FullStackWithLawrence · lpm0073 · Dec 22, 2023 · Dec 22, 2023 · Dec 22, 2023
diff --git a/terraform/json/iam_policy_lambda.json.tpl b/terraform/json/iam_policy_lambda.json.tpl
@@ -6,12 +6,7 @@
       "Action": [
         "logs:CreateLogGroup",
         "logs:CreateLogStream",
-        "logs:PutLogEvents",
-        "rekognition:DescribeCollection",
-        "rekognition:IndexFaces",
-        "dynamodb:PutItem",
-        "s3:GetObject",
-        "s3:ListBucket"
+        "logs:PutLogEvents"
       ],
       "Resource": "arn:aws:logs:*:*:*"
     },
@@ -32,6 +27,8 @@
         "Action": [
           "apigateway:GET",
           "iam:ListPolicies",
+          "iam:GetPolicy",
+          "iam:GetPolicyVersion",
           "s3:ListAllMyBuckets",
           "rekognition:IndexFaces",
           "rekognition:DescribeCollection",

diff --git a/terraform/python/rekognition_api/__version__.py b/terraform/python/rekognition_api/__version__.py
@@ -1,3 +1,2 @@
-# -*- coding: utf-8 -*-
 # Managed via automated CI/CD in .github/workflows/semanticVersionBump.yml.
-__version__ = "0.2.7-next.1"
+__version__ = "0.2.8-next.1"
diff --git a/terraform/python/rekognition_api/aws.py b/terraform/python/rekognition_api/aws.py
@@ -60,19 +60,24 @@ def get_iam_policies(self):
         """Return a dict of the AWS IAM policies."""
         iam_client = settings.aws_session.client("iam")
         policies = iam_client.list_policies()["Policies"]
-        rekognition_policies = {
-            policy["PolicyName"]: policy["Arn"]
-            for policy in policies
-            if settings.shared_resource_identifier in policy["PolicyName"]
-        }
-        return rekognition_policies or {}
+        rekognition_policies = {}
+        for policy in policies:
+            if settings.shared_resource_identifier in policy["PolicyName"]:
+                policy_version = iam_client.get_policy(PolicyArn=policy["Arn"])["Policy"]["DefaultVersionId"]
+                policy_document = iam_client.get_policy_version(PolicyArn=policy["Arn"], VersionId=policy_version)[
+                    "PolicyVersion"
+                ]["Document"]
+                rekognition_policies[policy["PolicyName"]] = {"Arn": policy["Arn"], "Policy": policy_document}
+        return rekognition_policies
 
     def get_iam_roles(self):
         """Return a dict of the AWS IAM roles."""
         iam_client = settings.aws_session.client("iam")
         roles = iam_client.list_roles()["Roles"]
         rekognition_roles = {
-            role["RoleName"]: role["Arn"] for role in roles if settings.shared_resource_identifier in role["RoleName"]
+            role["RoleName"]: {"Arn": role["Arn"], "Role": role}
+            for role in roles
+            if settings.shared_resource_identifier in role["RoleName"]
         }
         return rekognition_roles or {}
 
@@ -109,7 +114,7 @@ def aws_connection_works(self):
         """Test that the AWS connection works."""
         try:
             # Try a benign operation
-            settings.aws_s3_client.list_buckets()
+            settings.aws_s3_client.buckets.all()
             return True
         except Exception:  # pylint: disable=broad-exception-caught
             return False
@@ -124,9 +129,9 @@ def domain_exists(self) -> bool:
 
     def get_bucket_by_prefix(self, bucket_prefix) -> str:
         """Return the bucket name given the bucket prefix."""
-        for bucket in settings.aws_s3_client.list_buckets()["Buckets"]:
-            if bucket["Name"].startswith(bucket_prefix):
-                return f"arn:aws:s3:::{bucket['Name']}"
+        for bucket in settings.aws_s3_client.buckets.all():
+            if bucket.name.startswith(bucket_prefix):
+                return f"arn:aws:s3:::{bucket.name}"
         return None
 
     def bucket_exists(self, bucket_prefix) -> bool:

diff --git a/terraform/python/rekognition_api/conf.py b/terraform/python/rekognition_api/conf.py
@@ -345,7 +345,7 @@ def aws_apigateway_client(self):
     def aws_s3_client(self):
         """S3 client"""
         if not self._aws_s3_client:
-            self._aws_s3_client = self.aws_session.client("s3")
+            self._aws_s3_client = self.aws_session.resource("s3")
         return self._aws_s3_client
 
     @property

diff --git a/terraform/python/rekognition_api/lambda_index.py b/terraform/python/rekognition_api/lambda_index.py
@@ -118,7 +118,7 @@ def unpack_s3_object(event, record):
     """extracts the s3 object key, object, and object metadata from the event record"""
     s3_bucket_name = get_bucket_name(event)
     s3_object_key = unquote_plus(record["s3"]["object"]["key"], encoding="utf-8")
-    s3_object = settings.s3_client.Object(s3_bucket_name, s3_object_key)
+    s3_object = settings.aws_s3_client.Object(s3_bucket_name, s3_object_key)
     s3_object_metadata = {key.replace("x-amz-meta-", ""): s3_object.metadata[key] for key in s3_object.metadata.keys()}
     return s3_object_key, s3_object_metadata