https://serverless-stack.com/ logo
Join Slack
Powered by
Hello everyone, Does anyone know why the permissio...
# help
a
Hello everyone, Does anyone know why the permissions might not be attaching to the lambda function set at this route Im trying to extend one of the examples and have a lambda which I would like to return a list of all the users in the user pool, however, the iam policy isn't applied to the api route
Copy code
// Create an HTTP API
    const api = new sst.Api(this, "Api", {
      // Secure it with IAM Auth
      defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
      routes: {
        "GET /private": "src/private.handler",
        // Make an endpoint public
        "GET /public": {
          function: "src/public.handler",
          authorizationType: sst.ApiAuthorizationType.NONE,
        },
        "GET /cognito": {
          function: { 
            srcPath: "src/",
            handler: "getCognito.handler",
            environment: {
              "userPoolId": auth.cognitoUserPool?.userPoolId ?? ""
            },
          },
          authorizationType: sst.ApiAuthorizationType.NONE,
        } 
      },
    });

    api.attachPermissionsToRoute("GET /cognito", [
      new iam.PolicyStatement({
        actions: ["cognito-idp:ListUsers"],
        effect: iam.Effect.ALLOW,
        resources: [
          `arn:aws:cognito-idp:${this.region}:${this.account}:userpool:${auth.cognitoUserPool?.userPoolId}/*`,
        ],
      }),
    ])
k
Hey, not an sst expert but you have 
sst.ApiAuthorizationType.NONE
for both of your lambdas. Is this is correct?
a
Yeah just for testing as the api requires an authed user to access the route
f
Thanks for chiming in @Karolis Stulgys!
@Art Kelly if u run 
sst build
, go to 
.build/cdk.out
, and open up the CloudFormation template, do you see 
cognito-idp:ListUsers
anywhere in the json file?
a
Hi Frank, yes it does have the policy in the json file in what looks like the right place. I've removed the sensitive data on here but that looks right to me. Is it that I need to deploy fully to apply the policy? At the moment I've just been using 
sst start
and the live debug environment in 
vscode
Copy code
"ApiLambdaGETcognitoServiceRoleDefaultPolicy...": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Action": "cognito-idp:ListUsers",
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:cognito-idp:_region_:_account_:userpool:",
                    {
                      "Ref": "AuthUserPool..."
                    },
                    "/*"
                  ]
                ]
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "ApiLambdaGETcognitoServiceRoleDefaultPolicy...",
        "Roles": [
          {
            "Ref": "ApiLambdaGETcognitoServiceRole..."
          }
        ]
      },
      "Metadata": {
        "aws:cdk:path": "development-my-sst-app-my-stack/Api/Lambda_GET_--cognito/ServiceRole/DefaultPolicy/Resource"
      }
Hi Frank, I found the error for now was with the ARN not being correct. I can get the function to work with this ARN 
arn:aws :cognito-idp:${this.region}:${this.account}:userpool/*
, as looking in the debug variables, auth.cognitoUserPool?.userPoolId doesn't yet have the userPoolId. Do you know if I can get that at this stage or how would I go about setting the appropriate ARN which limits the access to the generated pool?
Open in Slack
PreviousNext
Powered by