Avoiding Circular References
The conversion function also needs permissions to read from the uploads bucket, but allowing that won’t be as easy as before. You can try adding another read policy to this list, but CFN Lint will complain about a circular reference. Try deploying it to CloudFormation, and you’ll get the same error.
This is because SAM sets up Lambda function policies together with the IAM role for the function. To set up the function, it needs to set up the role first. To set up the role, it needs to know the target buckets for the permissions. On the other hand, SAM sets up bucket lifecycle events, such as invoking Lambda functions, together with the bucket. So to set up the upload bucket, it needs to know which function is expecting the bucket events. The upload bucket therefore depends on the conversion function, which depends on the role, which depends on the bucket. Hence the circular dependency.
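The dependency chain described above can be traced mechanically. The following is an added example, not code from the original text: it walks a constructed, simplified set of resources as CloudFormation would see them after the SAM transform and reports the cycle. The logical IDs (`UploadS3Bucket`, `ConvertFileFunction`, `ConvertFileFunctionRole`) and the policy statement are assumptions made for illustration.

```python
# Constructed, simplified resources as CloudFormation sees them after the SAM
# transform. Logical IDs and the policy statement are assumptions.
TEMPLATE = {
    "UploadS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "NotificationConfiguration": {"LambdaConfigurations": [
            {"Event": "s3:ObjectCreated:*",
             "Function": {"Fn::GetAtt": ["ConvertFileFunction", "Arn"]}}]}}},
    "ConvertFileFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::GetAtt": ["ConvertFileFunctionRole", "Arn"]}}},
    "ConvertFileFunctionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "Policies": [{"PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "s3:GetObject",
            "Resource": {"Fn::Sub": ["arn:aws:s3:::${b}/*",
                                     {"b": {"Ref": "UploadS3Bucket"}}]}}]}}]}},
}


def references(node, names):
    """Yield logical IDs that `node` points at through Ref or Fn::GetAtt."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str) and value in names:
                yield value
            elif key == "Fn::GetAtt" and isinstance(value, list) and value[0] in names:
                yield value[0]
            else:
                yield from references(value, names)
    elif isinstance(node, list):
        for item in node:
            yield from references(item, names)


def find_cycle(template):
    """Return one dependency cycle as a list of logical IDs, or None."""
    graph = {n: sorted(set(references(r, template))) for n, r in template.items()}
    done = set()  # resources already proven to be cycle-free

    def visit(name, path):
        if name in path:  # back at a resource we are still resolving
            return path[path.index(name):] + [name]
        if name not in done:
            for dep in graph[name]:
                cycle = visit(dep, path + [name])
                if cycle:
                    return cycle
            done.add(name)
        return None

    found = (visit(start, []) for start in graph)
    return next((c for c in found if c), None)
```

Calling `find_cycle(TEMPLATE)` returns the bucket, the function, the role and the bucket again, which is the same loop CFN Lint and CloudFormation refuse to resolve.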