Can not create S3 bucket, failed because of ACL #1760

Closed
Ehco1996 opened this issue May 23, 2023 · 9 comments
Labels
bug Something isn't working


@Ehco1996

Ehco1996 commented May 23, 2023

What happened?

Cannot create an S3 bucket in the latest version (0.40.0) with the YAML below:

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  finalizers:
    - finalizer.managedresource.crossplane.io
  name: xxxx
spec:
  deletionPolicy: Delete
  forProvider:
    locationConstraint: us-west-2
    paymentConfiguration:
      payer: BucketOwner
    serverSideEncryptionConfiguration:
      rules:
        - applyServerSideEncryptionByDefault:
            sseAlgorithm: AES256
  providerConfigRef:
    name: xxx

How can we reproduce it?

Just create a bucket with that YAML and you will see this error:

  conditions:
  - lastTransitionTime: "2023-05-23T02:39:38Z"
    reason: Creating
    status: "False"
    type: Ready
  - lastTransitionTime: "2023-05-23T02:39:52Z"
    message: 'observe failed: operation error S3: PutBucketAcl, https response error
      StatusCode: 400, RequestID: TZHYY9GBCV36BPRC, HostID: BkrtUQaMwKXFsViv+IN6m5aMgOZaUYyFkculK6Fauztb5SuRge05UUrecUl2CFapUMMc6FCkJ+I=,
      api error MissingSecurityHeader: Your request was missing a required header'
    reason: ReconcileError
    status: "False"
    type: Synced

What environment did it happen in?

Crossplane version: 0.40.0

@chlunde
Collaborator

chlunde commented May 23, 2023

try

spec:
  forProvider:
+    objectOwnership: BucketOwnerEnforced
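
Review bot: missing rationale on the added `objectOwnership: BucketOwnerEnforced` line. Nothing in the snippet says how this setting relates to the `PutBucketAcl` / `MissingSecurityHeader` error in the report, and a later comment says Ready stays False after applying it; a sentence stating which of the two conditions (Synced or Ready) this is expected to clear would make the suggestion checkable.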

@Ehco1996
Author

BucketOwnerEnforced

It works, thanks.

@kelvinwijaya
Contributor

kelvinwijaya commented May 25, 2023

Hi @Ehco1996 .

Wanted to check if you managed to get the Bucket in available state. As for myself, even after changing the spec to objectOwnership: BucketOwnerEnforced, the reconcile is OK; however, the resource Ready status is always false or not available.

  conditions:
  - lastTransitionTime: "2023-05-23T02:39:38Z"
    reason: Creating
    status: "False"
    type: Ready

@Ehco1996
Author

> Hi @Ehco1996 .
>
> Wanted to check if you managed to get the Bucket in available state. As for myself, even after changing the spec to objectOwnership: BucketOwnerEnforced, the reconcile is OK; however, the resource Ready status is always false or not available.
>
>   conditions:
>   - lastTransitionTime: "2023-05-23T02:39:38Z"
>     reason: Creating
>     status: "False"
>     type: Ready

I've tried many times; sometimes the status is stuck in the Creating state, but sometimes it turns normally into Available and no error logs are found in the aws-provider.

So it seems to be a probability problem?

@kelvinwijaya
Contributor

I am unsure too; my suspicion is that syncing and comparing the status from the external resource is causing it to not be able to reach a stable state.

Do you configure any Bucket policy?
Mine is configured separately using the BucketPolicy CR (older method).

Based on my observations, it will always be stuck in the pending state:

  Normal  PendingExternalResource  35m                   managed/bucket.s3.aws.crossplane.io  Waiting for external resource existence to be confirmed

These are my specs reflected from Bucket CR in runtime:

Spec:
  Deletion Policy:  Delete
  For Provider:
    Cors Configuration:
      Cors Rules:
        Allowed Headers:
          *
        Allowed Methods:
          PUT
          POST
          DELETE
        Allowed Origins:
          *
        Allowed Methods:
          GET
        Allowed Origins:
          *
    Lifecycle Configuration:
      Rules:
        Expiration:
          Expired Object Delete Marker:  true
        Noncurrent Version Expiration:
          Noncurrent Days:           1
        Status:                      Enabled
    Location Constraint:             <sanitized>
    Object Lock Enabled For Bucket:  false
    Object Ownership:                BucketOwnerEnforced
    Payment Configuration:
      Payer:  BucketOwner
    Public Access Block Configuration:
      Block Public Acls:        true
      Block Public Policy:      true
      Ignore Public Acls:       true
      Restrict Public Buckets:  true
    Server Side Encryption Configuration:
      Rules:
        Apply Server Side Encryption By Default:
          Sse Algorithm:  AES256
    Tagging:
      Tag Set:
        Key:    <sanitized>
        Value:  <sanitized>
        Key:    <sanitized>
        Value:  <sanitized>
        Key:    <sanitized>
        Value:  <sanitized>
        Key:    <sanitized>
        Value:  <sanitized>
        Key:    <sanitized>
        Value:  <sanitized>
        Key:    <sanitized>
        Value:  <sanitized>
    Versioning Configuration:
      Status:  Enabled
  Provider Config Ref:
    Name:  aws-provider
  Write Connection Secret To Ref:
    Name:       test-bucket-smm4z
    Namespace:  <sanitized>

@Ehco1996
Author

@kelvinwijaya

I also used the bucket policy CR. But the phenomenon is as I said before: sometimes it works, but sometimes it fails.

@kelvinwijaya
Contributor

@Ehco1996

Thanks for confirming your setup. I am trying to migrate to the in-line bucket policy inside the Bucket CR; will update here if there is any success.

@kelvinwijaya
Contributor

@Ehco1996
Somehow, without attaching a BucketPolicy, the Bucket resource will be in a healthy state.
I have tried the in-line bucket policy method too, and the same issue persisted.

Believe this issue is reported here: #1757

@chlunde, are we able to have this fix in place?

@smaistry

> Hi @Ehco1996 .
>
> Wanted to check if you managed to get the Bucket in available state. As for myself, even after changing the spec to objectOwnership: BucketOwnerEnforced, the reconcile is OK; however, the resource Ready status is always false or not available.
>
>   conditions:
>   - lastTransitionTime: "2023-05-23T02:39:38Z"
>     reason: Creating
>     status: "False"
>     type: Ready

You need to delete the bucket and then recreate it; then it will work.
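
A triage helper for the two symptoms reported in this thread, added here as an example (not code from the Crossplane AWS provider or from any commenter): it reads a Bucket object in the shape returned by `kubectl get bucket <name> -o json` and reports whether the `PutBucketAcl` reconcile error or the lingering `Ready=False/Creating` condition is present. The sample objects and the finding names are constructed for illustration.

```python
import json

# Constructed samples in the shape of `kubectl get bucket <name> -o json`,
# modelled on the spec and conditions posted in this thread.
ACL_ERROR = json.loads("""{
  "spec": {"forProvider": {"locationConstraint": "us-west-2"}},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "Creating"},
    {"type": "Synced", "status": "False", "reason": "ReconcileError",
     "message": "observe failed: operation error S3: PutBucketAcl, api error MissingSecurityHeader: Your request was missing a required header"}]}
}""")
STUCK = json.loads("""{
  "spec": {"forProvider": {"objectOwnership": "BucketOwnerEnforced"}},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "Creating"},
    {"type": "Synced", "status": "True", "reason": "ReconcileSuccess"}]}
}""")


def triage(bucket):
    """Return finding names (hypothetical labels) for one Bucket object."""
    findings = []
    for_provider = bucket.get("spec", {}).get("forProvider", {})
    conditions = bucket.get("status", {}).get("conditions", [])
    by_type = {c.get("type"): c for c in conditions}
    synced = by_type.get("Synced", {})
    ready = by_type.get("Ready", {})
    message = synced.get("message", "")

    # The setting suggested in the thread is absent from the spec.
    if for_provider.get("objectOwnership") != "BucketOwnerEnforced":
        findings.append("object-ownership-not-enforced")
    # First symptom: reconcile fails on the ACL call.
    if (synced.get("status") == "False" and "PutBucketAcl" in message
            and "MissingSecurityHeader" in message):
        findings.append("acl-reconcile-error")
    # Second symptom: reconcile is not failing but Ready stays False/Creating.
    # Only meaningful if it persists; a new bucket shows it briefly too.
    elif (synced.get("status") != "False" and ready.get("status") == "False"
            and ready.get("reason") == "Creating"):
        findings.append("ready-false-creating")
    return findings


if __name__ == "__main__":
    for name, obj in (("acl-error", ACL_ERROR), ("stuck", STUCK)):
        print(name, triage(obj))
```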
