getlift/lift

Cannot reference `${construct:{myBucket}.bucketName}/*` directly when setting IAM permissions

r-token opened this issue · 1 comment

Description

I'm using the storage construct to create an S3 bucket and need to refer to the ARN + /* for various IAM permissions.

Referring to ${construct:myBucket.bucketArn}/*, though, throws a MalformedPolicyDocument error that says Resource [object Object]/* must be in ARN format or "*".

Is there a way to get the full ARN and then append the /* for things like s3:GetObject and s3:PutObject without doing the whole Fn::Join dance?

How to Reproduce

The following yaml will reproduce this error:

iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - s3:GetObject
          - s3:PutObject
        Resource:
          - "${construct:myBucket.bucketArn}/*"

Referencing the construct and appending /* will throw the Resource [object Object]/* must be in ARN format or "*" error mentioned above.

Additional Information

Versions:

  • Serverless Framework v3.29.0
  • serverless-lift v1.25.1

Fn::Join workaround:

iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - s3:GetObject
        Resource:
          - Fn::Join:
            - ''
            - - "${construct:myBucket.bucketArn}"
              - "/*"

Hey Ryan!

Unfortunately the workaround is the right approach. Since Lift variables are resolved into !Ref ..., you cannot use them inside strings with interpolation like you did.

I'm going to close this one as this is the expected behavior, let me know if you have other ideas!
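To illustrate the mechanism behind the maintainer's answer, here is an added example (not Lift's or the Serverless Framework's own code) that models how a Lift variable is resolved into a CloudFormation intrinsic object, why interpolating it into a string yields "[object Object]/*", how the Fn::Join form avoids that, and a pre-deploy lint that catches the malformed Resource before IAM rejects it. The resolver and the "myBucketBucket" logical ID are assumptions for the demonstration.

```javascript
// Assumed resolution step: Lift replaces ${construct:...} with a CloudFormation
// intrinsic object (Fn::GetAtt / Ref), never with a plain string.
function resolveLiftVariable(expr) {
  const m = /^\$\{construct:(\w+)\.(bucketArn|bucketName)\}$/.exec(expr);
  if (!m) return expr; // not a Lift variable: leave the string alone
  const logicalId = `${m[1]}Bucket`; // assumed logical ID naming
  return m[2] === 'bucketArn'
    ? { 'Fn::GetAtt': [logicalId, 'Arn'] }
    : { Ref: logicalId };
}

// What the issue's YAML effectively does: the intrinsic object is coerced to a
// string, so the Resource becomes "[object Object]/*".
function interpolatedResource(expr) {
  return `${resolveLiftVariable(expr)}/*`;
}

// The Fn::Join workaround: the intrinsic stays an object and CloudFormation
// concatenates it with "/*" at deploy time.
function joinedResource(expr) {
  return { 'Fn::Join': ['', [resolveLiftVariable(expr), '/*']] };
}

// A Resource entry is acceptable if it is "*", an ARN string, or an intrinsic.
function isValidResource(res) {
  if (typeof res === 'string') return res === '*' || res.startsWith('arn:');
  if (res && typeof res === 'object') {
    return ['Ref', 'Fn::GetAtt', 'Fn::Join', 'Fn::Sub'].some((k) => k in res);
  }
  return false;
}

// Returns the offending Resource entries of one IAM statement (empty if clean).
function lintStatement(statement) {
  const resources = Array.isArray(statement.Resource)
    ? statement.Resource
    : [statement.Resource];
  return resources.filter((r) => !isValidResource(r));
}

// Constructed statements mirroring the two YAML snippets in the issue.
const broken = { Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'],
  Resource: [interpolatedResource('${construct:myBucket.bucketArn}')] };
const fixed = { Effect: 'Allow', Action: ['s3:GetObject'],
  Resource: [joinedResource('${construct:myBucket.bucketArn}')] };
console.log('broken:', lintStatement(broken)); // ["[object Object]/*"]
console.log('fixed:', lintStatement(fixed));   // []
```

Running the lint over every statement under iam.role.statements during CI surfaces this class of mistake before the policy reaches IAM.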