Allow S3 access to AWS Serverless Repo in IAM Policy

0

My IAM user that is responsible for deploying CDK templates has an IAM policy specified (Listing 1.), to limit which S3 buckets it has access to.

When attempting to deploy an application from AWS Serverless Repos, I receive the error in Listing 2. This error leads me to believe that the CDK deployer has tried to read some artifact out of an S3 bucket associated with deploying an application from AWS Serverless Repos.

How should I update this policy to allow my CDK deployer to access the relevant S3 bucket? I can't / don't know how to derive the relevant ARN pattern to indicate that I want to allow the CDK deployer to access the S3 buckets associated with AWS Serverless Repos.

...
        {
            "Sid": "MyPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::something-here-*/*",
                "arn:aws:s3:::something-else-*/*"
            ]
        },
...

Listing 1.

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for awsserverlessrepo-changesets-1my58927y6rqa/857181079225/arn:aws:serverlessrepo:eu-central-1:482117739457:applications-cloudwatch-alarm-to-ms-teams-versions-1.1.8/465e2e1c-1c66-417d-9528-0855feae5e55.

Listing 2.

1 Answer
1

You can refer to this documentation to modify your IAM policy for using AWS Serverless Repo: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/security_iam_service-with-iam.html

AWS
answered a year ago
EXPERT
kentrad
reviewed a year ago
  • Thanks Behrang. This documentation doesn't mention any policies that would allow my deployer to access the relevant S3 bucket. Is this something I'm misunderstanding? If I were to grant my deployer the "serverlessrepo:CreateApplication" permission, would that grant it the access it needs to access the S3 bucket?
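
A way to check why the policy in Listing 1 does not cover the request in Listing 2, as an added example that is not part of the original posts or of AWS documentation. It parses the error text, rebuilds the S3 object ARN, and tests it against `Resource` patterns with IAM-style wildcards; `CANDIDATE` is an assumed pattern derived only from the bucket name in the error, and the function names are hypothetical.

```python
import re

# Error text from Listing 2, copied from the question.
DENIED = ("Your access has been denied by S3, please make sure your request "
          "credentials have permission to GetObject for "
          "awsserverlessrepo-changesets-1my58927y6rqa/857181079225/"
          "arn:aws:serverlessrepo:eu-central-1:482117739457:applications-"
          "cloudwatch-alarm-to-ms-teams-versions-1.1.8/"
          "465e2e1c-1c66-417d-9528-0855feae5e55.")

# Resource patterns from Listing 1.
LISTING_1 = ["arn:aws:s3:::something-here-*/*",
             "arn:aws:s3:::something-else-*/*"]

# Assumption: a pattern built only from the bucket-name prefix seen in Listing 2.
CANDIDATE = "arn:aws:s3:::awsserverlessrepo-changesets-*/*"


def denied_object(message):
    """Return (action, object ARN) named in an S3 'permission to X for bucket/key' error."""
    m = re.search(r"permission to (\w+) for ([^/\s]+)/(\S+?)\.?$", message.strip())
    if not m:
        raise ValueError("message does not name an action and bucket/key")
    action, bucket, key = m.groups()
    return "s3:" + action, "arn:aws:s3:::" + bucket + "/" + key


def iam_match(pattern, arn):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn, re.DOTALL) is not None


def allowed_by(resources, message, actions=("s3:GetObject",)):
    """True if an Allow statement with these actions/resources covers the denied request.

    Models one Allow statement only: no explicit Deny, bucket policy, SCP or boundary.
    """
    action, arn = denied_object(message)
    return action in actions and any(iam_match(p, arn) for p in resources)


if __name__ == "__main__":
    print(denied_object(DENIED)[1])
    print("Listing 1 covers it:", allowed_by(LISTING_1, DENIED))
    print("With candidate pattern:", allowed_by(LISTING_1 + [CANDIDATE], DENIED))
```

S3 bucket names are global, so a prefix wildcard such as `CANDIDATE` matches any bucket with that prefix regardless of which account owns it; pinning the exact bucket name from the error message is the narrowest grant.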
