Merge pull request #1887 from Lawiss/add-s3-acl-to-cli

michael-myaskovsky · web-flow · commit da033fb5b60c · 2025-05-07T11:40:21.000+03:00
Adds --s3-acl option to the cli to be able to set S3 report permissions.
diff --git a/elementary/clients/s3/client.py b/elementary/clients/s3/client.py
@@ -41,11 +41,15 @@ def send_report(
         bucket_report_path = remote_bucket_file_path or report_filename
         bucket_website_url = None
         logger.info(f'Uploading to S3 bucket "{self.config.s3_bucket_name}"')
+
+        extra_args = {"ContentType": "text/html"}
+        if self.config.s3_acl is not None:
+            extra_args["ACL"] = self.config.s3_acl
         self.client.upload_file(
             local_html_file_path,
             self.config.s3_bucket_name,
             bucket_report_path,
-            ExtraArgs={"ContentType": "text/html"},
+            ExtraArgs=extra_args,
         )
         logger.info("Uploaded report to S3.")
         if self.config.update_bucket_website:
diff --git a/elementary/config/config.py b/elementary/config/config.py
@@ -62,6 +62,7 @@ def __init__(
         aws_session_token: Optional[str] = None,
         s3_endpoint_url: Optional[str] = None,
         s3_bucket_name: Optional[str] = None,
+        s3_acl: Optional[str] = None,
         google_project_name: Optional[str] = None,
         google_service_account_path: Optional[str] = None,
         gcs_bucket_name: Optional[str] = None,
@@ -159,6 +160,7 @@ def __init__(
         self.aws_access_key_id = aws_access_key_id
         self.aws_secret_access_key = aws_secret_access_key
         self.aws_session_token = aws_session_token
+        self.s3_acl = s3_acl
 
         google_config = config.get(self._GOOGLE, {})
         self.google_project_name = self._first_not_none(
diff --git a/elementary/monitor/cli.py b/elementary/monitor/cli.py
@@ -526,6 +526,12 @@ def report(
     default=None,
     help="The name of the S3 bucket to upload the report to.",
 )
+@click.option(
+    "--s3-acl",
+    type=str,
+    default=None,
+    help="S3 Canned ACL value used to modify report permissions, for example set to 'public-read' to make the report publicly accessible.",
+)
 @click.option(
     "--google-service-account-path",
     type=str,
@@ -638,6 +644,7 @@ def send_report(
     aws_session_token,
     s3_endpoint_url,
     s3_bucket_name,
+    s3_acl,
     azure_connection_string,
     azure_container_name,
     google_service_account_path,
@@ -686,6 +693,7 @@ def send_report(
         azure_container_name=azure_container_name,
         s3_endpoint_url=s3_endpoint_url,
         s3_bucket_name=s3_bucket_name,
+        s3_acl=s3_acl,
         google_service_account_path=google_service_account_path,
         google_project_name=google_project_name,
         gcs_bucket_name=gcs_bucket_name,
