aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

[AWS::S3::BucketPolicy] - [BUG] - CloudFormation hangs for 20 minutes before rolling back when invalid principal is provided #2124

Open garysassano opened 2 months ago

garysassano commented 2 months ago

Name of the resource

AWS::S3::BucketPolicy

Resource Name

No response

Issue Description

I wrote the following code in AWS CDK:

import { RemovalPolicy } from "aws-cdk-lib";
import { Bucket, BucketPolicy } from "aws-cdk-lib/aws-s3";
import { ArnPrincipal, Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";

// uniqueId is a per-stack suffix defined elsewhere in the stack
const policyBucket = new Bucket(this, "PolicyBucket", {
  bucketName: `policy-bucket-${uniqueId}`,
  enforceSSL: true,
  removalPolicy: RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
});

const bucketPolicy = new BucketPolicy(this, "BucketPolicy", {
  bucket: policyBucket,
});

// Grant a single IAM user read access to the bucket and its objects
bucketPolicy.document.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    principals: [
      new ArnPrincipal("arn:aws:iam::123456789012:user/exampleuser"),
    ],
    actions: ["s3:GetObject", "s3:ListBucket"],
    resources: [policyBucket.bucketArn, `${policyBucket.bucketArn}/*`],
  }),
);

It's the same as creating a new S3 bucket with the following policy statement:

{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/exampleuser"
    },
    "Action": [
        "s3:GetBucket*",
        "s3:ListBucket*"
    ],
    "Resource": [
        "arn:aws:s3:::policy-bucket-c8930c4c",
        "arn:aws:s3:::policy-bucket-c8930c4c/*"
    ]
}

Expected Behavior

I assumed CloudFormation would promptly return an error, stating that the principal is invalid when trying to add the S3 policy statement.

In essence, I expected CloudFormation to behave just like the S3 AWS Console, returning an error like this:

[screenshot]

Observed Behavior

Upon deployment, CloudFormation hung for 20 minutes on the creation of the S3 bucket policy:

[screenshot]

Eventually, the stack got rolled back:

[screenshot]

Test Cases

CloudFormation should make an API call to test if the principal exists and immediately return.

Other Details

No response
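As an added example (not code from the issue or from the CloudFormation roadmap project), here is a TypeScript check that a CDK or CI pipeline could run over the synthesized bucket policy before deployment. It validates the structure of every principal in the policy and flags public Allow statements, so a malformed principal fails locally instead of after a 20-minute wait and rollback. The set of accepted "AWS" principal forms (12-digit account ID, IAM root/user/role ARN, STS assumed-role/federated-user ARN) and the sample policy, which reuses the issue's statement plus two constructed bad statements, are assumptions of this example.

```typescript
// Added example: structural pre-deploy check of S3 bucket-policy principals.
// It cannot prove that a principal exists (that needs an IAM lookup, which is
// what the issue asks CloudFormation to do); it catches the malformed forms
// that S3 rejects, and Allow statements open to everyone.

type PolicyStatement = {
  Effect: "Allow" | "Deny";
  Principal?: "*" | Record<string, string | string[]>;
  Action: string | string[];
  Resource: string | string[];
};

type PolicyDocument = { Version: string; Statement: PolicyStatement | PolicyStatement[] };

interface Finding { statementIndex: number; value: string; reason: string; }

// Principal forms accepted under the "AWS" key (assumed set for this example).
const ACCOUNT_ID = /^\d{12}$/;
const IAM_ARN = /^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|(user|role)\/[\w+=,.@/-]+)$/;
const STS_ARN = /^arn:(aws|aws-cn|aws-us-gov):sts::\d{12}:(assumed-role|federated-user)\/[\w+=,.@/-]+$/;
const PRINCIPAL_KEYS = ["AWS", "Service", "Federated", "CanonicalUser"];

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function isWellFormedAwsPrincipal(value: string): boolean {
  return value === "*" || ACCOUNT_ID.test(value) || IAM_ARN.test(value) || STS_ARN.test(value);
}

function checkPolicyPrincipals(doc: PolicyDocument): Finding[] {
  const findings: Finding[] = [];
  asArray(doc.Statement).forEach((stmt, i) => {
    const p = stmt.Principal;
    if (p === undefined) {
      findings.push({ statementIndex: i, value: "", reason: "bucket policy statement has no Principal" });
      return;
    }
    const awsValues = p === "*" ? ["*"] : asArray(p.AWS);
    // Defender check: an Allow to "*" makes the listed actions public.
    if (stmt.Effect === "Allow" && awsValues.includes("*")) {
      findings.push({ statementIndex: i, value: "*", reason: "Allow statement grants access to everyone (public)" });
    }
    if (p === "*") return;
    // A typo'd key such as "ARN" instead of "AWS" is a common way to produce an invalid policy.
    for (const key of Object.keys(p)) {
      if (!PRINCIPAL_KEYS.includes(key)) {
        findings.push({ statementIndex: i, value: key, reason: `unknown Principal key (expected one of ${PRINCIPAL_KEYS.join(", ")})` });
      }
    }
    for (const value of awsValues) {
      if (!isWellFormedAwsPrincipal(value)) {
        findings.push({ statementIndex: i, value, reason: "AWS principal is not an account ID or an IAM/STS principal ARN" });
      }
    }
  });
  return findings;
}

// Constructed sample: statement 0 is the issue's own (well-formed); 1 and 2 are deliberately bad.
const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Principal: { AWS: "arn:aws:iam::123456789012:user/exampleuser" },
      Action: ["s3:GetObject", "s3:ListBucket"],
      Resource: ["arn:aws:s3:::policy-bucket-c8930c4c", "arn:aws:s3:::policy-bucket-c8930c4c/*"],
    },
    {
      Effect: "Allow",
      // malformed ARN (missing the "user/" element) and a typo'd key
      Principal: { AWS: "arn:aws:iam::123456789012:exampleuser", ARN: "arn:aws:iam::123456789012:user/exampleuser" },
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:::policy-bucket-c8930c4c/*",
    },
    {
      Effect: "Allow",
      Principal: "*",
      Action: "s3:GetObject",
      Resource: "arn:aws:s3:::policy-bucket-c8930c4c/*",
    },
  ],
};

for (const f of checkPolicyPrincipals(samplePolicy)) {
  console.log(`statement ${f.statementIndex}: ${f.reason} (${f.value})`);
}
```

A passing structural check is necessary but not sufficient: the issue's own ARN is well-formed and still fails, because the user does not exist in that account. Confirming existence requires an IAM call (iam:GetUser or iam:GetRole) with credentials for the owning account, which is the check the issue asks CloudFormation to perform before it creates the bucket policy.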

reidca commented 1 month ago

This is a very frustrating user experience - I know from experience when CloudFormation is taking a long time with the bucket policy that there is some issue with the principal or resources. Quite why it takes so long to inform you is a mystery.