Hello,
I would like to create an S3 bucket policy and attach a function to that, so that users are only able to add specific file types and the function is able to act on these files - so my function should have GetObject
and my users should be able to do PutObject.
What is the correct way to set this up in my serverless.yml?
This is what I have so far:
```yaml
service: filetype
provider:
  name: aws
  runtime: go1.x
  iamRoleStatements:
    - Effect: Allow
      Action:
        - "s3:getObject"
      Resource:
        Fn::Join:
          - ""
          -
            - "arn:aws:s3:::"
            -
              Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
            - "/*"
  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  environment:
    AIPS_UPLOADS_BUCKET: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
package:
  exclude:
    - ./**
  include:
    - ./filetype
functions:
  aips:
    handler: filetype
    memorySize: 128
    events:
      - s3:
          bucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
          event: s3:ObjectCreated:*
    timeout: 40
    environment:
      HOST: ${file(./config.yml):${opt:stage}.HOST}
      USER: ${file(./config.yml):${opt:stage}.USER}
      PASS: ${file(./config.yml):${opt:stage}.PASS}
      FOLDER: ${file(./config.yml):${opt:stage}.FOLDER}
SampleBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket:
      Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
    PolicyDocument:
      Statement:
        -
          Action:
            - "s3:putObject"
          Effect: "Deny"
          Resource:
            Fn::Join:
              - ""
              -
                - "arn:aws:s3:::"
                -
                  Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                - "/*"
          Principal: "*"
          Condition:
            NotResource:
              Fn::Join:
                - ""
                -
                  - "arn:aws:s3:::"
                  -
                    Ref: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
                  - "/*.pdf"
```
but the bucket policies are not updated when I deploy my function.
What am I missing?
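For comparison, here is a corrected `serverless.yml` for the setup described above. It is an added example, not the poster's file or anything from the Serverless project, and it changes three things that keep the original from working: the `AWS::S3::BucketPolicy` is moved under `resources.Resources`, which is the only place the Serverless Framework reads raw CloudFormation resources from (a resource at the top level or inside `functions` is silently ignored, which is why the policy never appears); `Ref` is dropped, because `Ref` takes a CloudFormation logical ID, not a literal bucket name; and `NotResource` becomes a statement-level element, since it is not a `Condition` key. The `config.yml` keys and the `HOST`/`USER`/`PASS`/`FOLDER` values are taken from the post; the `Sid` names and the `.pdf` suffix rule on the event are my additions.

```yaml
service: filetype

provider:
  name: aws
  runtime: go1.x
  stage: ${opt:stage}
  region: ${file(./config.yml):${opt:stage}.REGION}
  environment:
    AIPS_UPLOADS_BUCKET: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
  iamRoleStatements:
    # Least privilege for the function: it only reads the uploaded objects.
    # Users get their s3:PutObject allow on their own IAM identities (not here);
    # the bucket policy below only narrows what they may upload.
    - Effect: Allow
      Action:
        - s3:GetObject
      Resource: arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*

package:
  exclude:
    - ./**
  include:
    - ./filetype

functions:
  aips:
    handler: filetype
    memorySize: 128
    timeout: 40
    events:
      - s3:
          bucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
          event: s3:ObjectCreated:*
          # Added: only invoke the function for the file type the policy allows.
          rules:
            - suffix: .pdf
    environment:
      HOST: ${file(./config.yml):${opt:stage}.HOST}
      USER: ${file(./config.yml):${opt:stage}.USER}
      PASS: ${file(./config.yml):${opt:stage}.PASS}
      FOLDER: ${file(./config.yml):${opt:stage}.FOLDER}

resources:
  Resources:
    # Raw CloudFormation goes here; this is what the framework merges into the stack.
    UploadsBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        # A plain bucket name, not Ref. The s3 event above makes the framework
        # create the bucket in the same stack, so on a first deploy add
        # "DependsOn: <logical id of that bucket>" (the framework derives the id
        # from the bucket name) to make sure the bucket exists before the policy.
        Bucket: ${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Explicit deny wins over any allow, so every principal, including the
            # account's own admins, is blocked from uploading anything but *.pdf.
            - Sid: DenyNonPdfUploads
              Effect: Deny
              Principal: "*"
              Action: s3:PutObject
              NotResource: arn:aws:s3:::${file(./config.yml):${opt:stage}.AIPS_UPLOADS_BUCKET}/*.pdf
```

Two caveats when checking this after `sls deploy`: the key match is on the object name only, so `report.PDF` is denied by this policy (add a second pattern if that is unwanted) and nothing inspects the file's actual content, so a `.pdf` key can still hold arbitrary bytes; if the function cares about the real type, it should validate the object it reads rather than trust the suffix. You can confirm the policy landed with `aws s3api get-bucket-policy --bucket <name>`.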