
Incorrect IAM Permissions generated when S3 Bucket Reference used #647


Open
danrivett opened this issue Apr 19, 2025 · 0 comments · May be fixed by #648

Comments

danrivett (Contributor) commented Apr 19, 2025

Summary

I'm trying to do an S3 putObject using an S3 SDK service integration that references an S3 bucket created in the same serverless.yml file.

I tried to reference the bucket's name using Ref: bucketResource, something like the following:

```yaml
Write to an S3 Bucket defined in serverless.yml:
  Type: Task
  Resource: arn:aws:states:::aws-sdk:s3:putObject
  Parameters:
    Bucket:
      Ref: myBucketReference
    Key: Foo
    Body: Bar
  End: true
```

But it fails to generate the correct IAM policy definition. It generates something like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::[object Object]/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

(Notice the [object Object] instead of the resolved S3 bucket name).

Whereas it generates the correct IAM permissions when I invoke a Lambda function that references a Lambda function defined in the same `serverless.yml` file:

```yaml
Invoke Lambda defined in serverless.yml:
  Type: Task
  Resource:
    Fn::GetAtt: [myLambdaResource, Arn]
```

Possible Root Cause

From my investigation it looks like the getS3ObjectPermissions() function in compileIamRole.js is too simplistic and just assumes the bucket field specified is a string literal rather than possibly being a reference.

As I mentioned above, references and other intrinsic functions such as Fn::GetAtt are supported for other resources, but it seems the IAM permissions generation for S3 resources is currently lacking this.

Possible Solution

I modified the getS3ObjectPermissions() function locally to implement a possible solution, and it seems to work for me. I have submitted PR #648 for consideration.

I am happy to modify it as needed, or have it superseded by a better solution, but it would be great to fix this.
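As an added illustration of the root cause described above (this is not the plugin's own code, nor code from this issue's author), the following compares a naive template-string ARN builder, which stringifies a `Ref` object to `[object Object]`, with a reference-aware builder that keeps the intrinsic function intact inside an `Fn::Join` so CloudFormation resolves it at deploy time. The function names and the sample parameters are hypothetical.

```javascript
// Added example (not the plugin's own code). Function names are hypothetical.

// Naive version: assumes `bucket` is always a string literal. Interpolating
// an object such as { Ref: 'myBucketReference' } into a template string
// calls Object.prototype.toString, yielding "[object Object]".
function naiveS3ObjectResource(bucket) {
  return `arn:aws:s3:::${bucket}/*`;
}

// True for a single-key object whose key is Ref or an Fn:: intrinsic.
function isIntrinsic(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  const keys = Object.keys(value);
  return keys.length === 1 && (keys[0] === 'Ref' || keys[0].startsWith('Fn::'));
}

// Reference-aware version: a string literal is interpolated directly; an
// intrinsic (Ref on an AWS::S3::Bucket returns the bucket name) is wrapped
// in Fn::Join, so the policy document stays a valid CloudFormation fragment
// and the name is substituted at deploy time rather than in JavaScript.
function s3ObjectResource(bucket) {
  if (typeof bucket === 'string') {
    return `arn:aws:s3:::${bucket}/*`;
  }
  if (isIntrinsic(bucket)) {
    return { 'Fn::Join': ['', ['arn:aws:s3:::', bucket, '/*']] };
  }
  // Anything else (numbers, arrays, multi-key objects) is a template error;
  // fail loudly instead of emitting a silently wrong resource ARN.
  throw new TypeError(`Unsupported Bucket value: ${JSON.stringify(bucket)}`);
}

// Builds the single s3:PutObject statement from a state's Parameters block,
// using whichever ARN builder is passed in.
function buildPutObjectStatement(params, buildResource) {
  return {
    Effect: 'Allow',
    Action: ['s3:PutObject'],
    Resource: [buildResource(params.Bucket)],
  };
}

// Constructed sample Parameters, mirroring the putObject state in the issue.
const literalParams = { Bucket: 'my-bucket', Key: 'Foo', Body: 'Bar' };
const refParams = { Bucket: { Ref: 'myBucketReference' }, Key: 'Foo', Body: 'Bar' };
```

Running `buildPutObjectStatement(refParams, naiveS3ObjectResource)` reproduces the broken `arn:aws:s3:::[object Object]/*` resource from the issue, while passing `s3ObjectResource` instead yields an `Fn::Join` that CloudFormation resolves to the real bucket name.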
