do not attempt to set_object_acl for a bucket without ACLs

gardenlinux · Nov 20, 2024 · 21d97f7 · 21d97f7
1 parent f1e839a
commit 21d97f7
Showing 1 changed file with 20 additions and 5 deletions.
diff --git a/glci/aws.py b/glci/aws.py
@@ -454,6 +454,20 @@ def attach_tags(
     ))
 
 
+def is_bucket_acl_enabled(
+    s3_client: 'botocore.client.S3',
+    bucket_name: str
+) -> bool:
+    bucket_acl = response_ok(s3_client.get_bucket_acl(Bucket=bucket_name))
+    owner_id = bucket_acl['Owner'].get('ID', None)
+    for grant in bucket_acl['Grants']:
+        if (grant['Grantee']['Type'] == "CanonicalUser" and
+            grant['Grantee'].get('ID', "") == owner_id and 
+            grant['Permission'] == "FULL_CONTROL"):
+            return False
+    return True
+
+
 def upload_and_register_gardenlinux_image(
     aws_publishing_cfg: glci.model.PublishingTargetAWS,
     publishing_cfg: glci.model.PublishingCfg,
@@ -485,11 +499,12 @@ def upload_and_register_gardenlinux_image(
         # make blob public prior to importing (snapshot-import will otherwise break, e.g. if
         # bucket is not entirely configured to be public)
         try:
-            s3_client.put_object_acl(
-                ACL='public-read',
-                Bucket=bucket_name,
-                Key=raw_image_key,
-            )
+            if is_bucket_acl_enabled(s3_client=s3_client, bucket_name=bucket_name):
+                s3_client.put_object_acl(
+                    ACL='public-read',
+                    Bucket=bucket_name,
+                    Key=raw_image_key,
+                )
         except:
             logger.warning('failed to set s3-blob to public - snapshot-import might fail')
             traceback.print_exc()