s3control-controller\Add access point policy support #2385

Open
simon-torrez-al opened this issue Mar 19, 2025 · 4 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. service/s3control Indicates issues or PRs that are related to s3control-controller.

Comments

@simon-torrez-al

Hello, I'm using s3control-controller to manage an S3 access point:

```yaml
apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
```

Today, it's not possible to manage the access point policy for this S3 access point.
Is it possible to implement this property?

My solution would be to add a property named "accessPointPolicyDocument" accepting a JSON-formatted document, like:

```yaml
apiVersion: s3control.services.k8s.aws/v1alpha1
kind: AccessPoint
metadata:
  name: my-s3-access-point
  namespace: default
spec:
  accountID: '123456789'
  bucket: my-bucket-name
  bucketAccountID: '123456789'
  name: my-access-point-name
  publicAccessBlockConfiguration:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
  # Policy field sits at spec level, not under publicAccessBlockConfiguration.
  # Object-level resources on an access point use the ".../accesspoint/<name>/object/<prefix>" ARN form.
  policyDocument: >-
    {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789:role/my-authorized-role"},"Action": ["s3:ListBucket","s3:GetObject","s3:PutObject"],"Resource": ["arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name","arn:aws:s3:my-aws-region:123456789:accesspoint/my-access-point-name/object/my/specific/path/*"]}]}
```

Thanks for your help on this!
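Whichever controller field ends up carrying the policy, the document is a user-supplied IAM policy that the controller will push to AWS verbatim, so it is worth checking before the PutAccessPointPolicy call that it only scopes the access point the custom resource manages and does not open it to the world. The following is an added example, not code from the ACK project or from the issue author, of such a pre-flight check. It assumes the region, account ID and access point name are taken from the CR spec, and it assumes the policy is a JSON object whose Statement is a list (IAM also allows a bare object there, which this example does not handle); the function names and the sample policies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of the IAM policy grammar the check needs.
// Principal and Resource are kept raw because IAM allows a string or a list.
type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Resource  json.RawMessage `json:"Resource"`
}

// PolicyDocument assumes Statement is a list (hypothetical simplification).
type PolicyDocument struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// asStringList accepts either a JSON string or a JSON array of strings.
func asStringList(raw json.RawMessage) ([]string, error) {
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return []string{single}, nil
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("expected a string or a list of strings: %w", err)
	}
	return list, nil
}

// isPublicPrincipal reports whether the principal is "*" or {"AWS": "*"} / {"AWS": ["*"]}.
func isPublicPrincipal(raw json.RawMessage) bool {
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return s == "*"
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return false
	}
	for _, v := range m {
		vals, err := asStringList(v)
		if err != nil {
			continue
		}
		for _, val := range vals {
			if val == "*" {
				return true
			}
		}
	}
	return false
}

// AccessPointARN builds the ARN of the access point the CR manages.
func AccessPointARN(region, accountID, name string) string {
	return fmt.Sprintf("arn:aws:s3:%s:%s:accesspoint/%s", region, accountID, name)
}

// ValidateAccessPointPolicy returns one finding per problem; an empty slice means the
// policy only targets this access point (or objects under it) and grants nothing publicly.
func ValidateAccessPointPolicy(doc, region, accountID, name string) []string {
	var findings []string
	var p PolicyDocument
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return []string{"policy is not valid JSON: " + err.Error()}
	}
	if p.Version != "2012-10-17" {
		findings = append(findings, "Version must be 2012-10-17, got "+p.Version)
	}
	apARN := AccessPointARN(region, accountID, name)
	for i, st := range p.Statement {
		if st.Effect == "Allow" && isPublicPrincipal(st.Principal) {
			findings = append(findings, fmt.Sprintf("statement %d: Allow with a public principal", i))
		}
		resources, err := asStringList(st.Resource)
		if err != nil {
			findings = append(findings, fmt.Sprintf("statement %d: Resource: %v", i, err))
			continue
		}
		for _, r := range resources {
			switch {
			case r == apARN || strings.HasPrefix(r, apARN+"/object/"):
				// access point itself, or an object path under it
			case strings.HasPrefix(r, apARN+"/"):
				findings = append(findings, fmt.Sprintf("statement %d: object resource %q must use the /object/ segment", i, r))
			default:
				findings = append(findings, fmt.Sprintf("statement %d: resource %q is not this access point", i, r))
			}
		}
	}
	return findings
}

// Constructed sample policies (not from the issue): one scoped correctly, one that is not.
const GoodPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/my-authorized-role"},"Action":["s3:ListBucket","s3:GetObject","s3:PutObject"],"Resource":["arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point-name","arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point-name/object/my/specific/path/*"]}]}`
const BadPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:us-east-1:123456789012:accesspoint/other-access-point/object/*"}]}`

func main() {
	for _, doc := range []string{GoodPolicy, BadPolicy} {
		fmt.Println(ValidateAccessPointPolicy(doc, "us-east-1", "123456789012", "my-access-point-name"))
	}
}
```

Run against the two constructed policies, the first produces no findings and the second two: a public principal and a resource that belongs to a different access point. A resource written as `.../accesspoint/my-access-point-name/my/specific/path/*` (no `/object/` segment) is reported separately, since that is the mistake most likely to slip through and silently match nothing.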

Hello @simon-torrez-al 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

@rushmash91 (Member)

Hi @simon-torrez-al, I see the AccessPointPolicy has Put, Get and Delete methods here.

We can support this in the controller by generating the new resource with the code generator. Just generate the controller after updating the generator, similar to the route53 recordset here.

@rushmash91 added the good first issue, help wanted and service/s3control labels on Mar 19, 2025

@simon-torrez-al (Author)

Hi @rushmash91,

Thanks a lot for your message. I'll have a look and verify that I'm able to manage this change. I'm not sure of all the implications this modification would need.

@rushmash91 (Member)

Sure! You would need to fork and clone the code-generator, runtime and s3control-controller repos, update the generator and build the controller: https://aws-controllers-k8s.github.io/community/docs/contributor-docs/building-controller/

Let me know if you run into any issues!


No branches or pull requests

2 participants