remove read action from storage access rule outputs in favor of get a…

…nd list

packages/backend-output-schemas/src/storage/v1.ts

@@ -1,12 +1,6 @@
 import { z } from 'zod';
 
-const storageAccessActionEnum = z.enum([
-  'read',
-  'get',
-  'list',
-  'write',
-  'delete',
-]);
+const storageAccessActionEnum = z.enum(['get', 'list', 'write', 'delete']);
 
 const pathSchema = z.record(
   z.string(),

packages/backend-storage/src/private_types.ts

@@ -19,5 +19,5 @@ export type InternalStorageAction = Exclude<StorageAction, 'read'>;
 /**
  * Storage access types intended to be used to map storage access to storage outputs
  */
-export type StorageAccessConfig = Record<string, StorageAction[]>;
+export type StorageAccessConfig = Record<string, InternalStorageAction[]>;
 export type StorageAccessDefinitionOutput = Record<string, StorageAccessConfig>;

packages/backend-storage/src/storage_access_orchestrator.test.ts

@@ -767,10 +767,10 @@ void describe('StorageAccessOrchestrator', () => {
       );
       assert.deepStrictEqual(storageAccessDefinitionOutput, {
         'foo/bar/*': {
-          auth: ['read', 'get', 'list'],
+          auth: ['get', 'list'],
         },
         'other/baz/*': {
-          auth: ['read'],
+          auth: ['get', 'list'],
         },
       });
     });

packages/backend-storage/src/storage_access_orchestrator.ts

@@ -102,6 +102,16 @@ export class StorageAccessOrchestrator {
         // iterate over all of the access definitions for a given prefix
         const accessConfig: StorageAccessConfig = {};
         accessPermissions.forEach((permission) => {
+          // replace "read" with "get" and "list" in actions
+          const replaceReadWithGetAndList = permission.actions.flatMap(
+            (action) => (action === 'read' ? ['get', 'list'] : [action])
+          ) as InternalStorageAction[];
+
+          // ensure the actions list has no duplicates
+          const noDuplicateActions = Array.from(
+            new Set(replaceReadWithGetAndList)
+          );
+
           // iterate over all uniqueDefinitionIdValidations and ensure uniqueness within this path prefix
           permission.uniqueDefinitionIdValidations.forEach(
             ({ uniqueDefinitionId, validationErrorOptions }) => {
@@ -114,7 +124,7 @@ export class StorageAccessOrchestrator {
                 uniqueDefinitionIdSet.add(uniqueDefinitionId);
               }
 
-              accessConfig[uniqueDefinitionId] = permission.actions;
+              accessConfig[uniqueDefinitionId] = noDuplicateActions;
             }
           );
           // make the owner placeholder substitution in the s3 prefix
@@ -128,16 +138,6 @@ export class StorageAccessOrchestrator {
             ...accessConfig,
           };
 
-          // replace "read" with "get" and "list" in actions
-          const replaceReadWithGetAndList = permission.actions.flatMap(
-            (action) => (action === 'read' ? ['get', 'list'] : [action])
-          ) as InternalStorageAction[];
-
-          // ensure the actions list has no duplicates
-          const noDuplicateActions = Array.from(
-            new Set(replaceReadWithGetAndList)
-          );
-
           // set an entry that maps this permission to each resource acceptor
           permission.getResourceAccessAcceptors.forEach(
             (getResourceAccessAcceptor) => {

packages/client-config/API.md

@@ -46,7 +46,7 @@ type AmazonPinpointChannels_2 = 'IN_APP_MESSAGING' | 'FCM' | 'APNS' | 'EMAIL' |
 type AmazonPinpointChannels_3 = 'IN_APP_MESSAGING' | 'FCM' | 'APNS' | 'EMAIL' | 'SMS';
 
 // @public (undocumented)
-type AmplifyStorageAccessActions = 'read' | 'get' | 'list' | 'write' | 'delete';
+type AmplifyStorageAccessActions = 'get' | 'list' | 'write' | 'delete';
 
 // @public
 interface AmplifyStorageAccessRule {
@@ -473,7 +473,7 @@ export type CustomClientConfig = {
 export const DEFAULT_CLIENT_CONFIG_VERSION: ClientConfigVersion;
 
 // @public
-export const generateClientConfig: <T extends "0" | "1" | "1.1" | "1.2">(backendIdentifier: DeployedBackendIdentifier, version: T, awsClientProvider?: AWSClientProvider<{
+export const generateClientConfig: <T extends "1.2" | "1.1" | "1" | "0">(backendIdentifier: DeployedBackendIdentifier, version: T, awsClientProvider?: AWSClientProvider<{
     getS3Client: S3Client;
     getAmplifyClient: AmplifyClient;
     getCloudFormationClient: CloudFormationClient;

packages/client-config/src/client-config-contributor/client_config_contributor_v1.test.ts

@@ -542,7 +542,7 @@ void describe('storage client config contributor v1', () => {
         storageRegion: 'testRegion',
         paths: {
           'path/*': {
-            guest: ['read'],
+            guest: ['get'],
           },
         },
       }),
@@ -569,7 +569,7 @@ void describe('storage client config contributor v1', () => {
               aws_region: 'testRegion',
               paths: {
                 'path/*': {
-                  guest: ['read'],
+                  guest: ['get'],
                 },
               },
             },

packages/client-config/src/client-config-schema/client_config_v1.2.ts

@@ -46,12 +46,7 @@ export type AmazonPinpointChannels =
   | 'APNS'
   | 'EMAIL'
   | 'SMS';
-export type AmplifyStorageAccessActions =
-  | 'read'
-  | 'get'
-  | 'list'
-  | 'write'
-  | 'delete';
+export type AmplifyStorageAccessActions = 'get' | 'list' | 'write' | 'delete';
 
 /**
  * Config format for Amplify Gen 2 client libraries to communicate with backend services.

packages/client-config/src/client-config-schema/schema_v1.2.json

@@ -356,7 +356,7 @@
   "$defs": {
     "amplify_storage_access_actions": {
       "type": "string",
-      "enum": ["read", "get", "list", "write", "delete"]
+      "enum": ["get", "list", "write", "delete"]
     },
     "amplify_storage_access_rule": {
       "type": "object",