Art Kelly
05/02/2022, 10:53 AM
// Imports assumed for SST v0.x on CDK v2; they were not part of the pasted snippet
import * as sst from "@serverless-stack/resources";
import * as iam from "aws-cdk-lib/aws-iam";

// `auth` is the sst.Auth construct created earlier in this stack (not shown here)

// Create an HTTP API
const api = new sst.Api(this, "Api", {
  // Secure it with IAM Auth
  defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
  routes: {
    "GET /private": "src/private.handler",
    // Make an endpoint public
    "GET /public": {
      function: "src/public.handler",
      authorizationType: sst.ApiAuthorizationType.NONE,
    },
    "GET /cognito": {
      function: {
        srcPath: "src/",
        handler: "getCognito.handler",
        environment: {
          userPoolId: auth.cognitoUserPool?.userPoolId ?? "",
        },
      },
      authorizationType: sst.ApiAuthorizationType.NONE,
    },
  },
});

// Grant only the GET /cognito function permission to list users in this pool.
// Note: Cognito user pool ARNs have the form arn:aws:cognito-idp:REGION:ACCOUNT:userpool/POOL_ID;
// a resource pattern that does not match that form will not grant the call.
api.attachPermissionsToRoute("GET /cognito", [
  new iam.PolicyStatement({
    actions: ["cognito-idp:ListUsers"],
    effect: iam.Effect.ALLOW,
    resources: [
      `arn:aws:cognito-idp:${this.region}:${this.account}:userpool:${auth.cognitoUserPool?.userPoolId}/*`,
    ],
  }),
]);
Karolis Stulgys
05/02/2022, 11:18 AM
sst.ApiAuthorizationType.NONE for both of your lambdas. Is this correct?

Art Kelly
05/02/2022, 11:32 AM
Frank

Frank
sst build, go to .build/cdk.out, and open up the CloudFormation template. Do you see cognito-idp:ListUsers anywhere in the JSON file?

Art Kelly
05/03/2022, 7:42 AM
sst start and the live debug environment in vscode

"ApiLambdaGETcognitoServiceRoleDefaultPolicy...": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "cognito-idp:ListUsers",
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:cognito-idp:_region_:_account_:userpool:",
{
"Ref": "AuthUserPool..."
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "ApiLambdaGETcognitoServiceRoleDefaultPolicy...",
"Roles": [
{
"Ref": "ApiLambdaGETcognitoServiceRole..."
}
]
},
"Metadata": {
"aws:cdk:path": "development-my-sst-app-my-stack/Api/Lambda_GET_--cognito/ServiceRole/DefaultPolicy/Resource"
}
}

Art Kelly
05/03/2022, 11:44 AM
arn:aws:cognito-idp:${this.region}:${this.account}:userpool/*, as, looking in the debug variables, auth.cognitoUserPool?.userPoolId doesn't yet have the userPoolId. Do you know if I can get that at this stage, or how would I go about setting the appropriate ARN which limits the access to the generated pool?