aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 819 forks

resources.s3AuthReadPolicy.policyDocument.Statement is undefined in override.ts #11290

Closed ajspetner closed 1 year ago

ajspetner commented 1 year ago

I can override s3AuthPublicPolicy with the following:

export function override(resources: AmplifyS3ResourceTemplate) {
  resources.s3AuthPublicPolicy.policyDocument.Statement = [
    ...resources.s3AuthPublicPolicy.policyDocument.Statement,
    myRule1,
    myRule2
  ];
}

However, when I try doing the same for s3AuthReadPolicy, I get the following message:

🛑 Error: Skipping override due to TypeError: resources.s3AuthReadPolicy.policyDocument.Statement is not iterable

When I do console.log(resources.s3AuthReadPolicy.policyDocument.Statement), I get undefined. However, if I do console.log(JSON.stringify(resources.s3AuthReadPolicy.policyDocument)), I do see the Statement object in the JSON.

ykethan commented 1 year ago

Hey @ajspetner, thank you for reaching out. On diving deeper into the behaviour, I was able to find the following. The resources.s3AuthPublicPolicy.policyDocument.Statement utilizes the following structure.

{
    Effect: 'Allow',
    Action: { 'Fn::Split': [Array] },
    Resource: [ [Object] ]
  }

while the resources.s3AuthReadPolicy.policyDocument.statements utilizes the following

PolicyStatement {
    _action: [ 's3:GetObject' ],
    _notAction: [],
    _principal: {},
    _notPrincipal: {},
    _resource: [ '${Token[Fn::Join.1151]}' ],
    _notResource: [],
    _condition: {},
    _principals: [],
    _notPrincipals: [],
    sid: undefined,
    effect: 'Allow'
  },

which expects an IAM document structure.

As a workaround, I was able to use the following to add the statement, which copies an existing policy statement and adds the required statements.

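// statements[0] is a live reference, so clone it first; otherwise the existing
// s3:GetObject statement is overwritten and the same object is pushed twice.
const original = resources.s3AuthReadPolicy.policyDocument.statements[0];
const copy = Object.assign(Object.create(Object.getPrototypeOf(original)), original);
copy._action = ['s3:PutObject']; // array, matching the PolicyStatement structure above
copy._resource = ['arn']; // placeholder: replace with the target resource ARN
copy.effect = 'Allow';
resources.s3AuthReadPolicy.policyDocument.statements.push(copy);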

On a push, I was able to see the permission in the IAM policy on the AWS console. Additionally, we can try to utilize amplify add custom to utilize the IAM cdk library to create a Policy statement and add it to the existing bucket.
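
An added example, not part of the thread or of the Amplify code base: a helper that appends one statement to either policy document shape described above (raw `Statement` JSON or a `statements` array of statement objects) while leaving existing statements untouched. `PolicyStatementStandIn`, `appendStatement`, the wildcard guard and the bucket ARNs are assumptions constructed for illustration; the stand-in class only mirrors the fields shown in the dump above.

```typescript
// Constructed stand-in for the PolicyStatement dump shown above (not the real CDK class).
class PolicyStatementStandIn {
  _action: string[];
  _resource: string[];
  effect = 'Allow';
  constructor(actions: string[], resources: string[]) {
    this._action = actions;
    this._resource = resources;
  }
}

type RawStatement = { Effect: string; Action: string | string[]; Resource: string | string[] };
type RawDoc = { Statement: RawStatement[] };            // shape seen on s3AuthPublicPolicy
type CdkDoc = { statements: PolicyStatementStandIn[] }; // shape seen on s3AuthReadPolicy

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Hypothetical helper: returns the new statement count; existing statements are not modified.
function appendStatement(doc: RawDoc | CdkDoc, stmt: RawStatement): number {
  const actions = asList(stmt.Action);
  const resources = asList(stmt.Resource);
  // Least-privilege guard: an override should not silently widen the role.
  if (actions.some(a => a === '*' || a === 's3:*') || resources.some(r => r === '*')) {
    throw new Error('refusing wildcard action or resource');
  }
  if ('Statement' in doc && Array.isArray(doc.Statement)) {
    doc.Statement = [...doc.Statement, { ...stmt }];
    return doc.Statement.length;
  }
  if ('statements' in doc && Array.isArray(doc.statements) && doc.statements.length > 0) {
    const template = doc.statements[0];
    // Clone (same prototype, own fields). Reusing statements[0] itself would alias it,
    // so editing the "copy" would rewrite the existing statement as well.
    const clone: PolicyStatementStandIn = Object.assign(
      Object.create(Object.getPrototypeOf(template)), template);
    clone._action = actions;
    clone._resource = resources;
    clone.effect = stmt.Effect;
    doc.statements.push(clone);
    return doc.statements.length;
  }
  throw new Error('unrecognised policy document shape');
}

// Constructed sample input: a read policy holding one s3:GetObject statement.
const readDoc: CdkDoc = { statements: [
  new PolicyStatementStandIn(['s3:GetObject'], ['arn:aws:s3:::example-bucket/protected/*'])] };
appendStatement(readDoc, { Effect: 'Allow', Action: 's3:PutObject',
  Resource: 'arn:aws:s3:::example-bucket/uploads/*' });
console.log(readDoc.statements.map(s => s._action)); // original statement is still s3:GetObject
```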

ykethan commented 1 year ago

Hey @ajspetner, following up on this issue. Please do let us know if you require any assistance.

josefaidt commented 1 year ago

Closing due to inactivity

dumulnet commented 1 year ago

All other solutions don't work and this seems to be the current solution for now.

ScottSWu commented 1 year ago

Hi, I'm running into this issue on @aws-amplify/cli==11.0.5 and @aws-amplify/cli-extensibility-helper==3.0.0. Is there any plan to make the types consistent? Or accept PRs to do so?

chrisl777 commented 1 year ago

This issue is still happening. When I follow the docs, I get the Statement is not iterable error. (For reference, the docs I followed: https://docs.amplify.aws/cli/storage/override/.)

Building on a workaround above, I found something like this approach did not cause an error.

resources.s3GuestReadPolicy.policyDocument.statements.push({
  Effect: "Allow",
  Action: "s3:GetObject",
  Resource: `${resources.s3Bucket.attrArn}/public/*`
})