AWS CDK S3 Bucket Policy Not Being Applied Correctly in Production Stack
I've spent hours debugging this. I'm using AWS CDK version 2.50.0 to manage my infrastructure, and I've encountered a scenario where the S3 bucket policy I defined in my production stack is not being applied as expected.

In my `lib/my-stack.ts`, I have the following code to create an S3 bucket with a policy that allows read access to a specific IAM role:

```typescript
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as iam from 'aws-cdk-lib/aws-iam';

export class MyStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Versioned bucket; DESTROY so the stack can be torn down cleanly.
    const bucket = new s3.Bucket(this, 'MyBucket', {
      versioned: true,
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });

    // Execution role that the Lambda function will assume.
    const role = new iam.Role(this, 'MyRole', {
      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
    });

    // Resource policy on the bucket granting the role read access to objects.
    // s3:GetObject is an object-level action, so the resource must be the
    // object ARN (<bucketArn>/*). Bucket has no `arn` property; use
    // arnForObjects('*') (equivalent to bucket.bucketArn + '/*').
    bucket.addToResourcePolicy(new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      principals: [role],
      actions: ['s3:GetObject'],
      resources: [bucket.arnForObjects('*')],
    }));
  }
}
```

After deploying this stack, I noticed via the AWS Console that the bucket policy was not updated as expected. The IAM role does not have access to read the objects in the bucket, and I'm seeing `403 Forbidden` behavior when the Lambda function associated with the role tries to access the bucket.

I have tried redeploying the stack several times and even manually inspecting the bucket policy JSON in the console, but it doesn't reflect the changes. I also confirmed that the role is correctly assumed by the Lambda function and that the function itself has the necessary execution permissions.

Is there something I'm missing in this setup? Perhaps a scenario with the order of operations or the way CDK synthesizes the resources? This is for a REST API running on Linux. Cheers for any assistance! This is my first time working with TypeScript stable. What's the best practice here?
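The post above boils down to one question: does the bucket policy that CDK synthesizes actually match the request the Lambda makes? The following is an added example, not code from the original post or from the AWS CDK project. It is a deliberately simplified model of how S3 evaluates a bucket policy for a single request (principal, action, resource ARN): an explicit Deny wins, any matching Allow grants, and the default is deny. The role ARN, bucket name and object key are constructed sample values. It shows why a `GetObject` request is refused when the statement's `Resource` is the bare bucket ARN, or a string built from an undefined property (`undefined/*`), and is granted only when the resource is the object ARN `<bucketArn>/*`, which is what the synthesized policy should contain.

```typescript
// Added example: a simplified model of S3 bucket-policy evaluation.
// Not the AWS implementation; it ignores conditions, NotAction/NotResource,
// service principals and the identity-policy side of the evaluation.

type Effect = 'Allow' | 'Deny';

interface Statement {
  Effect: Effect;
  Principal: { AWS: string | string[] } | '*';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

interface S3Request {
  principalArn: string;
  action: string;
  resourceArn: string;
}

function asList<T>(v: T | T[]): T[] {
  return Array.isArray(v) ? v : [v];
}

// IAM-style wildcard: '*' matches any run of characters, '?' exactly one.
function globMatch(pattern: string, value: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

function principalMatches(p: Statement['Principal'], arn: string): boolean {
  if (p === '*') return true;
  return asList(p.AWS).some((x) => x === '*' || x === arn);
}

// Explicit Deny overrides everything; otherwise one matching Allow suffices.
function evaluate(policy: PolicyDocument, req: S3Request): Effect {
  let allowed = false;
  for (const s of policy.Statement) {
    const matches =
      principalMatches(s.Principal, req.principalArn) &&
      asList(s.Action).some((a) => globMatch(a, req.action)) &&
      asList(s.Resource).some((r) => globMatch(r, req.resourceArn));
    if (!matches) continue;
    if (s.Effect === 'Deny') return 'Deny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Constructed sample identifiers (placeholders, not real account values).
const ROLE_ARN = 'arn:aws:iam::123456789012:role/MyStack-MyRole-EXAMPLE';
const BUCKET_ARN = 'arn:aws:s3:::my-bucket';

// The shape of the statement the CDK code in the post produces, for a given Resource.
function bucketPolicy(resource: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Principal: { AWS: ROLE_ARN }, Action: 's3:GetObject', Resource: resource },
    ],
  };
}

// The request the Lambda makes: read one object in the bucket.
const getObject: S3Request = {
  principalArn: ROLE_ARN,
  action: 's3:GetObject',
  resourceArn: `${BUCKET_ARN}/reports/2024.csv`,
};

// Three candidate Resource values for the same statement.
function compareResourceForms(): Record<string, Effect> {
  return {
    bucketArnOnly: evaluate(bucketPolicy(BUCKET_ARN), getObject),      // 'Deny'
    undefinedPrefix: evaluate(bucketPolicy('undefined/*'), getObject), // 'Deny'
    objectArn: evaluate(bucketPolicy(`${BUCKET_ARN}/*`), getObject),   // 'Allow'
  };
}

// A later Deny statement still wins over an earlier matching Allow.
function withExplicitDeny(): PolicyDocument {
  const p = bucketPolicy(`${BUCKET_ARN}/*`);
  p.Statement.push({ Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: `${BUCKET_ARN}/*` });
  return p;
}

console.log(compareResourceForms(), evaluate(withExplicitDeny(), getObject));
```

When the console shows a policy whose `Resource` is the bare bucket ARN or a malformed string, the `GetObject` Allow never matches and S3 falls through to the default deny, which surfaces as the `403` described above; with the object ARN form the same statement grants the request, and an explicit Deny anywhere in the document (or a deny in the role's own identity policy, which this model does not cover) still blocks it.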