Skip to content

fix: added support for generating S3 permissions using Bucket references #648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: added support for generating S3 permissions using Bucket references #648

wants to merge 1 commit into from
+308 −10

Conversation

danrivett
Copy link
Contributor

Resolves #647

Note: I'll add unit tests if the proposed solution in this PR is correct. This solution works for me, but I wasn't sure if there was a better way to fix this issue.

@danrivett danrivett mentioned this pull request Apr 19, 2025
Open
danrivett
danrivett commented Apr 19, 2025
View reviewed changes
lib/deploy/stepFunctions/compileIamRole.js Outdated
`arn:aws:s3:::${bucket}/*`,
],
resource: resolveS3BucketReferences(bucket, [
`arn:aws:s3:::\${bucket}`,
Copy link
Contributor Author

@danrivett danrivett Apr 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I decided to keep the strings as template literals and just escape the ${bucket} so it wasn't interpolated here, but in the resolveS3BucketReferences() function.

This is because other affected strings below uses other variables such as ${prefix} and ${key} and so they needed to remain template literals to have those interpolated correctly.

So I decided for consistency I would keep them all as template literals and uniformly escape the ${bucket} references.

@zirkelc
Copy link
Collaborator

zirkelc commented May 1, 2025

It looks good. Could you add a test so we can see the compiled IAM template?

@danrivett
Copy link
Contributor Author

It looks good. Could you add a test so we can see the compiled IAM template?

That's great. Sorry for the delay here. I'm currently under a project deadline squeeze for the next 3 weeks, but I'll get to it once that we've hit that release milestone unless someone else wants to add one ahead of that.

@danrivett danrivett force-pushed the 647-resolve-s3-bucket-reference-in-iam-permissions branch from 6795e01 to a0f6bd2 Compare June 13, 2025 03:00
danrivett
danrivett commented Jun 13, 2025
View reviewed changes
lib/deploy/stepFunctions/compileIamRole.js
Comment on lines +666 to +676
resource: resolveS3BucketReferences(bucket, [
'arn:aws:s3:::${bucket}',
'arn:aws:s3:::${bucket}/*',
]),
},
{
action: 's3:List*',
resource: [
`arn:aws:s3:::${bucket}`,
`arn:aws:s3:::${bucket}/*`,
],
resource: resolveS3BucketReferences(bucket, [
'arn:aws:s3:::${bucket}',
'arn:aws:s3:::${bucket}/*',
]),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We no longer string interpolate the ${bucket} here (hence the change to single quotes), instead we interpolate it inside the new resolveS3BucketReferences() function as that handles being passed not just a string literal for the bucket value, but also an intrinsic function.

@danrivett danrivett force-pushed the 647-resolve-s3-bucket-reference-in-iam-permissions branch from a0f6bd2 to 228433e Compare June 13, 2025 03:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Incorrect IAM Permissions generated when S3 Bucket Reference used
2 participants
@danrivett @zirkelc