https://serverless-stack.com/ logo
#help
Title
# help
a

Art Kelly

05/02/2022, 10:53 AM
Hello everyone, Does anyone know why the permissions might not be attaching to the lambda function set at this route Im trying to extend one of the examples and have a lambda which I would like to return a list of all the users in the user pool, however, the iam policy isn't applied to the api route
Copy code
// Create an HTTP API
    const api = new sst.Api(this, "Api", {
      // Secure it with IAM Auth
      defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
      routes: {
        "GET /private": "src/private.handler",
        // Make an endpoint public
        "GET /public": {
          function: "src/public.handler",
          authorizationType: sst.ApiAuthorizationType.NONE,
        },
        "GET /cognito": {
          function: { 
            srcPath: "src/",
            handler: "getCognito.handler",
            environment: {
              "userPoolId": auth.cognitoUserPool?.userPoolId ?? ""
            },
          },
          authorizationType: sst.ApiAuthorizationType.NONE,
        } 
      },
    });

    api.attachPermissionsToRoute("GET /cognito", [
      new iam.PolicyStatement({
        actions: ["cognito-idp:ListUsers"],
        effect: iam.Effect.ALLOW,
        resources: [
          `arn:aws:cognito-idp:${this.region}:${this.account}:userpool:${auth.cognitoUserPool?.userPoolId}/*`,
        ],
      }),
    ])
k

Karolis Stulgys

05/02/2022, 11:18 AM
Hey, not an sst expert but you have
sst.ApiAuthorizationType.NONE
for both of your lambdas. Is this is correct?
a

Art Kelly

05/02/2022, 11:32 AM
Yeah just for testing as the api requires an authed user to access the route
f

Frank

05/02/2022, 8:44 PM
Thanks for chiming in @Karolis Stulgys!
@Art Kelly if u run
sst build
, go to
.build/cdk.out
, and open up the CloudFormation template, do you see
cognito-idp:ListUsers
anywhere in the json file?
a

Art Kelly

05/03/2022, 7:42 AM
Hi Frank, yes it does have the policy in the json file in what looks like the right place. I've removed the sensitive data on here but that looks right to me. Is it that I need to deploy fully to apply the policy? At the moment I've just been using
sst start
and the live debug environment in
vscode
Copy code
"ApiLambdaGETcognitoServiceRoleDefaultPolicy...": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "cognito-idp:ListUsers",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:cognito-idp:_region_:_account_:userpool:",
                    {
                      "Ref": "AuthUserPool..."
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "ApiLambdaGETcognitoServiceRoleDefaultPolicy...",
        "Roles": [
          {
            "Ref": "ApiLambdaGETcognitoServiceRole..."
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "development-my-sst-app-my-stack/Api/Lambda_GET_--cognito/ServiceRole/DefaultPolicy/Resource"
      }
Hi Frank, I found the error for now was with the ARN not being correct. I can get the function to work with this ARN
arn:aws :cognito-idp:${this.region}:${this.account}:userpool/*
, as looking in the debug variables, auth.cognitoUserPool?.userPoolId doesn't yet have the userPoolId. Do you know if I can get that at this stage or how would I go about setting the appropriate ARN which limits the access to the generated pool?