fix: ingestor role to have s3 access (#387)

NASA-IMPACT · Jun 6, 2024 · 8863d92 · 8863d92
1 parent 151edec
commit 8863d92
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/ingest_api/infrastructure/config.py b/ingest_api/infrastructure/config.py
@@ -1,5 +1,5 @@
 from getpass import getuser
-from typing import Optional
+from typing import List, Optional
 
 import aws_cdk
 from pydantic import AnyHttpUrl, BaseSettings, Field, constr
@@ -8,6 +8,15 @@
 
 
 class IngestorConfig(BaseSettings):
+    # S3 bucket names where TiTiler could do HEAD and GET Requests
+    # specific private and public buckets MUST be added if you want to use s3:// urls
+    # You can whitelist all bucket by setting `*`.
+    # ref: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-arn-format.html
+    buckets: List = ["*"]
+
+    # S3 key pattern to limit the access to specific items (e.g: "my_data/*.tif")
+    key: str = "*"
+
     stage: str = Field(
         description=" ".join(
             [

diff --git a/ingest_api/infrastructure/construct.py b/ingest_api/infrastructure/construct.py
@@ -81,6 +81,14 @@ def __init__(
 
         # create lambda
         self.api_lambda = self.build_api_lambda(**build_api_lambda_params)
+        self.api_lambda.add_to_role_policy(
+            iam.PolicyStatement(
+                actions=["s3:GetObject"],
+                resources=[
+                    f"arn:aws:s3:::{bucket}/{config.key}" for bucket in config.buckets
+                ],
+            )
+        )
 
         # create API
         self.api: aws_apigatewayv2_alpha.HttpApi = self.build_api(