Creating a custom S3 bucket policy with Serverless Framework
A while back I developed an app for my job that took files uploaded to S3 and uploaded them to an SFTP host. Recently I was asked if we could re-use that app for a service hosted in a different account. After looking at the code, I determined that this was possible, provided we granted access to those accounts. Here’s how I added the custom BucketPolicy. Note that I’ve removed a lot of stuff unrelated to the bucket and BucketPolicy.
service:
name: myServicecustom:
s3:
bucket: myBucketplugins:provider:
name: aws
frameworkVersion: '1.70.0'
runtime: nodejs12.x
region: ${opt:region, 'us-east-1'}
iamRoleStatements:
- Effect: Allow
Action:
- s3:GetObject
- s3:DeleteObject
Resource:
# Specify bucket ARN this way to avoid a "Circular dependency between resources" error
- Fn::Join:
- '/'
- 'arn:aws:s3::'
- Fn::Join:
- '/'
- - ${self:custom.s3.bucket}
- '*'
- Effect: Allow
Action:
- s3:ListObjects
Resource:
# Specify bucket ARN this way to avoid a "Circular dependency between resources" error
- Fn::Join:
- ':'
- - 'arn:aws:s3::'
- ${self:custom.s3.bucket}
# see https://www.serverless.com/framework/docs/providers/aws/events/s3#custom-bucket-configuration
s3:
theBucket:
name: ${self:custom.s3.bucket}functions:
s3ToSftp:
timeout: 300
memorySize: 1024
handler: src/handler.main
events:
- s3:
bucket: theBucketresources:
Resources:
BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3BucketTheBucket
PolicyDocument:
Statement:
- Action:
- s3:ListBucket
- s3:GetObjectVersion
- s3:GetObject
- s3:GetBucketVersioning
- s3:GetBucketLocation
- s3:PutObject
- s3:GetObject
- s3:GetObjectVersion
- s3:GetObjectACL
- s3:PutObjectACL
Resource:
- arn:aws:s3:::${self:custom.s3.bucket}/*
- arn:aws:s3:::${self:custom.s3.bucket}
Effect: Allow
Principal:
AWS:
- arn:aws:iam::123456789012:root
- arn:aws:iam::123456789013:root
- Fn::Join
- ':'
- - 'arn:aws:iam:'
- !Ref 'AWS::AccountId'
- 'root'
One thing to note: the version of the Serverless Framework (see provider.frameworkVersion
) is way out of date. This is because the app was developed a year ago. serverless.yml
might need some updates to be current.
You may also notice that while we have called our S3 bucket theBucket
under provider.s3
, we refer to it as S3BucketTheBucket
inBucketPolicy
. This is because Serverless is going to PascalCase all of the resources it creates (as opposed to those explicitly specified in the Resources section, e.g. BucketPolicy
).
So what have we done here? We have granted read and create access to our S3 bucket to AWS accounts 123456789012 and 123456789013, as well as the AWS account that this stack (because ultimately, Serverless produces a CloudFormation stack) is deployed in.
I hope you find this helpful. If so, maybe put a tip in the jar?: https://ko-fi.com/popefelix. If you have any questions, please leave them in the comments below.