try to create AP every time, catch if already exists

[SofiaSazonova]

Feature or Bugfix

• Bugfix

Detail

• Try to create AP every time we process the share
• Catch error if it already exists
• Retry on put_access_point_policy

Relates

• NoSuchAccessPoint exception during share processing #1608

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

• Does this PR introduce or modify any input fields or queries - this includes
  fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  • Is the input sanitized?
  • What precautions are you taking before deserializing the data you consume?
  • Is injection prevented by parametrizing queries?
  • Have you ensured no eval or similar functions are used?
• Does this PR introduce any functionality or component that requires authorization?
  • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  • Are you logging failed auth attempts?
• Are you using or adding any cryptographic features?
  • Do you use a standard proven implementations?
  • Are the used keys controlled by the customer? Where are they stored?
• Are you introducing any new policies/roles/users?
  • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[petrkalos]

some nits and a question

[petrkalos]

why do we need this now and didn't need it previously?

[SofiaSazonova]

This is in case AP is not yet created. Before the retry part was in creation of of AP

[petrkalos]

I would explicitly encapsulate the Retry mechanism in the create_bucket_access_point to ensure that all calls to it return when the bucket is created.

For example something like the below....

    def create_bucket_access_point(self, bucket_name: str, access_point_name: str):
        try:
            self._client.create_access_point(AccountId=self._account_id, Name=access_point_name, Bucket=bucket_name)
        except self._client.exceptions.AccessPointAlreadyOwnedByYou:
            ...
        except Exception as e:
            log.exception(f'S3 bucket access point creation failed for location {bucket_name=}')
            raise e
        return Retrying(
            retry_on_exception=(self._client.exceptions.NotFoundException,),
            stop_max_attempt_number=5,
            wait_random_min=1000,
            wait_random_max=3000,
        ).call(self.get_bucket_access_point_arn, access_point_name)['AccessPointArn']

Also you must make sure that you wait enough time. Previous code was waiting for 300secs++, yours wait from 5 to 15 seconds.

[SofiaSazonova]

Won't it lead us to the same error? If get_access_point_arn will fail, we again receive the problem of Negative Cash?

[SofiaSazonova]

also, there is no self._client.exceptions.AccessPointAlreadyOwnedByYou: so, I have to check the string

[petrkalos]

unused

[petrkalos]

you could use @retry(retry_on_result=lambda arn: arn is None, stop_max_attempt_number=10, wait_fixed=30000)