add comments regarding the need for the trust relationship to be manu…

…ally established if the data access role is injected, and if not injected move the creation of the trust relationship policy to after the stac ingestor creation to be able to use the exact arn
developmentseed · Jul 5, 2023 · a08bee9 · a08bee9
1 parent ef7a2f3
commit a08bee9
Showing 1 changed file with 20 additions and 8 deletions.
diff --git a/cdk_eoapi/pgStacInfra.py b/cdk_eoapi/pgStacInfra.py
@@ -99,16 +99,15 @@ def __init__(
         )
 
         if data_access_role_arn:
+            # importing provided role from arn. 
+            # the stac ingestor will try to assume it when called, so it must be listed in the data access role trust policy.
             data_access_role = aws_iam.Role.from_role_arn(
                 self,
                 "data-access-role",
                 role_arn=data_access_role_arn,
             )
         else:
             data_access_role = self._create_data_access_role()
-            data_access_role = self._grant_assume_role_with_principal_pattern(
-                data_access_role, f"*{self.stack_name}*ingestor*"
-            )  # beware, there is a limit in the number of characters a role can have (64) and AWS automatically truncates the role ARN if it's too long.
 
         stac_ingestor_env = {"REQUESTER_PAYS": "True"}
 
@@ -129,25 +128,38 @@ def __init__(
             ),
             api_env=stac_ingestor_env,
         )
+
+        # we can only do that if the role is created here. If injecting a role, that role's trust relationship must be already set up, or set up after this deployment.
+        if not data_access_role_arn:
+            data_access_role = self._grant_assume_role_with_principal_pattern(data_access_role, stac_ingestor.handler_role.role_name)
 
     def _create_data_access_role(self) -> aws_iam.Role:
+
         """
-        Creates basic data access role
+        Creates an IAM role with full S3 read access.
         """
 
-        return aws_iam.Role(
+        data_access_role = aws_iam.Role(
             self,
             "data-access-role",
             assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
         )
+
+        data_access_role.add_to_policy(aws_iam.PolicyStatement(
+            actions=[
+                "s3:Get*",
+            ],
+            resources=["*"],
+            effect=aws_iam.Effect.ALLOW,
+        ))
+        return data_access_role
 
     def _grant_assume_role_with_principal_pattern(
-        self, role_to_assume: aws_iam.Role, principal_pattern: str
+        self, role_to_assume: aws_iam.Role, principal_pattern: str, account_id: str = boto3.client("sts").get_caller_identity().get("Account")
     ) -> aws_iam.Role:
         """
-        Grants assume role permissions to the role with the given pattern in the current account
+        Grants assume role permissions to the role of the given account with the given name pattern. Default account is the current account. 
         """
-        account_id = boto3.client("sts").get_caller_identity().get("Account")
 
         role_to_assume.assume_role_policy.add_statements(
             aws_iam.PolicyStatement(