Reputation: 836
I want to create a Lambda function with a role that reads/writes to a specific S3 bucket. Below is the code I have written, but in the AWS Console policy it's not showing the bucket ARN; instead it shows as s3:::[object Object].
Am I missing something?
// CDK v1 style imports (per-module packages), matching the IAM / lambda aliases used below
import * as IAM from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';

// Execution role that the Lambda service is allowed to assume
const role = new IAM.Role(this, 'MyRole', {
  assumedBy: new IAM.ServicePrincipal('lambda.amazonaws.com'),
  roleName: 'DefaultRoleName'
});

// Inline statement; resources are expected to be ARN strings (or CDK tokens that resolve to strings)
role.addToPolicy(new IAM.PolicyStatement({
  resources: [lambda_source.bucketArn],
  actions: ['s3:GetObject', 'lambda:InvokeFunction']
}));
// lambda_source.grantReadWrite(role) // I have tried this, and this also outputs the same result.

const myLambda = new lambda.Function(this, 'MYLHandler', {
  runtime: lambda.Runtime.NODEJS_12_X,
  // Note: lambda.Code.fromBucket() is typed to take an IBucket as its first argument, not a bucket name
  code: lambda.Code.fromBucket(lambda_source.bucketName, 'lambda.zip'),
  handler: 'index.handler',
  functionName: 'MyLambda',
  role: role
});
Here is the output in the AWS console IAM role policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:s3:::[object Object]",
      "Effect": "Allow"
    }
  ]
}
Upvotes: 0
Views: 2762
Reputation: 1804
You could import the bucket and give the permissions:
import { Bucket } from '@aws-cdk/aws-s3';

// Import an existing bucket by ARN; this yields an IBucket with a string bucketArn / bucketName
const bucket = Bucket.fromBucketAttributes(this, 'ImportedBucket', {
  bucketArn: 'arn:aws:s3:::my-bucket'
});
// now you can just call methods on the bucket
bucket.grantRead(mylambda);
Upvotes: 4
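Two things are worth checking before trusting a grant like the one in this answer: that the value you hand to the policy really is an ARN string (an object silently coerces to "[object Object]" the moment it is interpolated into a string, which is exactly what the question's console output shows), and that object actions such as s3:GetObject are scoped to the object ARN (bucketArn/*) rather than the bare bucket ARN, which is what grantRead emits for you. The following is an added example, not code from the question, either answer, or the CDK; it is plain TypeScript with no CDK dependency so it runs stand-alone, and assertBucketArn, s3ReadStatement and naiveResource are hypothetical helper names.

```typescript
// Added example (not from the page or the CDK): validate a bucket ARN and
// build a least-privilege S3 read statement from it, so that a non-string
// "ARN" fails loudly instead of becoming arn:aws:s3:::[object Object].

type PolicyStatement = {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
};

// Bucket-level ARN only (no "/key" suffix). Partition may be aws, aws-cn,
// aws-us-gov, ... Bucket names are 3-63 chars of lowercase letters, digits,
// dots and hyphens, starting and ending with a letter or digit.
const BUCKET_ARN_RE = /^arn:aws(?:-[a-z]+)*:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$/;

// Reproduces the failure mode in the question: anything that is not a
// string gets coerced by the template literal, and a plain object becomes
// the literal text "[object Object]".
function naiveResource(value: unknown): string {
  return `arn:aws:s3:::${value}`;
}

// Guard: throws TypeError unless value is a syntactically valid bucket ARN.
function assertBucketArn(value: unknown): string {
  if (typeof value !== 'string') {
    throw new TypeError(
      `bucketArn must be a string, got ${typeof value} (${String(value)})`,
    );
  }
  if (!BUCKET_ARN_RE.test(value)) {
    throw new TypeError(`not a bucket ARN: ${value}`);
  }
  return value;
}

// Least-privilege read grant. s3:ListBucket applies to the bucket ARN and
// s3:GetObject applies to object ARNs, so both resources are listed (this
// mirrors the bucket + bucket/* pair that grantRead produces). The optional
// prefix narrows the object grant, e.g. 'lambda/*' instead of '*'.
function s3ReadStatement(bucketArn: unknown, prefix = '*'): PolicyStatement {
  const arn = assertBucketArn(bucketArn);
  return {
    Effect: 'Allow',
    Action: ['s3:GetObject', 's3:ListBucket'],
    Resource: [arn, `${arn}/${prefix}`],
  };
}

// Usage (constructed values, not taken from any real account):
const stmt = s3ReadStatement('arn:aws:s3:::my-bucket', 'lambda/*');
console.log(JSON.stringify(stmt, null, 2));
console.log(naiveResource({ bucketArn: 'arn:aws:s3:::my-bucket' }));
```

If you are on CDK, the same guard can run against the value before it reaches PolicyStatement.resources; a token returned by a real Bucket or by Bucket.fromBucketAttributes is a string and passes the typeof check (the regex would need relaxing for unresolved tokens), whereas a mis-shaped object is rejected at synth time rather than deploying as an unusable policy.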
Reputation: 41
lambda_source.bucketArn
is an object and not a string like you are expecting. Print out the object to see what it actually is and whether or not it contains a field with the ARN.
Upvotes: 1