
Aws_cloudfront: Issue when enabling logging for cloudfront distribution #33297

Open
1 task
amkac opened this issue Feb 5, 2025 · 1 comment
Assignees
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@amkac

amkac commented Feb 5, 2025

Describe the bug

I’m trying to enable CloudFront distribution logging with an S3 bucket, but I’m encountering an issue with the logging bucket. According to the documentation https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront-readme.html#logging it's possible to create a log bucket with the enableLogging prop:

import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

// Inside a Stack: CDK creates the log bucket itself when enableLogging is set
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: { origin: ...  },
  enableLogging: true,
});

However, I’m getting the following error:
"Access denied for operation 'You don't have permission to access the S3 bucket for CloudFront logs: ...-78ioohdal29u.s3.eu-central-2.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL."

I also tried specifying the bucket for logging, but I received the same error:

import { RemovalPolicy } from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as s3 from 'aws-cdk-lib/aws-s3';

// Inside a Stack: supply an explicit log bucket instead of the CDK-generated one
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: { origin: ...  },
  logBucket: new s3.Bucket(this, 'CloudFrontLogBucket', {
    objectOwnership: s3.ObjectOwnership.OBJECT_WRITER, // keeps ACLs enabled on the bucket
    removalPolicy: RemovalPolicy.DESTROY,
    autoDeleteObjects: true,
  }),
});

It seems that the issue is related to missing permissions for the S3 bucket.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The logs should be stored in the S3 bucket.

Current Behavior

When attempting to enable logging for the CloudFront distribution, the following error occurred:
"Access denied for operation 'You don't have permission to access the S3 bucket for CloudFront logs: ...-78ioohdal29u.s3.eu-central-2.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL."

Reproduction Steps

cdk deploy

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.176.0

Framework Version

No response

Node.js Version

20.18.2

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response

@amkac amkac added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 5, 2025
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Feb 5, 2025
@ashishdhingra ashishdhingra self-assigned this Feb 5, 2025
@ashishdhingra
Contributor

ashishdhingra commented Feb 5, 2025

@amkac Good morning. Thanks for opening the issue. The error itself is self-explanatory. The role used by cdk deploy doesn't have permission to set the S3 bucket ACL. The CDK bootstrapping process creates several roles, as mentioned in Default resources created during bootstrapping. Is your environment bootstrapped with a custom DeploymentActionRole? Or, during cdk deploy, are you using --role-arn to use a custom role for deployment?

Also, could you try using the --verbose flag while running cdk deploy to see what role is assumed?

Thanks,
Ashish

@ashishdhingra ashishdhingra added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Feb 5, 2025
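The error message in the report and the reply above both point at the same thing: the role that cdk deploy assumes must be allowed s3:GetBucketAcl and s3:PutBucketAcl on the log bucket. The following is an added example, not code from the aws-cdk project or from either participant. It is a small checker for IAM policy documents that reports which of those two actions a given policy does not grant on a bucket ARN (honouring explicit Deny and IAM-style wildcards), plus a helper that produces the least-privilege statement to add. The policy documents and the bucket ARN are constructed for the example.

```typescript
// Added example (not aws-cdk code): verify before deploying that the deployment
// role's policy grants the two S3 ACL actions CloudFront standard logging needs.

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// Actions named in the CloudFront error message
const REQUIRED_ACTIONS = ["s3:GetBucketAcl", "s3:PutBucketAcl"];

function toList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM-style glob: '*' matches any run of characters, '?' a single character.
// Action names are matched case-insensitively, resource ARNs case-sensitively.
function globMatch(pattern: string, value: string, caseInsensitive: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "").test(value);
}

// Simplified IAM evaluation for a single identity policy:
// an explicit Deny that matches wins; otherwise any matching Allow grants access.
function isAllowed(policy: PolicyDocument, action: string, resourceArn: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = toList(st.Action).some((a) => globMatch(a, action, true));
    const resourceHit = toList(st.Resource).some((r) => globMatch(r, resourceArn, false));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Returns the required actions that the policy does NOT grant on the log bucket.
function missingLogBucketPermissions(policy: PolicyDocument, bucketArn: string): string[] {
  return REQUIRED_ACTIONS.filter((a) => !isAllowed(policy, a, bucketArn));
}

// Least-privilege statement scoped to the one log bucket, rather than "s3:*" on "*".
function logBucketAclStatement(bucketArn: string): Statement {
  return { Effect: "Allow", Action: [...REQUIRED_ACTIONS], Resource: bucketArn };
}

// Constructed sample values (hypothetical bucket name and policies).
const LOG_BUCKET_ARN = "arn:aws:s3:::example-cloudfront-log-bucket";

// A deploy role that can read and write objects but cannot touch bucket ACLs.
const OBJECT_ONLY_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::example-cloudfront-log-bucket/*" },
    { Effect: "Allow", Action: "s3:ListBucket", Resource: LOG_BUCKET_ARN },
  ],
};

// Broad allow, but an explicit Deny on all s3:Put* actions blocks PutBucketAcl.
const DENY_PUT_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:*", Resource: "*" },
    { Effect: "Deny", Action: "s3:Put*", Resource: "arn:aws:s3:::example-*" },
  ],
};

// The object-only policy with the scoped ACL statement appended.
const FIXED_POLICY: PolicyDocument = {
  Version: OBJECT_ONLY_POLICY.Version,
  Statement: [...OBJECT_ONLY_POLICY.Statement, logBucketAclStatement(LOG_BUCKET_ARN)],
};

console.log("object-only:", missingLogBucketPermissions(OBJECT_ONLY_POLICY, LOG_BUCKET_ARN));
console.log("deny-put:   ", missingLogBucketPermissions(DENY_PUT_POLICY, LOG_BUCKET_ARN));
console.log("fixed:      ", missingLogBucketPermissions(FIXED_POLICY, LOG_BUCKET_ARN));
```

Run the policy you attach to the deployment role (or the one behind --role-arn) through missingLogBucketPermissions before cdk deploy; an empty result means the ACL calls will not be the reason for the access-denied error. The evaluator deliberately ignores conditions, resource policies and permission boundaries, so treat it as a pre-flight check rather than a substitute for IAM's own evaluation.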