S3 bucket creation fails without ACL field #1537

Closed
mathias-muench opened this issue Oct 24, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@mathias-muench

mathias-muench commented Oct 24, 2022

What happened?

According to Bucket.s3.aws.crossplane.io/v1beta1 the field forProvider.acl is not required. Trying to create a bucket without that field results in the following error.

Warning CannotObserveExternalResource 2m35s managed/bucket.s3.aws.crossplane.io operation error S3: PutBucketAcl, https response error StatusCode: 400, RequestID: QY0AE14G1CN80A7W, HostID: lwpqjjI7hCv8dFRNBu4t0jNGy3q2erUDi9rdmk7n+v/h5+TF9LmaYQg1XxenBtyhZM7H4hm6GTk=, api error MissingSecurityHeader: Your request was missing a required header

May be related to Error when creating S3 bucket · Issue #1525 · crossplane-contrib/provider-aws.

How can we reproduce it?

Try to create bucket with this manifest.

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: mmu-foo
spec:
  forProvider:
    locationConstraint: eu-central-1
  writeConnectionSecretToRef:
    namespace: default
    name: mmu-s3-credentials

What environment did it happen in?

Crossplane version: 1.10.0 + crossplane/provider-aws:v0.32.0

@mathias-muench mathias-muench added the bug Something isn't working label Oct 24, 2022
@MisterMX
Collaborator

I have encountered this as well.

However, I don't think this is an issue with the provider, because acl isn't required in the AWS API either.

@plinde

plinde commented Nov 30, 2022

Try adding acl: private under the forProvider.

The canned ACL to apply to the bucket. Note that either canned ACL or specific access permissions are required. If neither (or both) are provided, the creation of the bucket will fail.

https://doc.crds.dev/github.com/crossplane/provider-aws/s3.aws.crossplane.io/Bucket/v1beta1

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: mmu-foo
spec:
  forProvider:
    locationConstraint: eu-central-1
    acl: private
  writeConnectionSecretToRef:
    namespace: default
    name: mmu-s3-credentials

@mathias-muench
Author

Try adding acl: private under the forProvider.

This is what I did and it works. I think it is more about a documentation bug. At least for me, https://doc.crds.dev/github.com/crossplane/provider-aws/s3.aws.crossplane.io/Bucket/v1beta1 just reads "acl: The canned ACL to apply to the bucket."

@openstep

The bucket is created, but there is an error on the k8s side.

apiVersion: s3.aws.crossplane.io/v1beta1
kind: Bucket
metadata:
  name: crossplane-bucket-xxx
  annotations:
    crossplane.io/external-name: crossplane-bucket-xxx
spec:
  forProvider:
    locationConstraint: eu-central-1
    acl: private
  providerConfigRef:
    name: default

kubectl get buckets
NAME                    READY   SYNCED   AGE
crossplane-bucket-xxx   False   False    17s

Status condition on the Bucket:

  message: 'observe failed: operation error S3: PutBucketAcl, https response error
      StatusCode: 400, RequestID: xxxxx HostID: yyyyyy,
      api error AccessControlListNotSupported: The bucket does not allow ACLs'

@MisterMX
Collaborator

AFAIK ACLs are deprecated by AWS and spec.forProvider.objectOwnership should be used instead.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

By default, Object Ownership is set to the Bucket owner enforced setting and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access to data exclusively using access management policies.
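The two failures in this thread (PutBucketAcl with no ACL rejected with MissingSecurityHeader, and acl: private rejected with AccessControlListNotSupported once ACLs are disabled) plus the Object Ownership guidance quoted above can be turned into a pre-apply check. The following is an added example, not code from this issue or from provider-aws: it inspects a Bucket manifest that has already been parsed into a dict (e.g. with PyYAML), reports the shapes that reproduce the errors seen here, flags canned ACLs that grant access beyond the bucket owner, and produces a hardened copy with objectOwnership: BucketOwnerEnforced and no acl. The function names, the sample manifests and the rule that an omitted objectOwnership means the AWS default (BucketOwnerEnforced, per the doc quoted above) are this example's assumptions; the field name spec.forProvider.objectOwnership comes from the comment above and the enum values from the S3 API. The MissingSecurityHeader rule encodes what was observed with provider-aws v0.32.0 and may not apply to other versions.

```python
"""Static checks for Crossplane provider-aws Bucket manifests (s3.aws.crossplane.io/v1beta1).

Added example; not code from the issue or from provider-aws. The manifest is passed
already parsed into a dict (e.g. by PyYAML), so no YAML library is needed.
The sample manifests at the bottom are constructed for this example.
"""
from __future__ import annotations

from copy import deepcopy
from typing import Any

API_VERSION = "s3.aws.crossplane.io/v1beta1"
# S3 ObjectOwnership values; AWS documents BucketOwnerEnforced as the default for new buckets.
OWNERSHIP_VALUES = {"BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced"}
DEFAULT_OWNERSHIP = "BucketOwnerEnforced"  # assumption: omitted field means the AWS default
# Canned ACLs that grant access beyond the bucket owner.
NON_PRIVATE_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def check_bucket_manifest(manifest: dict[str, Any]) -> list[str]:
    """Return findings for one Bucket manifest; an empty list means it passes."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if manifest.get("kind") != "Bucket" or manifest.get("apiVersion") != API_VERSION:
        return [f"{name}: not a {API_VERSION} Bucket, skipped"]

    fp = manifest.get("spec", {}).get("forProvider", {})
    acl = fp.get("acl")
    ownership = fp.get("objectOwnership")
    findings: list[str] = []

    if ownership is not None and ownership not in OWNERSHIP_VALUES:
        return [f"{name}: unknown objectOwnership {ownership!r}"]

    # Failure 1 from the issue: nothing set, provider v0.32.0 sent PutBucketAcl
    # with no ACL and AWS answered MissingSecurityHeader.
    if acl is None and ownership is None:
        findings.append(
            f"{name}: neither acl nor objectOwnership set; provider v0.32.0 sent PutBucketAcl "
            "with no ACL and got MissingSecurityHeader. Set objectOwnership: BucketOwnerEnforced."
        )

    # Failure 2 from the issue: an ACL on a bucket whose ownership setting disables ACLs.
    # With objectOwnership omitted, the AWS default (BucketOwnerEnforced) is assumed.
    effective = ownership or DEFAULT_OWNERSHIP
    if acl is not None and effective == DEFAULT_OWNERSHIP:
        findings.append(
            f"{name}: acl {acl!r} on a BucketOwnerEnforced bucket; ACLs are disabled there and "
            "PutBucketAcl fails with AccessControlListNotSupported. Drop acl."
        )

    # Security finding independent of provider behaviour: a canned ACL wider than private.
    if acl in NON_PRIVATE_ACLS:
        findings.append(
            f"{name}: canned ACL {acl!r} grants access beyond the bucket owner; "
            "use a bucket policy and keep ACLs disabled."
        )

    # ACLs deliberately enabled: works, but not the AWS-recommended setting.
    if ownership in ("ObjectWriter", "BucketOwnerPreferred"):
        findings.append(f"{name}: objectOwnership {ownership} keeps ACLs enabled; prefer BucketOwnerEnforced.")
    return findings


def harden_bucket_manifest(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with ACLs disabled: objectOwnership BucketOwnerEnforced and no acl."""
    fixed = deepcopy(manifest)
    fp = fixed.setdefault("spec", {}).setdefault("forProvider", {})
    fp.pop("acl", None)
    fp["objectOwnership"] = DEFAULT_OWNERSHIP
    return fixed


def _manifest(name: str, **for_provider: str) -> dict[str, Any]:
    """Constructed sample manifest in the shape used in the issue."""
    return {
        "apiVersion": API_VERSION,
        "kind": "Bucket",
        "metadata": {"name": name},
        "spec": {"forProvider": {"locationConstraint": "eu-central-1", **for_provider}},
    }


# Constructed samples: the issue's original manifest, the acl: private variant, a public ACL.
SAMPLES = {
    "no-acl": _manifest("mmu-foo"),
    "acl-private": _manifest("mmu-foo", acl="private"),
    "public-read": _manifest("mmu-foo", acl="public-read", objectOwnership="ObjectWriter"),
}

if __name__ == "__main__":
    for label, m in SAMPLES.items():
        print(label, check_bucket_manifest(m) or "OK")
    print("hardened", check_bucket_manifest(harden_bucket_manifest(SAMPLES["no-acl"])) or "OK")
```

Run it as an admission-time or CI check on rendered manifests; the hardened form is the one the Object Ownership guidance above points to, with access managed by bucket policy rather than ACLs.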

@MisterMX
Collaborator

Closing this as this is not a provider issue. Feel free to reopen if that changes.
