fix: bucket permissions

storacha · Oct 1, 2024 · a98eac1 · a98eac1
1 parent 921430f
commit a98eac1
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/stacks/psa-stack.js b/stacks/psa-stack.js
@@ -3,6 +3,8 @@
  * to CAR files the complete DAGs are stored in.
  */
 import { Function } from 'sst/constructs'
+import { Bucket } from 'aws-cdk-lib/aws-s3'
+import { getBucketName } from './config.js'
 
 /** @param {import('sst/constructs').StackContext} context */
 export function PSAStack ({ stack }) {
@@ -25,22 +27,31 @@ export function PSAStack ({ stack }) {
     }
   })
 
+  const buckets = []
+  if (process.env.S3_DOTSTORAGE_0_BUCKET_ARN) {
+    buckets.push(Bucket.fromBucketArn(stack, 'dotstorage-0', process.env.S3_DOTSTORAGE_0_BUCKET_ARN))
+  }
+  if (process.env.S3_DOTSTORAGE_1_BUCKET_ARN) {
+    buckets.push(Bucket.fromBucketArn(stack, 'dotstorage-1', process.env.S3_DOTSTORAGE_1_BUCKET_ARN))
+  }
+  if (process.env.S3_PICKUP_BUCKET_ARN) {
+    buckets.push(Bucket.fromBucketArn(stack, 'pickup', process.env.S3_PICKUP_BUCKET_ARN))
+  }
+
   const hashFunction = new Function(stack, 'hash', {
     handler: 'psa/functions/hash.handler',
     url: { cors: true, authorizer: 'none' },
     memorySize: '4 GB',
-    timeout: '15 minutes'
+    timeout: '15 minutes',
+    permissions: buckets
   })
 
-  hashFunction.attachPermissions(['s3:HeadObject', 's3:GetObject'])
-
   const downloadFunction = new Function(stack, 'download', {
     handler: 'psa/functions/download.handler',
-    url: { cors: true, authorizer: 'none' }
+    url: { cors: true, authorizer: 'none' },
+    permissions: buckets
   })
 
-  downloadFunction.attachPermissions(['s3:HeadObject', 's3:GetObject'])
-
   stack.addOutputs({
     hashFunctionURL: hashFunction.url,
     downloadFunctionURL: downloadFunction.url,