fix: s3 perm requires ARN not bucket name

theburningmonk · theburningmonk · commit a9ff5db37567 · 2019-08-18T10:43:26.000+02:00
diff --git a/lib/package/s3/compileIamRoleToS3.js b/lib/package/s3/compileIamRoleToS3.js
@@ -2,6 +2,18 @@
 
 const _ = require('lodash')
 
+function convertToArn(bucket) {
+  // bucket can be either a Ref, or a string (bucket name)
+  if (bucket.Ref) {
+    const logicalId = bucket.Ref
+    return {
+      'Fn::GetAtt': [logicalId, 'Arn']
+    }
+  } else {
+    return `arn:aws:s3:::${bucket}`
+  }
+}
+
 module.exports = {
   compileIamRoleToS3() {
     const bucketActions = _.flatMap(this.getAllServiceProxies(), (serviceProxy) => {
@@ -29,7 +41,7 @@ module.exports = {
           'Fn::Sub': [
             '${bucket}/*',
             {
-              bucket
+              bucket: convertToArn(bucket)
             }
           ]
         }
diff --git a/lib/package/s3/compileIamRoleToS3.test.js b/lib/package/s3/compileIamRoleToS3.test.js
@@ -102,7 +102,7 @@ describe('#compileIamRoleToS3()', () => {
                       'Fn::Sub': [
                         '${bucket}/*',
                         {
-                          bucket: 'myBucket'
+                          bucket: 'arn:aws:s3:::myBucket'
                         }
                       ]
                     }
@@ -114,7 +114,7 @@ describe('#compileIamRoleToS3()', () => {
                       'Fn::Sub': [
                         '${bucket}/*',
                         {
-                          bucket: 'myBucket'
+                          bucket: 'arn:aws:s3:::myBucket'
                         }
                       ]
                     }
@@ -127,7 +127,7 @@ describe('#compileIamRoleToS3()', () => {
                         '${bucket}/*',
                         {
                           bucket: {
-                            Ref: 'MyBucket'
+                            'Fn::GetAtt': ['MyBucket', 'Arn']
                           }
                         }
                       ]
@@ -140,7 +140,7 @@ describe('#compileIamRoleToS3()', () => {
                       'Fn::Sub': [
                         '${bucket}/*',
                         {
-                          bucket: 'myBucketV2'
+                          bucket: 'arn:aws:s3:::myBucketV2'
                         }
                       ]
                     }

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ describe('#compileIamRoleToS3()', () => {`
`102`	`102`	`'Fn::Sub': [`
`103`	`103`	`'${bucket}/*',`
`104`	`104`	`{`
`105`		`- bucket: 'myBucket'`
	`105`	`+ bucket: 'arn:aws:s3:::myBucket'`
`106`	`106`	`}`
`107`	`107`	`]`
`108`	`108`	`}`
`@@ -114,7 +114,7 @@ describe('#compileIamRoleToS3()', () => {`
`114`	`114`	`'Fn::Sub': [`
`115`	`115`	`'${bucket}/*',`
`116`	`116`	`{`
`117`		`- bucket: 'myBucket'`
	`117`	`+ bucket: 'arn:aws:s3:::myBucket'`
`118`	`118`	`}`
`119`	`119`	`]`
`120`	`120`	`}`
`@@ -127,7 +127,7 @@ describe('#compileIamRoleToS3()', () => {`
`127`	`127`	`'${bucket}/*',`
`128`	`128`	`{`
`129`	`129`	`bucket: {`
`130`		`- Ref: 'MyBucket'`
	`130`	`+ 'Fn::GetAtt': ['MyBucket', 'Arn']`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`	`]`
`@@ -140,7 +140,7 @@ describe('#compileIamRoleToS3()', () => {`
`140`	`140`	`'Fn::Sub': [`
`141`	`141`	`'${bucket}/*',`
`142`	`142`	`{`
`143`		`- bucket: 'myBucketV2'`
	`143`	`+ bucket: 'arn:aws:s3:::myBucketV2'`
`144`	`144`	`}`
`145`	`145`	`]`
`146`	`146`	`}`