add policy to read bucket

Author: juancarle

lib/deploy/stepFunctions/compileIamRole.js

@@ -586,33 +586,40 @@ function getS3ObjectPermissions(action, state) {
   const bucket = state.Parameters.Bucket || '*';
   const key = state.Parameters.Key || '*';
   const prefix = state.Parameters.Prefix;
-  let resource;
+  let arn;
 
-  if (action === 's3:AmazonS3ReadOnlyAccess') {
-    action = [
-      's3:Get*',
-      's3:List*',
-      's3:Describe*',
-      's3-object-lambda:Get*',
-      's3-object-lambda:List*'
-    ];
-    resource = [
-      `arn:aws:s3:::${bucket}`,
-      `arn:aws:s3:::${bucket}/*`
+  if (action === 's3:listObjectsV2') {
+    return [
+      {
+        action: 's3:Get*',
+        resource: [
+          `arn:aws:s3:::${bucket}`,
+          `arn:aws:s3:::${bucket}/*`
+        ]
+      },
+      {
+        action: 's3:List*',
+        resource: [
+          `arn:aws:s3:::${bucket}`,
+          `arn:aws:s3:::${bucket}/*`
+        ]
+      }
     ];
+  }
+
+  if (prefix) {
+    arn = `arn:aws:s3:::${bucket}/${prefix}/${key}`;
   } else if (bucket === '*' && key === '*') {
-    resource = '*';
-  } else if (prefix & key) {
-    resource = `arn:aws:s3:::${bucket}/${prefix}/${key}`;
-  } else if (prefix) {
-    resource = `arn:aws:s3:::${bucket}/${prefix}`;
+    arn = '*';
   } else {
-    resource = `arn:aws:s3:::${bucket}/${key}`;
+    arn = `arn:aws:s3:::${bucket}/${key}`;
   }
 
   return [{
     action,
-    resource,
+    resource: [
+      arn,
+    ],
   }];
 }
 
@@ -751,7 +758,7 @@ function getIamPermissions(taskStates) {
         return getS3ObjectPermissions('s3:PutObject', state);
       case 'arn:aws:states:::s3:listObjectsV2':
       case 'arn:aws:states:::aws-sdk:s3:listObjectsV2':
-        return getS3ObjectPermissions('s3:AmazonS3ReadOnlyAccess', state);
+        return getS3ObjectPermissions('s3:listObjectsV2', state);
 
       default:
         if (isIntrinsic(state.Resource) || !!state.Resource.match(/arn:aws(-[a-z]+)*:lambda/)) {