Description
Summary
I'm trying to do an S3 putObject using an S3 SDK service integration that references an S3 bucket created in the same serverless.yml file.
I tried to reference the bucket's name using Ref: bucketResource, something like the following:
```yaml
Write to an S3 Bucket defined in serverless.yml:
  Type: Task
  Resource: arn:aws:states:::aws-sdk:s3:putObject
  Parameters:
    Bucket:
      Ref: myBucketReference
    Key: Foo
    Body: Bar
  End: true
```
But it fails to generate the correct IAM policy definition. It generates something like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::[object Object]/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
(Notice the [object Object] instead of the resolved S3 bucket name.)
Whereas it generates the correct IAM permissions when I invoke a Lambda function that references a Lambda function defined in the same serverless.yml file:
```yaml
Invoke Lambda defined in serverless.yml:
  Type: Task
  Resource:
    Fn::GetAtt: [myLambdaResource, Arn]
```
Possible Root Cause
From my investigation it looks like the getS3ObjectPermissions() function in compileIamRole.js (here) is too simplistic and just assumes the Bucket field specified is a string literal rather than possibly being a reference.
As I mentioned above, references and other intrinsic functions such as Fn::GetAtt are supported for other resources, but it seems the IAM permissions generation for S3 resources is currently lacking this.
Possible Solution
I modified the getS3ObjectPermissions() function locally to implement a possible solution, and it seems to work for me. I have submitted PR #648 for consideration.
I am happy to modify it as needed, or have it superseded by a better solution, but it would be great to fix this.
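As an added illustration of the failure mode and of one way to handle it (this is example code written for this page, not the plugin's getS3ObjectPermissions() and not the contents of PR #648): the naive version interpolates the Bucket value into a template string, so a Ref object stringifies to "[object Object]"; the resolving version keeps a string literal as-is and wraps a Ref or other CloudFormation intrinsic in Fn::Join so CloudFormation fills in the bucket name at deploy time. The function names (s3ObjectArn, s3PutObjectStatement, naiveS3ObjectArn) and the sample state are this example's own assumptions.

```javascript
// Example code added for this page; not the serverless-step-functions plugin's
// own implementation and not PR #648. Function names are the example's own.

// A single-key object whose key is Ref or starts with Fn:: is treated as a
// CloudFormation intrinsic (Ref, Fn::Sub, Fn::ImportValue, ...).
function isIntrinsic(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  const keys = Object.keys(value);
  return keys.length === 1 && (keys[0] === 'Ref' || keys[0].startsWith('Fn::'));
}

// The naive approach the issue describes: string interpolation of whatever the
// Bucket field holds. Works for a literal, yields "[object Object]" for a Ref.
function naiveS3ObjectArn(bucket) {
  return `arn:aws:s3:::${bucket}/*`;
}

// Resolving approach: a literal bucket name is interpolated directly; an
// intrinsic is spliced into an Fn::Join so CloudFormation resolves it when the
// IAM role is created. Anything else is rejected rather than silently mangled.
function s3ObjectArn(bucket) {
  if (typeof bucket === 'string') {
    return `arn:aws:s3:::${bucket}/*`;
  }
  if (isIntrinsic(bucket)) {
    return { 'Fn::Join': ['', ['arn:aws:s3:::', bucket, '/*']] };
  }
  throw new Error(`Unsupported Bucket value: ${JSON.stringify(bucket)}`);
}

// Build the IAM statement for an aws-sdk:s3:putObject task state, scoped to
// objects in the referenced bucket only (least privilege, no wildcard bucket).
function s3PutObjectStatement(taskState) {
  const bucket = taskState.Parameters && taskState.Parameters.Bucket;
  if (bucket === undefined) {
    throw new Error('Task state has no Parameters.Bucket');
  }
  return {
    Effect: 'Allow',
    Action: ['s3:PutObject'],
    Resource: [s3ObjectArn(bucket)],
  };
}

// Constructed sample state mirroring the one in the issue above.
const sampleState = {
  Type: 'Task',
  Resource: 'arn:aws:states:::aws-sdk:s3:putObject',
  Parameters: { Bucket: { Ref: 'myBucketReference' }, Key: 'Foo', Body: 'Bar' },
  End: true,
};

// Side-by-side output: the broken ARN and the CloudFormation-resolvable one.
console.log('naive    :', naiveS3ObjectArn(sampleState.Parameters.Bucket));
console.log('resolving:', JSON.stringify(s3PutObjectStatement(sampleState), null, 2));
```

When the generated template is deployed, the Fn::Join above expands to arn:aws:s3:::<actual-bucket-name>/* in the role's inline policy, which is the same shape the plugin already emits for a literal bucket name.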