bug: cdklocal call to S3 put_public_access_block fails with 'Access Denied' #10724

Open
1 task done
jrobbins-LiveData opened this issue Apr 25, 2024 · 3 comments
Labels
area: integration/cdk Issues related to AWS Cloud Development Kit aws:s3 Amazon Simple Storage Service status: backlog Triaged but not yet being worked on type: bug Bug report

@jrobbins-LiveData

### Is there an existing issue for this?

  • I have searched the existing issues

### Current Behavior

The following Python code running in a cdk stack

    s3_client.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration=dict(
            BlockPublicAcls=True,
            IgnorePublicAcls=True,
            BlockPublicPolicy=True,
            RestrictPublicBuckets=True
        ),
        ExpectedBucketOwner=stack.ensure_context('account')
    )

fails during cdklocal bootstrap with this traceback

      File [REDACTED] in copy_to_s3
        s3_client.put_public_access_block(
      File ".venv\Lib\site-packages\botocore\client.py", line 565, in _api_call
        return self._make_api_call(operation_name, kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File ".venv\Lib\site-packages\botocore\client.py", line 1021, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutPublicAccessBlock operation: Access Denied

    Subprocess exited with error 1

### Expected Behavior

I expected the call to set the indicated PublicAccessBlockConfiguration on the bucket.

### How are you starting LocalStack?

Custom (please describe below)

### Steps To Reproduce

#### How are you starting localstack (e.g., `bin/localstack` command, arguments, or `docker-compose.yml`)

    using the docker desktop extension

#### Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

    cdklocal bootstrap


### Environment

```markdown
- OS: Windows 10
- LocalStack: 3.4.0
```

### Anything else?

Other S3 boto3 calls work, so I am assuming that this is a particular problem with the put_public_access_block call implementation?

@jrobbins-LiveData jrobbins-LiveData added status: triage needed Requires evaluation by maintainers type: bug Bug report labels Apr 25, 2024
@localstack-bot
Collaborator

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

@bentsku bentsku added status: response required Waiting for a response from the reporter area: integration/cdk Issues related to AWS Cloud Development Kit aws:s3 Amazon Simple Storage Service and removed status: triage needed Requires evaluation by maintainers labels Apr 25, 2024
@bentsku
Contributor

bentsku commented Apr 25, 2024

Hello @jrobbins-LiveData and thanks for your report!

Could you share LocalStack logs when this happens? You can enable more verbose logs with `LS_LOG=trace` and look for `PutPublicAccessBlock`, we should get more information about that request.

Looking at our implementation, I'm not seeing anything that would raise AccessDenied. Do you start LocalStack with any specific configuration? Thanks!

@localstack-bot localstack-bot removed the status: response required Waiting for a response from the reporter label Apr 25, 2024
@jrobbins-LiveData
Author

I'm running LocalStack via the Docker Desktop extension. This is my Configuration -- is the LS_LOG setting correct?
image

I am running cdklocal bootstrap. Do I have to configure anything special to "point it" at my localstack?

The run fails consistently with the "Access Denied" error. Here's the log:

localstack_log.txt

@MarcelStranak MarcelStranak added the status: backlog Triaged but not yet being worked on label Apr 30, 2024