AwsCustomResource: automatic policy fails if API call name is different from IAM name #19355

@caojoshua

Description

What is the problem?

By default, AwsCustomResource SDK calls for (get|put)BucketLifecycleConfiguration grant the executor role s3:(Get|Put)BucketLifecycleConfiguration. The correct permissions should be s3:(Get|Put)LifecycleConfiguration (notice the lack of "Bucket"). I believe that the error is from this code.

Reproduction Steps

import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources';

new AwsCustomResource(this, physicalId, {
  // Policy is derived from the SDK call names below: the action name is capitalised
  // and prefixed with the service, which yields s3:GetBucketLifecycleConfiguration.
  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
  onUpdate: {
    service: 'S3',
    action: 'getBucketLifecycleConfiguration', // or 'putBucketLifecycleConfiguration'
    parameters: {
      ...
    },
    physicalResourceId: PhysicalResourceId.of(physicalId),
  },
});

This custom resource will get an AccessDenied response. As a workaround, we can specify a policy that explicitly gives the correct permissions, s3:(Get|Put)LifecycleConfiguration.

import * as iam from '@aws-cdk/aws-iam';

// Replaces the fromSdkCalls policy above with an explicit statement naming the
// IAM actions the S3 API actually checks.
policy: AwsCustomResourcePolicy.fromStatements([
  new iam.PolicyStatement({
    sid: 'foo',
    effect: iam.Effect.ALLOW,
    actions: ['s3:GetLifecycleConfiguration', 's3:PutLifecycleConfiguration'],
    resources: ['bar'], // placeholder; scope to the bucket ARN in practice
  }),
]),

What did you expect to happen?

SDK calls should work as normal.

What actually happened?

Access Denied response.

CDK CLI Version

1.145.0

Framework Version

No response

Node.js Version

v14.19.0

OS

Amazon Linux

Language

Typescript

Language Version

No response

Other information

No response
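The mismatch the issue describes, worked through as an added TypeScript example that is not code from the issue, nor CDK's own implementation: a simplified model of deriving an IAM action from an SDK call name (lower-case service prefix plus the method name with its first letter capitalised, assumed here as an approximation of what fromSdkCalls does), an override table holding the two lifecycle calls from this issue, an audit helper that reports which calls the naive rule would get wrong, and a statement builder that uses the corrected names. The override table, the function names and the sample calls are assumptions for illustration.

```typescript
// Added example (not CDK's own code): models how a policy derived from SDK call
// names can miss the real IAM action, and how a small override table repairs it.
// The "capitalise the first letter" rule is an assumed approximation of
// fromSdkCalls, used here for illustration only.

interface SdkCall {
  service: string; // SDK service name as given to AwsCustomResource, e.g. 'S3'
  action: string;  // SDK method name, e.g. 'getBucketLifecycleConfiguration'
}

// Calls whose IAM action name differs from the SDK method name. Only the pair
// from this issue is listed (assumed table); anything else uses the naive rule.
const IAM_ACTION_OVERRIDES: Record<string, string> = {
  's3:getBucketLifecycleConfiguration': 's3:GetLifecycleConfiguration',
  's3:putBucketLifecycleConfiguration': 's3:PutLifecycleConfiguration',
};

// Naive derivation: lower-case service prefix plus the SDK method with its
// first letter upper-cased. Right for most calls, wrong for the ones above.
function naiveIamAction(call: SdkCall): string {
  const method = call.action.charAt(0).toUpperCase() + call.action.slice(1);
  return `${call.service.toLowerCase()}:${method}`;
}

// Derivation that consults the override table before falling back.
function iamActionForSdkCall(call: SdkCall): string {
  const key = `${call.service.toLowerCase()}:${call.action}`;
  return IAM_ACTION_OVERRIDES[key] ?? naiveIamAction(call);
}

interface Mismatch {
  call: string;     // 'Service:method' as written in the custom resource
  derived: string;  // what the naive rule would grant
  required: string; // what the API actually checks
}

// Audit: which calls would the naive rule grant the wrong action for?
// Run this over every custom-resource call in a stack before deploying.
function findMismatches(calls: SdkCall[]): Mismatch[] {
  const out: Mismatch[] = [];
  for (const c of calls) {
    const derived = naiveIamAction(c);
    const required = iamActionForSdkCall(c);
    if (derived !== required) {
      out.push({ call: `${c.service}:${c.action}`, derived, required });
    }
  }
  return out;
}

// Build one Allow statement (plain JSON shape) for a set of calls, using the
// corrected action names, de-duplicated and sorted for stable diffs.
function policyStatementFor(calls: SdkCall[], resources: string[]) {
  const actions = Array.from(new Set(calls.map((c) => iamActionForSdkCall(c)))).sort();
  return { Effect: 'Allow', Action: actions, Resource: resources };
}

// Constructed input: the two calls from the issue plus one that the naive rule
// handles correctly.
const exampleCalls: SdkCall[] = [
  { service: 'S3', action: 'getBucketLifecycleConfiguration' },
  { service: 'S3', action: 'putBucketLifecycleConfiguration' },
  { service: 'S3', action: 'getBucketVersioning' },
];

console.log(JSON.stringify(findMismatches(exampleCalls), null, 2));
console.log(JSON.stringify(policyStatementFor(exampleCalls, ['*']), null, 2));
```

The audit helper is the part worth keeping around: the generated policy looks plausible on the console, and the only signal that it is wrong is an AccessDenied at deploy time, so checking the derived names against a list of known exceptions before synthesis is cheaper than debugging the custom resource's Lambda logs afterwards.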

Metadata

Labels

@aws-cdk/aws-iam: Related to AWS Identity and Access Management
bug: This issue is a bug.
closed-for-staleness: This issue was automatically closed because it hadn't received any attention in a while.
effort/medium: Medium work item – several days of effort
p2