feat: add support for having a task be based on an object in S3 using AWS SDK service integration

Author: jswift

lib/deploy/stepFunctions/compileIamRole.js

@@ -372,6 +372,15 @@ function getEventBridgePermissions(state) {
   ];
 }
 
+function getS3GetObjectPermissions(state) {
+  return [{
+    action: 's3:GetObject',
+    resource: [
+      `arn:aws:s3:::${state.Parameters.Bucket}/${state.Parameters.Key}`,
+    ],
+  }];
+}
+
 // if there are multiple permissions with the same action, then collapsed them into one
 // permission instead, and collect the resources into an array
 function consolidatePermissionsByAction(permissions) {
@@ -470,6 +479,9 @@ function getIamPermissions(taskStates) {
       case 'arn:aws:states:::events:putEvents.waitForTaskToken':
         return getEventBridgePermissions(state);
 
+      case 'arn:aws:states:::aws-sdk:s3:getObject':
+        return getS3GetObjectPermissions(state);
+
       default:
         if (isIntrinsic(state.Resource) || !!state.Resource.match(/arn:aws(-[a-z]+)*:lambda/)) {
           const trimmedArn = trimAliasFromLambdaArn(state.Resource);

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -1046,6 +1046,47 @@ describe('#compileIamRole', () => {
     expectDenyAllPolicy(policy);
   });
 
+  it('should give s3:GetObject permission for only objects referenced by state machine', () => {
+    const hello = 'hello.txt';
+    const world = 'world.txt';
+    const testBucket = 'test-bucket';
+
+    const genStateMachine = (id, bucket, key) => ({
+      id,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::aws-sdk:s3:getObject',
+            Parameters: {
+              Bucket: bucket,
+              Key: key,
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('StateMachine1', testBucket, hello),
+        myStateMachine2: genStateMachine('StateMachine2', testBucket, world),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const resources = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources;
+    const policy1 = resources.StateMachine1Role.Properties.Policies[0];
+    const policy2 = resources.StateMachine2Role.Properties.Policies[0];
+    expect(policy1.PolicyDocument.Statement[0].Resource)
+      .to.be.deep.equal([`arn:aws:s3:::${testBucket}/${hello}`]);
+    expect(policy2.PolicyDocument.Statement[0].Resource)
+      .to.be.deep.equal([`arn:aws:s3:::${testBucket}/${world}`]);
+  });
+
   it('should not generate any permissions for Task states not yet supported', () => {
     const genStateMachine = id => ({
       id,