https://serverless-stack.com/ logo
Join Slack
Powered by
Does the name (i.e. type=string) option in <https:...
# help
t
Does the name (i.e. type=string) option in https://docs.serverless-stack.com/util/Permissions#permission just give wildcard permissions to that resource (e.g. 
s3
=== 
s3:*
)? And if so, to add more granular permissions per action, I need to add a full policy statement - is this correct?
f
Hi @Tom Hoad, that’s correct. You can also pass in an 
s3.Bucket
construct, this will grant 
s3:*
to the bucket’s ARN.
Copy code
attachPermissions([s3]);
Or, pass in a grant function (ie. https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-dynamodb.Table.html#grantwbrreadwbrdatagrantee)
Copy code
attachPermissions([ [s3, "grantReadData"] ]);
This page lists the different ways https://docs.serverless-stack.com/util/Permissions
t
Awesome, busy migrating my (toy) app from the original SST to the new SST, I like how some of the complexity/verbosity is now rolled into the framework (e.g. the role stuff for Cognito)
f
Nice! Yup dealing with IAM stuff sucks.
t
And as there is no built-in S3 SST construct (yet?) I can just use the CDK construct directly?
Hmm, I'm instantiating a new bucket using the S3 construct:
Copy code
const bucket = new s3.Bucket(this, "Uploads", { ...
Then attempting to attach permissions for 
bucket
to the roles:
Copy code
auth.attachPermissionsForAuthUsers([api, [bucket, "grantReadWriteData"]]);
auth.attachPermissionsForUnauthUsers([[bucket, "grantReadData"]]);
But I get an error on deployment:
Copy code
TypeError: construct[methodName] is not a function
Doh, wrong grant function!
f
Yup, passing in a CDK S3 construct should work.
3 Views
Open in Slack
PreviousNext
Powered by