I have an existing S3 bucket my-bucket
.
I am writing a new CloudFormation template file which creates some new AWS resource that interacts with my-bucket
. Now, my business use-case requires me to add a new permission statement to the bucketpolicy for my-bucket
from within the CloudFormation template file.
SourceBucketBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: my-bucket
PolicyDocument:
Statement:
- Effect: "Allow"
Action:
- 's3:PutBucketNotificationConfiguration'
Resource: "arn:aws:s3:::my-bucket"
Principal:
AWS: !GetAtt MyLambdaExecutionRole.Arn
The problem is that the bucket already has the following bucket-policy that was added by someone else manually via the AWS Console at some point in the past. It's an important bucket-policy from a business perspective so I cannot get rid of it:
{
"Version": "2012-10-17",
"Id": "S3-Policy",
"Statement": [
{
"Sid": "DataCraft-012345678901-S3-datacraft",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678901:user/datacraft"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
So I guess my only option is to update the existing bucket-policy to additionally accommodate my new policy statement. The question is: how can I do that through the CloudFormation template file?
EDIT: For those interested, I eventually solved the problem by writing an AWS::IAM::Policy
instead of AWS::S3::BucketPolicy
:
SourceBucketNotificationConfigurationPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action: s3:PutBucketNotification
Effect: Allow
Resource: "arn:aws:s3:::my-bucket"
Version: '2012-10-17'
PolicyName: BucketNotificationsRolePolicy
Roles:
- Ref: MyLambdaExecutionRole.Arn
Update with No Interruption. AWS CloudFormation updates the resource without disrupting operation of that resource and without changing the resource's physical ID. For example, if you update certain properties on an AWS::CloudTrail::Trail resource, AWS CloudFormation updates the trail without disruption.
In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit. Choose Permissions. Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
Sadly, you can't update an existing policy which is not managed by CloudFormation.
The only thing you can do is to replace policy in the bucket using CloudFormation by recreating it.
What's more, existing bucket policies can't be imported into CloudFormation. The reason is that AWS::S3::BucketPolicy
is not a supported resource for importing.
Edit: Based on @JeremyThompson's Comment
I verified the use of UpdateReplacePolicy: Retain
.
For that I used my own bucket and with policy. Both were created outside of CloudFormation, using the AWS console.
Then, I created a CFN template with AWS::S3::BucketPolicy
. The deployment of the template failed, with or without UpdateReplacePolicy: Retain
with error message:
The bucket policy already exists on bucket <bucket-name>.
This means that you can't replace existing bucket policy. The policy must be recreated in CloudFormation.
You can also create a CustomResource, where you implement the logic for updating an existing bucket policy. Be sure to implement the handling of all resource events: Create, Update, Delete.
For example, here is an implementation for creating folders in S3: https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-s3-custom-resources/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With