How to Add iamRoleStatements to S3 Trigger Bucket

aws

#1

When I am adding the following code in serverless.yml file

provider:
  name: aws
  runtime: python3.6
  stage: dev
  region: [REGION]
  iamRoleStatements:
    - Effect: "Allow"
      Action:
       - "s3:GetObject"
      Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": [BUCKET NAME] }, "/*" ] ] }

On deployment, I am getting “The CloudFormation template is invalid: Circular dependency between resources:”

I am using boto3 with python3 to get the private file that is uploaded to the S3 bucket after the trigger event, so I would like to give the Lambda function permission for that bucket.


#2

@himadri: Could you add a little more information on this? In particular, it’d be helpful to have:

  1. The version of serverless you’re running (sls version);
  2. The full serverless.yml, or at least as much as you can show. Having the resources section in particular will be helpful.

#3

Sorry, my mistake. SLS version 1.21.1. And here is the full version of my serverless.yml file.

service: [SERVICE NAME]

frameworkVersion: ">=1.21.1"

provider:
  name: aws
  runtime: python3.6
  stage: dev
  region: [REGION]
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:GetObject"
      Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "[S3BucketBUCKET_NAME]" }, "/*" ] ] }
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "[S3BucketANOTHER_BUCKET_NAME]" } ] ] }
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "[S3BucketANOTHER_BUCKET_NAME]" }, "/*" ] ] }
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource: { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "ServerlessDeploymentBucket" } ] ]  }
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - "Ref" : "ServerlessDeploymentBucket"
            - "/*"

functions:
  [FUNCTION NAME]:
    handler: handler.[HANDLER_NAME]
    events:
      - s3:
          bucket: [BUCKET_NAME]
          event: s3:ObjectCreated:*
          rules:
            - suffix: [SUFFIX]
  [ANOTHER FUNCTION NAME]:
    handler: handler.[HANDLER_NAME]
    events:
      - s3:
          bucket: [BUCKET_NAME]
          event: s3:ObjectCreated:*
          rules:
            - suffix: [SUFFIX]

package:
  exclude:
    - node_modules/**
    - venv/**
    - .requirements/**
    - package.json
    - requirements.txt
    - .requirements.zip

resources:
  Resources:
    S3BucketBUCKET_NAME:
      Type: AWS::S3::Bucket
      Properties:
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders:
                - "*"
              AllowedMethods:
                - GET
                - POST
                - PUT
              AllowedOrigins:
                - "*"
    S3BucketANOTHER_BUCKET_NAME:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: [ANOTHER_BUCKET_NAME]

plugins:
  - serverless-python-requirements

custom:
  pythonRequirements:
    zip: true
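
The following is an added example, not code from the thread or from the Serverless Framework. It reconstructs why the `Ref` in the role statement produces the "Circular dependency between resources" error: the role's policy references the bucket, the bucket's notification configuration references the function, and the function references the role. The template below is a constructed, stripped-down stand-in for what the framework renders for an `s3` event (the logical IDs follow the framework's naming convention, which the thread shows for `S3BucketBUCKET_NAME` and `ServerlessDeploymentBucket`; the `DependsOn` on the permission resource and the exact property shapes are assumptions, not copied from a real template). `with_literal_arn` shows the usual way to break the cycle: build the ARN from the bucket name string instead of referencing the bucket resource.

```python
"""Detect the Role -> Bucket -> Function -> Role cycle in a CloudFormation skeleton."""
import json
from typing import Dict, List, Set

# Constructed template (assumption: simplified shape of the framework's output).
TEMPLATE_WITH_REF = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyDocument": {"Statement": [{
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                # The statement from post #1: Ref to the event bucket resource.
                "Resource": {"Fn::Join": ["", [
                    "arn:aws:s3:::", {"Ref": "S3BucketBUCKETNAME"}, "/*"]]},
            }]}}]},
        },
        "MyFunctionLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"]}},
        },
        "S3BucketBUCKETNAME": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"NotificationConfiguration": {"LambdaConfigurations": [{
                "Event": "s3:ObjectCreated:*",
                "Function": {"Fn::GetAtt": ["MyFunctionLambdaFunction", "Arn"]},
            }]}},
            "DependsOn": ["MyFunctionLambdaPermissionS3"],  # assumed ordering hint
        },
        "MyFunctionLambdaPermissionS3": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {"FunctionName": {"Fn::GetAtt": ["MyFunctionLambdaFunction", "Arn"]}},
        },
    }
}


def references(node) -> Set[str]:
    """Collect logical IDs used via Ref / Fn::GetAtt anywhere under node."""
    found: Set[str] = set()
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        att = node.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            found.add(att[0])
        elif isinstance(att, str):
            found.add(att.split(".", 1)[0])
        for value in node.values():
            found |= references(value)
    elif isinstance(node, list):
        for value in node:
            found |= references(value)
    return found


def dependency_graph(template) -> Dict[str, Set[str]]:
    """Edges resource -> resources it depends on (intrinsic refs plus DependsOn)."""
    resources = template["Resources"]
    graph: Dict[str, Set[str]] = {}
    for name, body in resources.items():
        deps = references(body.get("Properties", {}))
        depends_on = body.get("DependsOn", [])
        deps |= set([depends_on] if isinstance(depends_on, str) else depends_on)
        # Pseudo parameters such as AWS::Region are not resources; drop them.
        graph[name] = {d for d in deps if d in resources}
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> List[str]:
    """Depth-first search; returns the first cycle as a closed path, or [] if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {n: WHITE for n in graph}
    path: List[str] = []

    def visit(node: str) -> List[str]:
        color[node] = GREY
        path.append(node)
        for nxt in sorted(graph[node]):
            if color[nxt] == GREY:  # back edge closes a cycle
                return path[path.index(nxt):] + [nxt]
            if color[nxt] == WHITE:
                cycle = visit(nxt)
                if cycle:
                    return cycle
        path.pop()
        color[node] = BLACK
        return []

    for start in sorted(graph):
        if color[start] == WHITE:
            cycle = visit(start)
            if cycle:
                return cycle
    return []


def with_literal_arn(template, bucket_name: str):
    """Copy of the template with the role statement built from the bucket name string."""
    fixed = json.loads(json.dumps(template))
    stmt = fixed["Resources"]["IamRoleLambdaExecution"]["Properties"]["Policies"][0][
        "PolicyDocument"]["Statement"][0]
    stmt["Resource"] = f"arn:aws:s3:::{bucket_name}/*"  # no Ref, so no edge to the bucket
    return fixed


if __name__ == "__main__":
    print("with Ref:   ", find_cycle(dependency_graph(TEMPLATE_WITH_REF)))
    print("literal ARN:", find_cycle(dependency_graph(with_literal_arn(TEMPLATE_WITH_REF, "my-bucket"))))
```

Running it prints the closed path `IamRoleLambdaExecution -> S3BucketBUCKETNAME -> MyFunctionLambdaFunction -> IamRoleLambdaExecution` for the original statement and an empty list once the resource ARN is a plain string. The literal ARN is also tighter from a least-privilege standpoint only if the bucket name is stable; if the framework generates the bucket name, keep the name in a single `custom` variable and reuse it for both the event and the policy so the two cannot drift apart.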

#4

Have you seen the serverless.yml file?