diff --git a/controlpanel/api/aws.py b/controlpanel/api/aws.py
index 204a993dd..f610ce94f 100644
--- a/controlpanel/api/aws.py
+++ b/controlpanel/api/aws.py
@@ -106,19 +106,16 @@ def iam_arn(resource, account=settings.AWS_ACCOUNT_ID):
 's3:ListBucket',
 ],
 'Effect': 'Allow',
- 'Resource': [],
 },
 'readonly': {
 'Sid': 'readonly',
 'Action': READ_ACTIONS,
 'Effect': 'Allow',
- 'Resource': [],
 },
 'readwrite': {
 'Sid': 'readwrite',
 'Action': READ_ACTIONS + WRITE_ACTIONS,
 'Effect': 'Allow',
- 'Resource': [],
 },
 }
 
diff --git a/tests/api/test_aws.py b/tests/api/test_aws.py
index 1efb46a13..61c005727 100644
--- a/tests/api/test_aws.py
+++ b/tests/api/test_aws.py
@@ -308,6 +308,14 @@ def test_grant_bucket_access(iam, users, resources):
 else:
 assert bucket_arn in statements['list']['Resource']
 
+ aws.grant_bucket_access(user.iam_role_name, f'{bucket_arn}-2', 'readonly')
+ policy.reload()
+ statements = get_statements_by_sid(policy.policy_document)
+ expected_num_resources = 2
+ if path_arns:
+ expected_num_resources = len(path_arns) + 1
+ assert len(statements['readonly']['Resource']) == expected_num_resources
+
 
 @pytest.mark.parametrize(
 'resources',
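Review bot: Dropping `'Resource': []` from the three statement templates leaves no hint of where a statement's resource list now comes from, and the definition holding these templates starts outside the hunk (the `def iam_arn` in the hunk header is only the nearest preceding function). If the motivation is that a list literal inside a module-level dict is one shared object, so every grant that appended to it would accumulate ARNs across policies, record that on the template, e.g. `# No 'Resource' key on purpose: a list literal here is one object shared by every caller, so each grant must build its own list.` Any code that still does `statement['Resource'].append(...)` on a copy of this template will now raise KeyError instead of growing a shared list, which is the safer failure, but the caller (presumably grant_bucket_access) is not in this diff and should be checked to set the key first.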
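Review bot: The final added assertion only checks how many resources the readonly statement holds, not which ones, so a policy that kept the second bucket and lost the first, or held an unrelated ARN, would still pass. Add `assert f'{bucket_arn}-2' in statements['readonly']['Resource']` next to the count and keep a membership check for whatever the first grant stored; `expected_num_resources = len(path_arns) + 1` also presumes the first grant put every path ARN into the readonly statement, which the hunk does not show. The body of test_grant_bucket_access starts outside the hunk. If the count is guarding against resources accumulating across grants, a second grant to a different user's role followed by an assertion that the first role's policy did not grow would pin that more directly.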