feat(s3): add grantReplicationPermission for IAM Role permissions #34138


Open · wants to merge 12 commits into base: main

Conversation

hassaku63
Contributor

Issue # (if applicable)

Closes #34119

Reason for this change

This change introduces a new method, grantReplicationPermission, to the aws-cdk-lib.aws_s3.Bucket construct. The purpose of this addition is to provide a more convenient and programmatic way for AWS CDK users to grant the necessary IAM permissions to a user-provided IAM Role that will be used for S3 bucket replication.

Description of changes

This pull request includes the following code changes:

  • Added a new public method grantReplicationPermission to the Bucket class.
  • The implementation of this method programmatically attaches the necessary IAM permissions for S3 bucket replication to the provided identity. This change refactors the renderReplicationConfiguration method by extracting the IAM permission granting functionality into a dedicated grantReplicationPermission method.
  • Added unit and integration tests.
  • The README was updated to show that users can now grant replication rights to custom IAM roles.

Describe any new or updated permissions being added

No new IAM permissions are being added at the CDK level. The permissions granted by the grantReplicationPermission method are the same as those already handled internally by the existing replication configuration logic. This change simply exposes that functionality through a dedicated method.

Description of how you validated changes

  • Added unit tests to verify the functionality of the grantReplicationPermission method, ensuring that the correct IAM policies are attached to the provided role. Notably, the unit tests specifically cover scenarios where an explicit replicationRole is provided.
  • Existing integration tests were run to confirm that no regressions were introduced by this change. In addition, the existing test scenario integ.bucket-replication-use-custom-role.ts was refactored to use the new grantReplicationPermission method instead of manually attaching the required permissions to the IAM role, and its behavior was verified to remain equivalent.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
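As an added example, not code from this pull request or from aws-cdk-lib: a CDK-independent TypeScript sketch of what a "grant replication permission" helper has to produce. It uses the actions AWS documents for an S3 replication role (read on the source bucket and its object versions, replicate on the destination objects), scopes every statement to concrete bucket ARNs, and applies the "destinations must be specified" check that the review below asks a unit test for. The names ReplicationGrantProps, buildReplicationStatements and isLeastPrivilege are assumptions, not the PR's API, and the bucket ARNs are constructed sample values.

```typescript
// Added example (not the PR's code). Hypothetical names throughout;
// the action lists are those AWS documents for an S3 replication role.

interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

interface ReplicationGrantProps {
  sourceBucketArn: string;        // e.g. arn:aws:s3:::my-source (constructed)
  destinationBucketArns: string[]; // one ARN per replication destination
}

// Actions needed on the SOURCE bucket itself.
const SOURCE_BUCKET_ACTIONS = ['s3:GetReplicationConfiguration', 's3:ListBucket'];
// Actions needed on SOURCE object versions.
const SOURCE_OBJECT_ACTIONS = [
  's3:GetObjectVersionForReplication',
  's3:GetObjectVersionAcl',
  's3:GetObjectVersionTagging',
];
// Actions needed on DESTINATION objects.
const DESTINATION_OBJECT_ACTIONS = ['s3:ReplicateObject', 's3:ReplicateDelete', 's3:ReplicateTags'];

// Builds the statements a replication role needs for one source bucket and
// one or more destination buckets, each scoped to the specific ARNs.
function buildReplicationStatements(props: ReplicationGrantProps): PolicyStatement[] {
  // Same shape of check as the one reviewed in the PR: an empty destination
  // list is a configuration error, not a silently empty grant.
  if (props.destinationBucketArns.length === 0) {
    throw new Error('destinations must be specified');
  }
  return [
    { Effect: 'Allow', Action: SOURCE_BUCKET_ACTIONS, Resource: [props.sourceBucketArn] },
    { Effect: 'Allow', Action: SOURCE_OBJECT_ACTIONS, Resource: [`${props.sourceBucketArn}/*`] },
    {
      Effect: 'Allow',
      Action: DESTINATION_OBJECT_ACTIONS,
      // Objects of each destination bucket only, never a wildcard resource.
      Resource: props.destinationBucketArns.map((arn) => `${arn}/*`),
    },
  ];
}

// Review-time check over a generated statement set: every resource must be a
// concrete S3 ARN (no "*") and every action must be on the replication allow-list.
function isLeastPrivilege(statements: PolicyStatement[]): boolean {
  const allowed = new Set([
    ...SOURCE_BUCKET_ACTIONS,
    ...SOURCE_OBJECT_ACTIONS,
    ...DESTINATION_OBJECT_ACTIONS,
  ]);
  return statements.every(
    (s) =>
      s.Resource.every((r) => r !== '*' && r.startsWith('arn:aws:s3:::')) &&
      s.Action.every((a) => allowed.has(a)),
  );
}

// Stand-alone usage with constructed ARNs.
const demoStatements = buildReplicationStatements({
  sourceBucketArn: 'arn:aws:s3:::example-source',
  destinationBucketArns: ['arn:aws:s3:::example-dest-a', 'arn:aws:s3:::example-dest-b'],
});
console.log(JSON.stringify({ Version: '2012-10-17', Statement: demoStatements }, null, 2));
console.log('least privilege:', isLeastPrivilege(demoStatements));
```

The split into three statements is deliberate: bucket-level, source-object and destination-object permissions have different resource ARNs, so collapsing them into one statement would force a broader resource than any single action needs. The isLeastPrivilege check is the kind of assertion a unit test for such a grant method can make regardless of how the statements are later packaged into a Grant object.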

@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Apr 14, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team April 14, 2025 17:58
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Apr 14, 2025
@hassaku63
Contributor Author

Regarding the design of the grantReplicationPermission method, I've aimed to follow the common patterns of other grant methods in the CDK, where returning an iam.Grant object is prevalent. However, this method currently has a void return type. While I intend to explore and implement the refactoring to return iam.Grant myself, I'm currently unsure about the best way to structure the Grant object for this feature, especially given the need to grant multiple distinct permissions. If the reviewers have any insights or suggestions on the most appropriate approach, I would be grateful for the guidance, as I work towards a suitable implementation.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 15, 2025
Contributor

@badmintoncryer badmintoncryer left a comment


Thank you for your contribution! I've added a small comment.

Comment on lines +909 to +911
if (props.destinations.length === 0) {
  throw new ValidationError('destinations must be specified', this);
}
Contributor


Could you please add a unit test for throwing this error?

Contributor Author


@badmintoncryer Thank you for your review; yes, I have added the unit test you noted.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 16, 2025
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 40b6e2b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Apr 16, 2025
Development

Successfully merging this pull request may close these issues.

(aws-s3): add a convenient way to grant permissions to an IAM Role for S3 replication
3 participants