Should buckets created by event specification have Read permissions?

Hey there,

I have set up basic S3 events as per the example:

    handler: users.handler
      - s3:
          bucket: photos
          event: s3:ObjectCreated:*

Events work but is it assumed that the Lambda role should also have List/Get permissions to this bucket?

At the moment I have to manually attach a custom policy to the role to allow the function to download objects from this bucket.

When I tried adding the required bucket policy to the Resources section of serverless.yml I get a Circular Reference error from CF, e.g.

The CloudFormation template is invalid: Circular dependency between resources…

Is there a way to add these permissions without having to manually attach the policy?

When you say “manually” are you going into the console after deploying and making the adjustment there?

You could give the function the relevant permissions by setting the iamRoleStatements inside your serverless.yml.