impact existing users of the handler. The client still first calls to DEFAULT_REGION_PROVIDER, and enabling this config modifies the behavior such that instead of immediately failing if the S3 bucket's location does not match, the client will correctly determine where to route the request if the bucket is not located in DEFAULT_REGION_PROVIDER.
When enabled, the region of the bucket can differ from the client config and still succeed, since the client will determine the correct region to route the request.
The following behavior is currently used when this mode is enabled:
The first time a request is made that references an existing bucket (for example, AmazonS3Client.putObject(PutObjectRequest)) a request will be made to the region configured by AwsClientBuilder.setRegion(String) to determine the region in which the bucket was created. This location may be cached in the client for subsequent requests acting on that same bucket.
Enabling this mode has several drawbacks, because it has the potential to increase latency in the event that the location of the bucket is physically far from the location from which the request was invoked. For this reason, it is strongly advised when possible to know the location of your buckets and create a region-specific client to access that bucket.
Issue #, if available: N/A
Description of changes:
Add
.withForceGlobalBucketAccessEnabled(true)to the S3 client builder.This will enable cross-region + cross-account access to S3 buckets. While S3 bucket names are globally unique, the data within each bucket is stored in a specific region chosen by the user, and the StateMachine resource handler cannot handler the scenario where the S3 bucket (that is created in a separate account) location is different from the region where the Create Handler is invoked when the bucket is from a different account. (Seems to be a limitation of the S3 client)
Currently, if the bucket is created in a different account and if the region where the bucket is physically located differs from the client config in AwsClientBuilder.setRegion(String), then the
GetObjectcall to S3 fails and the Create handler is unable to retrieve the definition from the S3 bucket, resulting inCREATE_FAILEDThis change won't impact existing users of the handler. The client still first calls to DEFAULT_REGION_PROVIDER, and enabling this config modifies the behavior such that instead of immediately failing if the S3 bucket's location does not match, the client will correctly determine where to route the request if the bucket is not located in DEFAULT_REGION_PROVIDER.
When enabled, the region of the bucket can differ from the client config and still succeed, since the client will determine the correct region to route the request.
https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#setForceGlobalBucketAccessEnabled-java.lang.Boolean-
Contract tests passed ✅ with this change
The following scenarios were manually tested, and stack creation succeeded:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.