Allow S3 access to AWS Serverless Repo in IAM Policy

0

My IAM user that is responsible for deploying CDK templates has an IAM policy specified (Listing 1.), to limit which S3 buckets it has access to.

When attempting to deploy an application from AWS Serverless Repos, I receive the error in Listing 2. This error leads me to believe that the CDK deployer has tried to read some artifact out of an S3 bucket associated with deploying an application from AWS Serverless Repos.

How should I update this policy to allow my CDK deployer to access the relevant S3 bucket? I can't / don't know how to derive the relevant ARN pattern to indicate that I want to allow the CDK deployer to access the S3 buckets associated with AWS Serverless Repos.

...
        {
            "Sid": "MyPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
            ],
            "Resource": [
                "arn:aws:s3:::something-here-*/*"
                "arn:aws:s3:::something-else-*/*"
            ]
        },
...

Listing 1.

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for awsserverlessrepo-changesets-1my58927y6rqa/857181079225/arn:aws:serverlessrepo:eu-central-1:482117739457:applications-cloudwatch-alarm-to-ms-teams-versions-1.1.8/465e2e1c-1c66-417d-9528-0855feae5e55.

Listing 2.

1 回答
1

You can refer to this documentation to modify your IAM policy for using AWS Serverless Repo : https://docs.aws.amazon.com/serverlessrepo/latest/devguide/security_iam_service-with-iam.html

AWS
专家
已回答 1 年前
profile pictureAWS
专家
kentrad
已审核 1 年前
  • Thanks Behrang. This documentation doesn't mention any policies that would allow my deployer to access the relevant S3 bucket. Is this something I'm misunderstanding? If I were to grant my deployer the "serverlessrepo:CreateApplication" permission, would that grant it the access it needs to access the S3 bucket?

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则