fix: permission changed

aws · May 28, 2024 · 1e2ae69 · 1e2ae69
1 parent 4e9322a
commit 1e2ae69
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 46 deletions.
diff --git a/...nfig/test/integ.environment-grant.js.snapshot/aws-appconfig-environment-grant.assets.json b/...nfig/test/integ.environment-grant.js.snapshot/aws-appconfig-environment-grant.assets.json
diff --git a/...ig/test/integ.environment-grant.js.snapshot/aws-appconfig-environment-grant.template.json b/...ig/test/integ.environment-grant.js.snapshot/aws-appconfig-environment-grant.template.json
@@ -53,7 +53,7 @@
           {
            "Ref": "MyEnvironment465E4DEA"
           },
-          "/*"
+          "/configuration/*"
          ]
         ]
        }

diff --git a/...framework-integ/test/aws-appconfig/test/integ.environment-grant.js.snapshot/manifest.json b/...framework-integ/test/aws-appconfig/test/integ.environment-grant.js.snapshot/manifest.json
diff --git a/...ing/framework-integ/test/aws-appconfig/test/integ.environment-grant.js.snapshot/tree.json b/...ing/framework-integ/test/aws-appconfig/test/integ.environment-grant.js.snapshot/tree.json
diff --git a/packages/aws-cdk-lib/aws-appconfig/README.md b/packages/aws-cdk-lib/aws-appconfig/README.md
@@ -82,7 +82,8 @@ See [About the AWS AppConfig data plane service](https://docs.aws.amazon.com/app
 
 ### Permissions
 
-You can grant permissions to read a configuration to an Environment with the grantReadConfig method as follows:
+You can grant read permission on the environment's configurations with the grantReadConfig method as follows:
+
 ```ts
 import * as iam from 'aws-cdk-lib/aws-iam';
 
@@ -92,7 +93,7 @@ const env = new appconfig.Environment(this, 'MyEnvironment', {
 });
 
 const user = new iam.User(this, 'MyUser');
-env.grantReadConfig(user); // Grant read permission on the environment to the user
+env.grantReadConfig(user);
 ```
 
 

diff --git a/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts b/packages/aws-cdk-lib/aws-appconfig/lib/environment.ts
@@ -121,17 +121,20 @@ abstract class EnvironmentBase extends Resource implements IEnvironment, IExtens
     return iam.Grant.addToPrincipal({
       grantee,
       actions,
-      resourceArns: [`${this.environmentArn}/*`],
+      resourceArns: [this.environmentArn],
     });
   }
 
-  public grantReadConfig(grantee: iam.IGrantable) {
-    return this.grant(grantee,
-      'appconfig:GetLatestConfiguration',
-      'appconfig:StartConfigurationSession',
-    );
+  public grantReadConfig(identity: iam.IGrantable): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee: identity,
+      actions: [
+        'appconfig:GetLatestConfiguration',
+        'appconfig:StartConfigurationSession',
+      ],
+      resourceArns: [`${this.environmentArn}/configuration/*`],
+    });
   }
-
 }
 
 /**
@@ -569,7 +572,7 @@ export interface IEnvironment extends IResource {
   grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
 
   /**
-   * Permits an IAM principal to perform read operations on this environment's configuration.
+   * Permits an IAM principal to perform read operations on this environment's configurations.
    *
    * Actions: GetLatestConfiguration, StartConfigurationSession.
    *

diff --git a/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts b/packages/aws-cdk-lib/aws-appconfig/test/environment.test.ts
@@ -861,7 +861,7 @@ describe('environment', () => {
                 { Ref: 'MyAppConfigB4B63E75' },
                 '/environment/',
                 { Ref: 'MyEnvironment465E4DEA' },
-                '/*',
+                '/configuration/*',
               ]],
             },
           },