@@ -225,6 +225,9 @@ func (s *Service) Delete(m *scope.MachineScope) error {
225225func (s * Service ) createBucketIfNotExist (bucketName string ) error {
226226 input := & s3.CreateBucketInput {
227227 Bucket : aws .String (bucketName ),
228+ CreateBucketConfiguration : & s3.CreateBucketConfiguration {
229+ LocationConstraint : aws .String (s .scope .Region ()),
230+ },
228231 }
229232
230233 _ , err := s .S3Client .CreateBucket (input )
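Review bot: The new CreateBucketConfiguration is sent for every region, but S3 rejects a LocationConstraint of `us-east-1` (the default location is expressed by omitting the configuration, and passing it explicitly yields an InvalidLocationConstraint error), so createBucketIfNotExist would presumably fail for clusters in that region unless the error handling after the CreateBucket call, which lies outside this hunk, already tolerates it. I would build the input without the configuration and attach it only for other regions, as below. createBucketIfNotExist's body continues past the hunk.
```go
input := &s3.CreateBucketInput{
	Bucket: aws.String(bucketName),
}
// us-east-1 is the default location and must not be passed as a
// LocationConstraint: S3 answers InvalidLocationConstraint if it is.
if region := s.scope.Region(); region != "us-east-1" {
	input.CreateBucketConfiguration = &s3.CreateBucketConfiguration{
		LocationConstraint: aws.String(region),
	}
}
// … unchanged: CreateBucket call and error handling …
```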
@@ -251,11 +254,6 @@ func (s *Service) createBucketIfNotExist(bucketName string) error {
251254}
252255
253256func (s * Service ) ensureBucketPolicy (bucketName string ) error {
254- if s .scope .Bucket ().PresignedURLDuration != nil {
255- // If presigned URL is enabled, we don't need to set bucket policy.
256- return nil
257- }
258-
259257 bucketPolicy , err := s .bucketPolicy (bucketName )
260258 if err != nil {
261259 return errors .Wrap (err , "generating Bucket policy" )
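Review bot: Removing the early return leaves no comment explaining why the bucket policy is now applied even when PresignedURLDuration is set, and a reader who sees a policy containing only the deny statement in that mode may be tempted to re-add the shortcut. I would put `// Always apply the policy: the SSL-only deny must cover the bucket even when objects are served through presigned URLs.` directly above the bucketPolicy call. ensureBucketPolicy's body continues past the hunk.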
@@ -322,15 +320,6 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
322320 partition := system .GetPartitionFromRegion (s .scope .Region ())
323321
324322 statements := []iam.StatementEntry {
325- {
326- Sid : "control-plane" ,
327- Effect : iam .EffectAllow ,
328- Principal : map [iam.PrincipalType ]iam.PrincipalID {
329- iam .PrincipalAWS : []string {fmt .Sprintf ("arn:%s:iam::%s:role/%s" , partition , * accountID .Account , bucket .ControlPlaneIAMInstanceProfile )},
330- },
331- Action : []string {"s3:GetObject" },
332- Resource : []string {fmt .Sprintf ("arn:%s:s3:::%s/control-plane/*" , partition , bucketName )},
333- },
334323 {
335324 Sid : "ForceSSLOnlyAccess" ,
336325 Effect : iam .EffectDeny ,
@@ -347,16 +336,30 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
347336 },
348337 }
349338
350- for _ , iamInstanceProfile := range bucket .NodesIAMInstanceProfiles {
351- statements = append (statements , iam.StatementEntry {
352- Sid : iamInstanceProfile ,
353- Effect : iam .EffectAllow ,
354- Principal : map [iam.PrincipalType ]iam.PrincipalID {
355- iam .PrincipalAWS : []string {fmt .Sprintf ("arn:%s:iam::%s:role/%s" , partition , * accountID .Account , iamInstanceProfile )},
356- },
357- Action : []string {"s3:GetObject" },
358- Resource : []string {fmt .Sprintf ("arn:%s:s3:::%s/node/*" , partition , bucketName )},
359- })
339+ if bucket .PresignedURLDuration == nil {
340+ if bucket .ControlPlaneIAMInstanceProfile != "" {
341+ statements = append (statements , iam.StatementEntry {
342+ Sid : "control-plane" ,
343+ Effect : iam .EffectAllow ,
344+ Principal : map [iam.PrincipalType ]iam.PrincipalID {
345+ iam .PrincipalAWS : []string {fmt .Sprintf ("arn:%s:iam::%s:role/%s" , partition , * accountID .Account , bucket .ControlPlaneIAMInstanceProfile )},
346+ },
347+ Action : []string {"s3:GetObject" },
348+ Resource : []string {fmt .Sprintf ("arn:%s:s3:::%s/control-plane/*" , partition , bucketName )},
349+ })
350+ }
351+
352+ for _ , iamInstanceProfile := range bucket .NodesIAMInstanceProfiles {
353+ statements = append (statements , iam.StatementEntry {
354+ Sid : iamInstanceProfile ,
355+ Effect : iam .EffectAllow ,
356+ Principal : map [iam.PrincipalType ]iam.PrincipalID {
357+ iam .PrincipalAWS : []string {fmt .Sprintf ("arn:%s:iam::%s:role/%s" , partition , * accountID .Account , iamInstanceProfile )},
358+ },
359+ Action : []string {"s3:GetObject" },
360+ Resource : []string {fmt .Sprintf ("arn:%s:s3:::%s/node/*" , partition , bucketName )},
361+ })
362+ }
360363 }
361364
362365 policy := iam.PolicyDocument {
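Review bot: The empty-name guard added for the control-plane profile at `if bucket.ControlPlaneIAMInstanceProfile != ""` is not mirrored in the node loop, so an empty entry in NodesIAMInstanceProfiles still produces a statement with an empty Sid and a principal of `arn:<partition>:iam::<account>:role/`, which S3 would presumably reject as malformed and thereby block ensureBucketPolicy for the whole bucket. Add `if iamInstanceProfile == "" { continue }` as the first line of the loop body. A repeated profile name would also emit duplicate Sids, which is worth deduplicating if the API treats Sid as unique. bucketPolicy starts and ends outside this hunk.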