amplify-backend
Add support for GetObjectVersion of generated AWS IAM role permissions on AWS S3 bucket
Environment information
System:
OS: macOS 15.3.2
CPU: (11) arm64 Apple M3 Pro
Memory: 509.34 MB / 18.00 GB
Shell: /bin/zsh
Binaries:
Node: 23.7.0 - /opt/homebrew/bin/node
Yarn: undefined - undefined
npm: 11.1.0 - /opt/homebrew/bin/npm
pnpm: undefined - undefined
NPM Packages:
@aws-amplify/auth-construct: 1.6.0
@aws-amplify/backend: 1.14.1
@aws-amplify/backend-ai: Not Found
@aws-amplify/backend-auth: 1.5.0
@aws-amplify/backend-cli: 1.4.11
@aws-amplify/backend-data: 1.4.0
@aws-amplify/backend-deployer: 1.1.18
@aws-amplify/backend-function: 1.12.2
@aws-amplify/backend-output-schemas: 1.4.0
@aws-amplify/backend-output-storage: 1.1.4
@aws-amplify/backend-secret: 1.1.6
@aws-amplify/backend-storage: 1.2.4
@aws-amplify/cli-core: 1.3.0
@aws-amplify/client-config: 1.5.7
@aws-amplify/data-construct: 1.14.5
@aws-amplify/data-schema: 1.17.2
@aws-amplify/deployed-backend-client: 1.5.1
@aws-amplify/form-generator: 1.0.4
@aws-amplify/model-generator: 1.0.12
@aws-amplify/platform-core: 1.6.3
@aws-amplify/plugin-types: 1.8.0
@aws-amplify/sandbox: 1.2.11
@aws-amplify/schema-generator: 1.2.7
aws-amplify: 6.13.4
aws-cdk: 2.1003.0
aws-cdk-lib: 2.182.0
typescript: 5.8.2
No AWS environment variables
No CDK environment variables
Describe the feature
The application that uses this AWS Amplify Gen 2 backend infrastructure calls AWS S3 API operations such as GetObjectVersion in order to fetch a specific version of an object stored in an AWS S3 bucket.
This is part of our security and recovery compliance requirements, under which versioning is enabled on the AWS S3 buckets; the application also relies on it to ensure consistency by selecting the object version that existed at a given point in time.
Each time AWS Amplify Gen 2 deploys the backend resources, we have a manual step to edit the corresponding AWS IAM roles of authorized users in order to add permission for the s3:GetObjectVersion action.
This feature request is for the 'read' permission defined in the storage resource description (i.e. amplify/storage/resource.ts) to also cover the s3:GetObjectVersion action.
Additionally, consider extending the 'delete' permission to cover the s3:DeleteObjectVersion action.
Use case
Given the following storage resource description (i.e. amplify/storage/resource.ts):

```ts
import { defineStorage } from '@aws-amplify/backend';

export const storage = defineStorage({
  name: 'neuroservo-horizon',
  access: (allow) => ({
    'folder/*': [allow.authenticated.to(['read', 'write', 'delete'])],
  }),
});
```
The generated AWS IAM role for authorized users should either widen the s3:GetObject action to s3:GetObject* or explicitly add an entry for the s3:GetObjectVersion action:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::amplify-d2zdmmwwl4xuox-de-neuroservohorizonbucket0-ylbwkptfg1ki/recordings/*",
      "Effect": "Allow"
    },
    ....
}
```
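As an added example (not amplify-backend's own code), a small TypeScript checker that evaluates a generated role policy against the S3 object-read actions, which makes the difference between the two options visible: `s3:GetObject*` also sweeps in ACL, tagging, attribute and torrent reads, whereas an explicit `s3:GetObjectVersion` entry grants only what the application needs. The bucket ARN, the sample policies and the (non-exhaustive) action list are constructed for this example.

```typescript
// Added example (not amplify-backend code): a minimal IAM policy evaluator used to
// check which S3 object actions a generated role policy actually grants.
type Statement = { Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[] };
type PolicyDocument = { Version: string; Statement: Statement[] };

// Turn an IAM wildcard pattern ("*" any run, "?" one char) into an anchored regex.
// Action names match case-insensitively in IAM; ARNs are compared case-sensitively.
function iamGlob(pattern: string, ignoreCase: boolean): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters except * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "");
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// True if the policy allows `action` on `resource`; an explicit Deny wins, as in IAM.
function policyAllows(doc: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const s of doc.Statement) {
    const actionHit = asList(s.Action).some((p) => iamGlob(p, true).test(action));
    const resourceHit = asList(s.Resource).some((p) => iamGlob(p, false).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Some object-level S3 read actions (not exhaustive) that "s3:GetObject*" would match.
const S3_GET_OBJECT_ACTIONS = [
  "s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:GetObjectVersionAcl",
  "s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:GetObjectAttributes", "s3:GetObjectTorrent",
];

function grantedGetObjectActions(doc: PolicyDocument, resource: string): string[] {
  return S3_GET_OBJECT_ACTIONS.filter((a) => policyAllows(doc, a, resource));
}

// Constructed sample policies; the bucket name is a placeholder, not the one from the issue.
const PREFIX = "arn:aws:s3:::amplify-EXAMPLE-bucket/recordings/*";
const wildcardPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "s3:GetObject*", Resource: PREFIX }],
};
const explicitPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:GetObjectVersion"], Resource: PREFIX }],
};
```

Running `grantedGetObjectActions` over both policies shows the wildcard form granting all eight listed actions and the explicit form granting exactly two, so the explicit entry is the least-privilege choice of the two options above.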