Merge pull request #4224 from Skarlso/fix-malformed-s3-policy

fix: malformed s3 arn due to incorrect string formatting

Author: k8s-ci-robot

pkg/cloud/services/s3/s3.go

@@ -244,7 +244,7 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
 			Sid:    "control-plane",
 			Effect: iam.EffectAllow,
 			Principal: map[iam.PrincipalType]iam.PrincipalID{
-				iam.PrincipalAWS: []string{fmt.Sprintf("arn:%s:iam::%s:role/%s", s.scope, *accountID.Account, bucket.ControlPlaneIAMInstanceProfile)},
+				iam.PrincipalAWS: []string{fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, *accountID.Account, bucket.ControlPlaneIAMInstanceProfile)},
 			},
 			Action:   []string{"s3:GetObject"},
 			Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/control-plane/*", partition, bucketName)},

pkg/cloud/services/s3/s3_test.go

@@ -172,6 +172,10 @@ func TestReconcileBucket(t *testing.T) {
 			if !strings.Contains(policy, fmt.Sprintf("%s/node/*", bucketName)) {
 				t.Errorf("At least one policy should apply for all objects with %q prefix, got: %v", "node", policy)
 			}
+
+			if !strings.Contains(policy, "arn:aws:iam::foo:role/control-plane.cluster-api-provider-aws.sigs.k8s.io") {
+				t.Errorf("Expected arn to contain the right principal; got: %v", policy)
+			}
 		}).Return(nil, nil).Times(1)
 
 		if err := svc.ReconcileBucket(); err != nil {