getlift / lift

Expanding Serverless Framework beyond functions using the AWS CDK
MIT License

Cannot reference `${construct:{myBucket}.bucketName}/*` directly when setting IAM permissions #326

Closed r-token closed 1 year ago

r-token commented 1 year ago

Description

I'm using the storage construct to create an S3 bucket and need to refer to the ARN + /* for various IAM permissions.

Referring to ${construct:myBucket.bucketArn}/*, though, throws a MalformedPolicyDocument error that says Resource [object Object]/* must be in ARN format or "*".

Is there a way to get the full ARN and then append the /* for things like s3:GetObject and s3:PutObject without doing the whole Fn::Join dance?

How to Reproduce

The following YAML will reproduce this error:

iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - s3:GetObject
          - s3:PutObject
        Resource:
          - "${construct:myBucket.bucketArn}/*"

Referencing the construct and appending /* will throw the Resource [object Object]/* must be in ARN format or "*" error mentioned above.

Additional Information

Versions:

Fn::Join workaround:

iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - s3:GetObject
        Resource:
          - Fn::Join:
            - ''
            - - "${construct:myBucket.bucketArn}"
              - "/*"

mnapoli commented 1 year ago

Hey Ryan!

Unfortunately, the workaround is the right approach. Since Lift variables are resolved into !Ref ..., you cannot use them inside strings with interpolation like you did.

I'm going to close this one as this is the expected behavior. Let me know if you have other ideas!
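To make the maintainer's explanation concrete, here is an added example (not code from Lift or the Serverless Framework) that mimics a variable resolving into a CloudFormation intrinsic object, shows why plain string interpolation yields "[object Object]/*", builds the Fn::Join form from the workaround, and lints IAM statements for Resource values IAM would reject. The `Fn::GetAtt` intrinsic used as the resolved value is an assumed stand-in for whatever Lift actually emits; only its shape (object, not string) matters.

```javascript
// Added illustration, not code from the Lift project. Lift resolves a variable such
// as ${construct:myBucket.bucketArn} into a CloudFormation intrinsic (an object), so
// appending "/*" in a plain string stringifies that object. The exact intrinsic Lift
// emits is assumed here; the shape (object, not string) is what matters.
const RESOLVED = {
  'construct:myBucket.bucketArn': { 'Fn::GetAtt': ['MyBucket', 'Arn'] }, // assumed
};

const VAR_RE = /^\$\{([^}]+)\}$/; // matches a string that is exactly one variable

// What naive string interpolation produces: the object becomes "[object Object]".
function naiveResource(template) {
  return template.replace(/\$\{([^}]+)\}/g, (_, name) => String(RESOLVED[name]));
}

// The Fn::Join form from the workaround: the variable stays an intrinsic object and
// CloudFormation performs the concatenation at deploy time.
function joinedResource(...parts) {
  const resolved = parts.map((p) => {
    const m = typeof p === 'string' && p.match(VAR_RE);
    return m && RESOLVED[m[1]] ? RESOLVED[m[1]] : p;
  });
  return { 'Fn::Join': ['', resolved] };
}

// Pre-deploy check mirroring what IAM rejects with MalformedPolicyDocument:
// a Resource must be "*", an ARN string, or a CloudFormation intrinsic object.
function isValidResource(resource) {
  if (typeof resource === 'string') {
    return resource === '*' || resource.startsWith('arn:');
  }
  if (resource && typeof resource === 'object' && !Array.isArray(resource)) {
    const keys = Object.keys(resource);
    return keys.length === 1 && (keys[0] === 'Ref' || keys[0].startsWith('Fn::'));
  }
  return false;
}

// Lint every Resource entry of a list of IAM statements; returns the offending values.
function findMalformedResources(statements) {
  const bad = [];
  for (const st of statements) {
    const resources = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    for (const r of resources) if (!isValidResource(r)) bad.push(r);
  }
  return bad;
}

console.log(naiveResource('${construct:myBucket.bucketArn}/*')); // prints "[object Object]/*"
```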