
Commit 913c64b

committed
Allow iam:GetUser to users to fix s3 resource
1 parent 96ffa7f commit 913c64b


2 files changed

+114
-117
lines changed


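--- a/provider/aws/formation/rack.json
+++ b/provider/aws/formation/rack.json
@@ -3895,7 +3895,8 @@
 { "Fn::Sub": "arn:${AWS::Partition}:iam::*:instance-profile/*" },
 { "Fn::Sub": "arn:${AWS::Partition}:iam::*:policy/*" },
 { "Fn::Sub": "arn:${AWS::Partition}:iam::*:role/*" },
-{ "Fn::Sub": "arn:${AWS::Partition}:iam::*:user/convox/*" }
+{ "Fn::Sub": "arn:${AWS::Partition}:iam::*:user/convox/*" },
+{ "Fn::Sub": "arn:${AWS::Partition}:iam::*:user/*" }
 ]
 },
 {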
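Review bot: The new `arn:${AWS::Partition}:iam::*:user/*` entry widens this statement's Resource list from users under `/convox/` to every IAM user in any account of the partition, while the commit title only asks for `iam:GetUser`; the statement's Action list sits outside the hunk, so if it grants more than GetUser — the sibling `instance-profile/*`, `policy/*` and `role/*` entries suggest a management policy — the rack can now act on users it does not own. Put the read-only permission in its own statement instead, `{ "Effect": "Allow", "Action": "iam:GetUser", "Resource": { "Fn::Sub": "arn:${AWS::Partition}:iam::*:user/*" } }`, and leave the existing statement scoped to `user/convox/*`. If the rack only needs to resolve users in its own account, `${AWS::AccountId}` in place of the account wildcard narrows it further. The enclosing statement begins and ends outside the hunk.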
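--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,136 +1,132 @@
 {{ define "resource" }}
-{
-"AWSTemplateFormatVersion" : "2010-09-09",
-"Conditions": {
-"Topic": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "Topic" }, "" ] } ] },
-"Versioning": { "Fn::Equals": [ { "Ref": "Versioning" }, "true" ] }
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Conditions": {
+"Topic": { "Fn::Not": [ { "Fn::Equals": [ { "Ref": "Topic" }, "" ] } ] },
+"Versioning":{ "Fn::Equals": [ { "Ref": "Versioning" }, "true" ] }
+},
+
+"Parameters": {
+"Topic": {
+"Type": "String",
+"Default": "",
+"Description": "SNS resource name for change notifications"
 },
-"Parameters": {
-"Topic": {
-"Type" : "String",
-"Default": "",
-"Description" : "SNS resource name for change notifications"
-},
-"Versioning": {
-"Type" : "String",
-"Default": "false",
-"Description" : "Enable versioning"
-}
-},
-"Resources": {
-"Bucket": {
-"Type": "AWS::S3::Bucket",
-"Properties": {
-"AccessControl": "Private",
-"OwnershipControls": {
-"Rules": [
-{
-"ObjectOwnership": "BucketOwnerPreferred"
-}
-]
-},
-"BucketEncryption": {
-"ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms" } } ]
-},
-"BucketName": { "Ref": "AWS::StackName" },
-"NotificationConfiguration": {
-"Fn::If": [ "Topic",
-{
-"TopicConfigurations": [
-{
-"Event": "s3:ObjectCreated:*",
-"Topic": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" }
-},
-{
-"Event": "s3:ObjectRemoved:*",
-"Topic": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" }
-}
-]
-},
-{ "Ref" : "AWS::NoValue" }
-]
-},
-"VersioningConfiguration": { "Fn::If": [ "Versioning",
-{ "Status": "Enabled" },
-{ "Ref": "AWS::NoValue" }
-] },
-"Tags": [
+"Versioning": {
+"Type": "String",
+"Default": "false",
+"Description": "Enable versioning"
+}
+},
+"Resources": {
+"Bucket": {
+"Type": "AWS::S3::Bucket",
+"Properties": {
+"AccessControl": "Private",
+"OwnershipControls": { "Rules": [ { "ObjectOwnership": "BucketOwnerPreferred" } ] },
+"BucketEncryption": {
+"ServerSideEncryptionConfiguration": [
+{ "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms" } }
+]
+},
+"BucketName": { "Ref": "AWS::StackName" },
+"NotificationConfiguration": {
+"Fn::If": [ "Topic",
+{
+"TopicConfigurations": [
+{
+"Event": "s3:ObjectCreated:*",
+"Topic": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" }
+},
+{
+"Event": "s3:ObjectRemoved:*",
+"Topic": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" }
+}
+]
+},
+{ "Ref" : "AWS::NoValue" }
+]
+},
+"VersioningConfiguration": { "Fn::If": [ "Versioning",
+{ "Status": "Enabled" },
+{ "Ref": "AWS::NoValue" }
+] },
+"Tags": [
 {{/*
 HACK: Referencing TopicPolicy for a tag implicitly creates the TopicPolicy before the Bucket.
 This fixes a Bucket provisioning error when it can't validate permissions on the topic.
 This is a workaround since DependsOn must be static and will error on conditional Resources that don't exist.
 */}}
-{ "Fn::If": ["Topic",
-{ "Key": "TopicPolicy", "Value": { "Ref": "TopicPolicy" } },
-{ "Ref": "AWS::NoValue" }
-]}
-]
-}
-},
-"TopicPolicy": {
-"Condition": "Topic",
-"Type": "AWS::SNS::TopicPolicy",
-"Properties" : {
-"PolicyDocument" : {
-"Version": "2008-10-17",
-"Id": "SNSTopicPolicy",
-"Statement": [{
-"Sid": "1",
-"Effect": "Allow",
-"Principal": {
-"AWS": "*"
-},
-"Action": [
-"SNS:Publish"
-],
-"Resource": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" },
-"Condition": {
-"ArnLike": {
-"aws:SourceArn": { "Fn::Sub": "arn:${AWS::Partition}:s3:*:*:${AWS::StackName}" }
-}
+{ "Fn::If": [ "Topic",
+{ "Key": "TopicPolicy", "Value": { "Ref": "TopicPolicy" } },
+{ "Ref": "AWS::NoValue" }
+]}
+]
+}
+},
+"TopicPolicy": {
+"Condition": "Topic",
+"Type": "AWS::SNS::TopicPolicy",
+"Properties": {
+"PolicyDocument": {
+"Version": "2008-10-17",
+"Id": "SNSTopicPolicy",
+"Statement": [{
+"Sid": "AllowBucketPublish",
+"Effect": "Allow",
+"Principal": { "AWS": "*" },
+"Action": "SNS:Publish",
+"Resource": { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" },
+"Condition": {
+"ArnLike": {
+"aws:SourceArn": { "Fn::Sub": "arn:${AWS::Partition}:s3:*:*:${AWS::StackName}" }
 }
-}]
-},
-"Topics": [ { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" } ]
-}
-},
-"User": {
-"Type": "AWS::IAM::User",
-"Properties": {
-"Path": "/convox/",
-"Policies": [{
-"PolicyName" : "S3Access",
-"PolicyDocument" : {
-"Statement": [{
+}
+}]
+},
+"Topics": [ { "Fn::Sub": "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${Topic}" } ]
+}
+},
+"User": {
+"Type": "AWS::IAM::User",
+"Properties": {
+"Path": "/convox/",
+"Policies": [{
+"PolicyName": "S3Access",
+"PolicyDocument": {
+"Statement": [
+{
 "Effect": "Allow",
 "Action": "s3:ListBucket",
 "Resource": { "Fn::Sub": "arn:${AWS::Partition}:s3:::${AWS::StackName}" }
-},{
+},
+{
 "Effect": "Allow",
 "Action": "s3:*",
 "Resource": { "Fn::Sub": "arn:${AWS::Partition}:s3:::${AWS::StackName}/*" }
-}]
-}
-}]
-}
-},
-"AccessKey": {
-"Type": "AWS::IAM::AccessKey",
-"Properties": {
-"UserName": { "Ref": "User" }
-}
+}
+]
+}
+}]
 }
 },
-"Outputs": {
-"Bucket": {
-"Value": { "Ref": "Bucket" }
-},
-"AccessKey": {
-"Value": { "Ref": "AccessKey" }
-},
-"SecretAccessKey": {
-"Value": { "Fn::GetAtt": ["AccessKey", "SecretAccessKey"] }
+"AccessKey": {
+"Type": "AWS::IAM::AccessKey",
+"Properties": {
+"UserName": { "Ref": "User" }
 }
 }
+},
+"Outputs": {
+"Bucket": {
+"Value": { "Ref": "Bucket" }
+},
+"AccessKey": {
+"Value": { "Ref": "AccessKey" }
+},
+"SecretAccessKey": {
+"Value": { "Fn::GetAtt": [ "AccessKey", "SecretAccessKey" ] }
+}
 }
+}
 {{ end }}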
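Review bot: The topic policy's `"Principal": { "AWS": "*" }` (new line 77) still grants `SNS:Publish` to any principal and relies solely on the `aws:SourceArn` ArnLike condition to narrow it; that key is only populated for service-originated calls, and because the S3 pattern `arn:${AWS::Partition}:s3:*:*:${AWS::StackName}` carries no account, a bucket of the same name recreated in another account after this one is deleted would satisfy it. Name the calling service and pin the account: change the principal to `"Principal": { "Service": "s3.amazonaws.com" },` and add `"StringEquals": { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }` alongside the `ArnLike` block inside `Condition`. This commit only reformats that statement, so the gap predates it, but the rename to `AllowBucketPublish` is the natural moment to make the policy match its Sid.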
