Tags: aws-cloudformation, aws-cdk, aws-cloudformation-custom-resource

I need help understanding what AwsCustomResource.policy is in CDK


I am using CDK's AwsCustomResource to create an S3 object. I fail to understand AwsCustomResource.policy. The docs say:

policy (mandatory): The policy to apply to the resource.

and about role:

role (optional): The execution role for the Lambda function implementing this custom resource provider.

When I set a role and check the Lambda of the custom resource, I see that it got the permissions from the role, just like the docs say.

I found out that when I set the policy (values just for testing), e.g. like so:

from aws_cdk.aws_iam import PolicyStatement
from aws_cdk.custom_resources import AwsCustomResourcePolicy

# Test values only: a wildcard resource is far broader than the custom resource needs.
policy = AwsCustomResourcePolicy.from_statements(
    statements=[PolicyStatement(actions=["s3:ReplicateTags"], resources=["*"])]
)

Then I also get this on the Lambda permissions. This wasn't how I read the docs; I expected the policy to be used to set a policy on the resource I created, the S3 object. But what would that mean? I created the object in a pre-existing bucket, with an existing policy on the bucket. Do S3 objects have their own policy?


Solution

  • do s3 objects have their policy?

    No, they do not. Only buckets have policies.

  • I expected the policy to be used to set a policy to the resource I created, the s3 object.

    This would be difficult, as many resources, S3 objects among them, do not have resource-based policies.

    AwsCustomResourcePolicy adds policies to the execution role of the Lambda function, not to the resource created by the custom resource. Note that custom resources do not need to create any resources anyway.
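As an added example (not code from the question, the answer, or the CDK project), the block below shows in plain Python what the answer implies for the asker's statement: because the policy lands on the Lambda execution role, it should be scoped to the one object the custom resource writes rather than resources=["*"]. It builds that statement and runs a small wildcard audit over it. The bucket and key names are constructed sample values, and the audit rules are this example's own heuristics, not a CDK or IAM API. No aws_cdk import is needed; in a CDK app the resulting dict maps onto PolicyStatement(actions=..., resources=...) inside AwsCustomResourcePolicy.from_statements().

```python
# Added example (not from the question or answer): builds the least-privilege
# statement to hand to AwsCustomResourcePolicy.from_statements() for a custom
# resource that writes one S3 object, and audits a statement for wildcards.
# Pure Python; the bucket and key names are constructed sample values.
from typing import Dict, List, Union

Statement = Dict[str, Union[str, List[str]]]


def s3_object_arn(bucket: str, key: str) -> str:
    """S3 object ARNs carry no region or account: arn:aws:s3:::bucket/key."""
    return f"arn:aws:s3:::{bucket}/{key}"


def put_object_statement(bucket: str, key: str) -> Statement:
    """Grant only what the custom resource's Lambda needs: put the object on
    create/update and delete it when the stack is deleted, on that one key."""
    return {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:DeleteObject"],
        "Resource": [s3_object_arn(bucket, key)],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def audit_statement(stmt: Statement) -> List[str]:
    """Return findings for a statement that is broader than a single-object
    custom resource should need. An empty list means nothing was flagged.
    The rules are this example's heuristics, not an IAM validation API."""
    findings: List[str] = []
    actions = _as_list(stmt.get("Action", []))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action}")
    # Heuristic: S3 actions whose name contains "Object" operate on objects and
    # must be granted on an object ARN (bucket/key or bucket/prefix*), not on
    # the bare bucket ARN.
    object_actions = [a for a in actions if "Object" in a]
    for resource in _as_list(stmt.get("Resource", [])):
        if resource == "*":
            findings.append("wildcard resource *")
        elif (
            object_actions
            and resource.startswith("arn:aws:s3:::")
            and "/" not in resource
        ):
            findings.append(
                f"bucket-level resource {resource} does not cover object actions"
            )
    return findings


if __name__ == "__main__":
    # In a CDK app the dict would become
    #   PolicyStatement(actions=stmt["Action"], resources=stmt["Resource"])
    # passed to AwsCustomResourcePolicy.from_statements([...]).
    scoped = put_object_statement("example-config-bucket", "app/config.json")
    wide = {"Effect": "Allow", "Action": ["s3:ReplicateTags"], "Resource": ["*"]}
    print("scoped statement:", scoped)
    print("scoped statement findings:", audit_statement(scoped))
    print("wildcard statement findings:", audit_statement(wide))
```

Running the file prints the scoped statement, an empty findings list for it, and a wildcard-resource finding for the test statement from the question. The same scoping can be expressed with the CDK helper AwsCustomResourcePolicy.from_sdk_calls(resources=[...]), which derives the actions from the SDK calls on the custom resource while you still supply the object ARNs.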