Description
Describe the bug
Very similar to #2421. The S3 controller keeps attempting to reconcile the bucket policy because the desired and observed policy strings differ in whitespace/newlines rather than in content.
**Steps to reproduce**
Apply the following Bucket resource:
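# ACK S3 Bucket manifest that reproduces the spurious policy diff. Indentation
# has been restored so the document parses; every value is the one reported.
apiVersion: s3.services.k8s.aws/v1alpha1
kind: Bucket
metadata:
  name: milvus-454109122
  annotations:
    argocd.argoproj.io/sync-wave: "0"
    services.k8s.aws/adoption-policy: "adopt-or-create"
    s3.services.k8s.aws/deletion-policy: retain
    # Identifies the pre-existing bucket to adopt when adoption applies.
    services.k8s.aws/adoption-fields: |
      { "arn" : "arn:aws:s3:::milvus-454109122" }
  labels:
    helm.sh/chart: helm-milvus-0.1.1
    app.kubernetes.io/name: helm-milvus
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "2.4.0"
    app.kubernetes.io/managed-by: Helm
spec:
  encryption:
    rules:
      - applyServerSideEncryptionByDefault:
          sseAlgorithm: AES256
        bucketKeyEnabled: false
  name: milvus-454109122
  objectOwnership: ObjectWriter
  createBucketConfiguration:
    locationConstraint: eu-west-1
  # Three Deny statements: (1) any request not made over TLS
  # (aws:SecureTransport=false); (2) object-level actions by any principal
  # whose ARN does not match role/ack-s3; (3) bucket policy/ACL reads and
  # changes by any principal other than role/ack-s3.
  # NOTE(review): as written, (2) also excludes workload principals, not just
  # anonymous callers — confirm that is the intent.
  # `${aws:ResourceAccount}` is an IAM policy variable, not a literal account id.
  # The controller appears to compare this string verbatim with what S3 returns;
  # S3 strips whitespace and returns the single-element aws:PrincipalArn array
  # as a scalar, so a byte-wise comparison never converges (see the diff below).
  policy: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::milvus-454109122/*",
            "arn:aws:s3:::milvus-454109122"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": [
            "s3:PutObject*",
            "s3:GetObject*",
            "s3:DeleteObject*",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::milvus-454109122/*",
            "arn:aws:s3:::milvus-454109122"
          ],
          "Condition": {
            "ArnNotLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::${aws:ResourceAccount}:role/ack-s3"
              ]
            }
          }
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": [
            "s3:PutBucketPolicy",
            "s3:PutBucketAcl",
            "s3:GetBucketPolicy",
            "s3:GetBucketAcl",
            "s3:DeleteBucketPolicy"
          ],
          "Resource": "arn:aws:s3:::milvus-454109122",
          "Condition": {
            "ArnNotLike": {
              "aws:PrincipalArn": [
                "arn:aws:iam::${aws:ResourceAccount}:role/ack-s3"
              ]
            }
          }
        }
      ]
    }
  # All four public-access blocks enabled.
  publicAccessBlock:
    blockPublicACLs: true
    blockPublicPolicy: true
    ignorePublicACLs: true
    restrictPublicBuckets: true
  tagging: # https://github.com/aws-controllers-k8s/community/issues/2418 they diverted from the spec, there are plans to use tags instead of tagSet
    tagSet:
      - key: "team"
        value: "ai"
      - key: "component"
        value: "milvus"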
The bucket is created properly. On the next sync the controller reports the diff below. Note that, besides the whitespace difference, S3 returns the single-element `aws:PrincipalArn` array as a plain string, so a comparison that only strips whitespace would still not converge:
{
"level": "info",
"ts": "2025-08-05T09:50:25.483Z",
"logger": "ackrt",
"msg": "desired resource state has changed",
"kind": "Bucket",
"namespace": "milvus",
"name": "milvus-454109122",
"account": "345156409809",
"role": "",
"region": "eu-west-1",
"is_adopted": false,
"generation": 1,
"diff": [
{
"Path": {
"Parts": [
"Spec",
"OwnershipControls",
"Rules"
]
},
"A": null,
"B": [
{
"objectOwnership": "ObjectWriter"
}
]
},
{
"Path": {
"Parts": [
"Spec",
"Policy"
]
},
"A": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::milvus-454109122/*\",\n \"arn:aws:s3:::milvus-454109122\"\n ],\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": [\n \"s3:PutObject*\",\n \"s3:GetObject*\",\n \"s3:DeleteObject*\",\n \"s3:ListBucket\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::milvus-454109122/*\",\n \"arn:aws:s3:::milvus-454109122\"\n ],\n \"Condition\": {\n \"ArnNotLike\": {\n \"aws:PrincipalArn\": [\n \"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"\n ]\n }\n }\n },\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": [\n \"s3:PutBucketPolicy\",\n \"s3:PutBucketAcl\",\n \"s3:GetBucketPolicy\",\n \"s3:GetBucketAcl\",\n \"s3:DeleteBucketPolicy\"\n ],\n \"Resource\": \"arn:aws:s3:::milvus-454109122\",\n \"Condition\": {\n \"ArnNotLike\": {\n \"aws:PrincipalArn\": [\n \"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"\n ]\n }\n }\n }\n ]\n}\n",
"B": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::milvus-454109122/*\",\"arn:aws:s3:::milvus-454109122\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":[\"s3:PutObject*\",\"s3:GetObject*\",\"s3:DeleteObject*\",\"s3:ListBucket\"],\"Resource\":[\"arn:aws:s3:::milvus-454109122/*\",\"arn:aws:s3:::milvus-454109122\"],\"Condition\":{\"ArnNotLike\":{\"aws:PrincipalArn\":\"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"}}},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":[\"s3:PutBucketPolicy\",\"s3:PutBucketAcl\",\"s3:GetBucketPolicy\",\"s3:GetBucketAcl\",\"s3:DeleteBucketPolicy\"],\"Resource\":\"arn:aws:s3:::milvus-454109122\",\"Condition\":{\"ArnNotLike\":{\"aws:PrincipalArn\":\"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"}}}]}"
}
]
}
Expected outcome
Environment
- Using EKS: yes, 1.31
- AWS service targeted: s3