From a08bee9473e2875ef6968c533143bcd04ed180e8 Mon Sep 17 00:00:00 2001
From: emileten
Date: Wed, 5 Jul 2023 16:15:46 +0900
Subject: [PATCH] add comments regarding the need for the trust relationship to be manually established if the data access role is injected, and if not injected move the creation of the trust relationship policy to after the stac ingestor creation to be able to use the exact arn
---
 cdk_eoapi/pgStacInfra.py | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/cdk_eoapi/pgStacInfra.py b/cdk_eoapi/pgStacInfra.py
index 0854e53..0dd3920 100644
--- a/cdk_eoapi/pgStacInfra.py
+++ b/cdk_eoapi/pgStacInfra.py
@@ -99,6 +99,8 @@ def __init__(
 )
 if data_access_role_arn:
+ # importing provided role from arn.
+ # the stac ingestor will try to assume it when called, so it must be listed in the data access role trust policy.
 data_access_role = aws_iam.Role.from_role_arn(
 self,
 "data-access-role",
@@ -106,9 +108,6 @@ def __init__(
 )
 else:
 data_access_role = self._create_data_access_role()
- data_access_role = self._grant_assume_role_with_principal_pattern(
- data_access_role, f"*{self.stack_name}*ingestor*"
- )
 # beware, there is a limit in the number of characters a role can have (64) and AWS automatically truncates the role ARN if it's too long.
 stac_ingestor_env = {"REQUESTER_PAYS": "True"}
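Review bot: The comment added under `if data_access_role_arn:` says the ingestor must be listed in the injected role's trust policy but never names the principal, so an operator cannot set the trust relationship up correctly from this file alone; the non-injected path in the second hunk of this commit trusts `stac_ingestor.handler_role.role_name`, and the injected path should point at that same principal. Nothing here validates the imported role's trust policy, so a missing entry is not caught at deploy time and presumably only surfaces when the ingestor first calls AssumeRole at runtime. Suggest replacing the two comment lines with `# Imported role: CDK does not manage its trust policy. It must already allow sts:AssumeRole from the stac ingestor handler role (stac_ingestor.handler_role, created below), otherwise ingestion fails at runtime rather than at deploy time.` and documenting that exact principal for operators. `__init__` starts before this hunk and continues past it.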
@@ -129,25 +128,38 @@ def __init__(
 ),
 api_env=stac_ingestor_env,
 )
+
+ # we can only do that if the role is created here. If injecting a role, that role's trust relationship must be already set up, or set up after this deployment.
+ if not data_access_role_arn:
+ data_access_role = self._grant_assume_role_with_principal_pattern(data_access_role, stac_ingestor.handler_role.role_name)
 def _create_data_access_role(self) -> aws_iam.Role:
+ """
- Creates basic data access role
+ Creates an IAM role with full S3 read access.
 """
- return aws_iam.Role(
+ data_access_role = aws_iam.Role(
 self,
 "data-access-role",
 assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
 )
+
+ data_access_role.add_to_policy(aws_iam.PolicyStatement(
+ actions=[
+ "s3:Get*",
+ ],
+ resources=["*"],
+ effect=aws_iam.Effect.ALLOW,
+ ))
+ return data_access_role
 def _grant_assume_role_with_principal_pattern(
- self, role_to_assume: aws_iam.Role, principal_pattern: str
+ self, role_to_assume: aws_iam.Role, principal_pattern: str, account_id: str = boto3.client("sts").get_caller_identity().get("Account")
 ) -> aws_iam.Role:
 """
- Grants assume role permissions to the role with the given pattern in the current account
+ Grants assume role permissions to the role of the given account with the given name pattern. Default account is the current account.
 """
- account_id = boto3.client("sts").get_caller_identity().get("Account")
 role_to_assume.assume_role_policy.add_statements(
 aws_iam.PolicyStatement(