fix: added support for generating S3 permissions using Bucket references #648
Conversation
| `arn:aws:s3:::${bucket}/*`, | ||
| ], | ||
| resource: resolveS3BucketReferences(bucket, [ | ||
| `arn:aws:s3:::\${bucket}`, |
There was a problem hiding this comment.
I decided to keep the strings as template literals and just escape the ${bucket} so it wasn't interpolated here, but in the resolveS3BucketReferences() function.
This is because other affected strings below uses other variables such as ${prefix} and ${key} and so they needed to remain template literals to have those interpolated correctly.
So I decided for consistency I would keep them all as template literals and uniformly escape the ${bucket} references.
There was a problem hiding this comment.
After review, I changed my mind and decided to use unescaped single quoted strings with a comment as I felt it was easier for the reader to understand why bucket wasn't being interpolated directly here.
|
It looks good. Could you add a test so we can see the compiled IAM template? |
That's great. Sorry for the delay here. I'm currently under a project deadline squeeze for the next 3 weeks, but I'll get to it once that we've hit that release milestone unless someone else wants to add one ahead of that. |
danrivett
force-pushed
the
647-resolve-s3-bucket-reference-in-iam-permissions
branch
from
6795e01 to
a0f6bd2
Compare
| resource: resolveS3BucketReferences(bucket, [ | ||
| 'arn:aws:s3:::${bucket}', | ||
| 'arn:aws:s3:::${bucket}/*', | ||
| ]), | ||
| }, | ||
| { | ||
| action: 's3:List*', | ||
| resource: [ | ||
| `arn:aws:s3:::${bucket}`, | ||
| `arn:aws:s3:::${bucket}/*`, | ||
| ], | ||
| resource: resolveS3BucketReferences(bucket, [ | ||
| 'arn:aws:s3:::${bucket}', | ||
| 'arn:aws:s3:::${bucket}/*', | ||
| ]), |
There was a problem hiding this comment.
We no longer string interpolate the ${bucket} here (hence the change to single quotes), instead we interpolate it inside the new resolveS3BucketReferences() function as that handles being passed not just a string literal for the bucket value, but also an intrinsic function.
(I forgot I added a comment about this in my initial PR submission, so I added a comment there to clarify).
danrivett
force-pushed
the
647-resolve-s3-bucket-reference-in-iam-permissions
branch
from
a0f6bd2 to
228433e
Compare
danrivett
force-pushed
the
647-resolve-s3-bucket-reference-in-iam-permissions
branch
from
228433e to
14da7bf
Compare
|
@zirkelc I updated this PR to rebase it on the latest master branch as well as added unit tests. Please can you review the tests. Full disclosure: I used Claude Code to generate the tests, which I then lightly edited and reviewed. They seem fine to me and consistent with other tests in that file, but I don't know the codebase well enough to know for sure. If there are any further code review actions, please let me know. |
Resolves #647
Note: I'll add unit tests if the proposed solution in this PR is correct. This solution works for me, but I wasn't sure if there was a better way to fix this issue.