Generated permissions insufficient to deploy to Lambda

When I try to deploy to Lambda from a pipeline with a CloudFormationCreateUpdateStackAction action, the deployment fails due to insufficient permissions.

Reproduction Steps

1. Follow https://docs.aws.amazon.com/cdk/latest/guide/codepipeline_example.html
2. Pipeline will fail

• Error shown is “UPDATE_FAILED Your access has been denied by S3, please make sure your request credentials have permission to GetObject for […]. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; […])”
• Further inspection reveals that the KMS key used with the source code bucket doesn’t whitelist the execution role for the Lambda function.

Workaround

Using the following class instead of CloudFormationCreateUpdateStackAction will grant the required permissions:

class FixedStackAction extends codepipeline_actions.CloudFormationCreateUpdateStackAction {
  bound(scope: any, stage: any, options: any): any {
    const result = super.bound(scope, stage, options);
    options.bucket.grantRead((this as any)._deploymentRole);
    return result;
  }
}

Suggested fix

Review adding grantRead() to CloudFormationCreateUpdateStackAction as appropriate.