By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Allow S3 access to AWS Serverless Repo in IAM Policy

0

My IAM user that is responsible for deploying CDK templates has an IAM policy specified (Listing 1.), to limit which S3 buckets it has access to.

When attempting to deploy an application from AWS Serverless Repos, I receive the error in Listing 2. This error leads me to believe that the CDK deployer has tried to read some artifact out of an S3 bucket associated with deploying an application from AWS Serverless Repos.

How should I update this policy to allow my CDK deployer to access the relevant S3 bucket? I can't / don't know how to derive the relevant ARN pattern to indicate that I want to allow the CDK deployer to access the S3 buckets associated with AWS Serverless Repos.

...
        {
            "Sid": "MyPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
            ],
            "Resource": [
                "arn:aws:s3:::something-here-*/*"
                "arn:aws:s3:::something-else-*/*"
            ]
        },
...

Listing 1.

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for awsserverlessrepo-changesets-1my58927y6rqa/857181079225/arn:aws:serverlessrepo:eu-central-1:482117739457:applications-cloudwatch-alarm-to-ms-teams-versions-1.1.8/465e2e1c-1c66-417d-9528-0855feae5e55.

Listing 2.

Topics
ServerlessComputeSecurity, Identity, & ComplianceAWS Cloud Development Kit (CDK)
Tags
AWS Serverless Application RepositoryIAM PoliciesAWS Cloud Development Kit (CDK)
Language
English
thestillheron
asked 2 years ago626 views
3 Answers
1

You can refer to this documentation to modify your IAM policy for using AWS Serverless Repo : https://docs.aws.amazon.com/serverlessrepo/latest/devguide/security_iam_service-with-iam.html

AWS
EXPERT
Behrang_KS
answered 2 years ago
profile pictureAWS
EXPERT
kentrad
reviewed 2 years ago
  • thestillheron
    2 years ago

    Thanks Behrang. This documentation doesn't mention any policies that would allow my deployer to access the relevant S3 bucket. Is this something I'm misunderstanding? If I were to grant my deployer the "serverlessrepo:CreateApplication" permission, would that grant it the access it needs to access the S3 bucket?

0

I am having this same problem, but the documentation does not offer any solutions on what to add for an access policy. Was your problem solved?

In my case, the error is coming from a cloudformation stack that is deploying the serverless repo. If I update the execution role of the stack to include s3:Get* on Resource: "*" then it works. I need to know how to scope this down

lkelly
answered 6 months ago
0

The bucket name in your case is awsserverlessrepo-changesets-1my58927y6rqa

profile picture
EXPERT
AndersB
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content