I am using Serverless Framework and I get access denied errors when I try to access Signed URLs on private-bucket for GET and PUT with the config below. However, when I grant * for Resource under iam.role.statements[0].Resource (instead of explicitly referencing private-bucket), it works perfectly fine. What am I doing wrong, and what is the best way to make this work without having to give permissions on '*' and just private-bucket instead?
provider:
  name: aws
  runtime: nodejs12.x
  lambdaHashingVersion: '20201221'
  iam:
    role:
      statements:
        - Effect: 'Allow'
          Action:
            - 's3:GetObject'
            - 's3:PutObject'
          Resource:
            - Fn::GetAtt:
                - PrivateBucket
                - Arn
resources:
  Resources:
    PrivateBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Retain
      Properties:
        BucketName: private-bucket
        OwnershipControls:
          Rules:
            - ObjectOwnership: BucketOwnerEnforced
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true
        CorsConfiguration:
          CorsRules:
            - AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
              AllowedOrigins:
                - '*'
CodePudding user response:
You need to allow the bucket and its objects as resources.
Try to add the resource permissions in the following way:
Resource:
  - !Sub arn:aws:s3:::${PrivateBucket}    # the bucket itself (bucket-level actions)
  - !Sub arn:aws:s3:::${PrivateBucket}/*  # every object in it (GetObject, PutObject)
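The checker below is an added example, not code from the question or the answer. It encodes why the original statement fails: s3:GetObject and s3:PutObject are evaluated against object ARNs (bucket ARN plus a key), so a presigned URL signed with the Lambda role's credentials is denied when the role only holds the bare bucket ARN, and it also shows why Resource '*' worked. It assumes the Fn::GetAtt in the question resolves to arn:aws:s3:::private-bucket.

```python
"""Lint an S3 IAM statement for actions that no granted Resource ARN can match.
Added example; assumes Fn::GetAtt PrivateBucket.Arn resolves to arn:aws:s3:::private-bucket."""
from fnmatch import fnmatch

# Actions S3 evaluates against an object ARN (arn:aws:s3:::bucket/key)
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:GetObjectAcl", "s3:PutObjectAcl"}
# Actions S3 evaluates against the bucket ARN (arn:aws:s3:::bucket)
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn):
    """'*' covers everything; otherwise an object ARN has a key part after the bucket."""
    return arn == "*" or "/" in arn.split(":::", 1)[-1]


def _expand(action_patterns, known):
    """Resolve patterns such as 's3:*' or 's3:Get*' against a set of known actions."""
    return {a for a in known if any(fnmatch(a, p) for p in action_patterns)}


def find_resource_mismatches(statement):
    """Return one finding per action that no entry in Resource can ever match."""
    patterns = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    has_object = any(_is_object_arn(r) for r in resources)
    has_bucket = any(r == "*" or not _is_object_arn(r) for r in resources)
    findings = []
    for action in sorted(_expand(patterns, OBJECT_ACTIONS)):
        if not has_object:
            findings.append(f"{action}: needs an object ARN (bucket ARN + '/*')")
    for action in sorted(_expand(patterns, BUCKET_ACTIONS)):
        if not has_bucket:
            findings.append(f"{action}: needs the bare bucket ARN")
    return findings


# Constructed statements: the question's (bucket ARN only) and the answer's fix
BROKEN = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": ["arn:aws:s3:::private-bucket"]}
FIXED = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::private-bucket", "arn:aws:s3:::private-bucket/*"]}

if __name__ == "__main__":
    print(find_resource_mismatches(BROKEN))  # one finding per action
    print(find_resource_mismatches(FIXED))   # []
```

Run it against a rendered serverless.yml (after CloudFormation has resolved the intrinsics) to catch the bucket-ARN-only pattern before deploying.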