Developing software in the Real World

Circular dependencies in AWS SAM Policies

I’m trying to tighten up the policies of my AWS Lambda function so that it only has access to the one S3 bucket that it needs, so I added an S3CrudPolicy with the BucketName referencing the bucket that’s defined in the template.

The relevant part of template.yaml looks like this:

However, this creates an error:

(Who is this waiter anyway? This isn’t a restaurant!)


To solve this, instead of referencing ImageBucket in the BucketName of the S3CrudPolicy, we can put the bucket name in directly. This is not the ARN, just the name, so we can do:

This works because a literal string in BucketName creates no dependency on the ImagesBucket resource itself, so CloudFormation can order the resources without a cycle.
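A sketch of a template with this fix applied, added here as an illustration and not the original template from this post. It assumes the function is also triggered by S3 events from the same bucket, which is one common way the cycle arises; the function name, event name, code paths, runtime and bucket naming scheme are all hypothetical.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  ImagesBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Explicit name built only from pseudo parameters (constructed scheme).
      # Bucket names are global and lowercase, so the stack name must be
      # lowercase and short enough to stay within 63 characters.
      BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-images'

  ImageFunction:                 # hypothetical function name
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/              # placeholder path
      Handler: app.handler       # placeholder handler
      Runtime: python3.12
      Policies:
        - S3CrudPolicy:
            # Cyclic form:  BucketName: !Ref ImagesBucket
            #   bucket notification -> function -> role -> bucket
            # Acyclic form: the same name as a string. !Sub over pseudo
            # parameters references no resource, so no dependency is added.
            BucketName: !Sub '${AWS::StackName}-${AWS::AccountId}-images'
      Events:
        ImageUploaded:           # hypothetical event name
          Type: S3
          Properties:
            # The S3 event source must still !Ref a bucket in this template.
            Bucket: !Ref ImagesBucket
            Events: s3:ObjectCreated:*
```

The policy stays scoped to the one bucket, but the two name strings must be kept identical by hand: if they drift apart, the role silently grants access to a bucket name the stack does not own.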
