# help
t
Heya! In the following code, I would like to avoid using "*" for the permissions resources... is there a way around this where I can reference the Auth's User Pool ARN? I've tried delving into the auth object, down to the triggers, to try to attach permissions, but don't seem to be getting anywhere with that.
import { Auth } from "@serverless-stack/resources";
// CDK v2 module paths; on CDK v1 these come from @aws-cdk/aws-cognito and @aws-cdk/aws-iam.
import { DateTimeAttribute } from "aws-cdk-lib/aws-cognito";
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";

// `customDomain` is defined elsewhere in the stack (not shown in this snippet).
const auth = new Auth(this, "auth", {
  cognito: {
    userPool: {
      selfSignUpEnabled: false,
      signInAliases: { email: true },
      customAttributes: {
        PasswordUpdated: new DateTimeAttribute({ mutable: true }),
      },
    },
    triggers: {
      preAuthentication: {
        handler: "stack/cognito/pre-authentication.handler",
        permissions: [
          // The wildcard resource this question is about: ideally it would be
          // scoped to the user pool's ARN instead of "*".
          new PolicyStatement({
            effect: Effect.ALLOW,
            resources: ["*"],
            actions: [
              "cognito-idp:AdminResetPassword",
              "cognito-idp:UpdateUserAttributes",
            ],
          }),
        ],
      },
      postAuthentication: {
        handler: "stack/cognito/post-authentication.handler",
      },
      customMessage: {
        handler: "stack/cognito/custom-message.handler",
        environment: {
          URL: "https://" + customDomain.domainName,
        },
      },
    },
  },
});
I just stumbled upon... auth.attachPermissionsForTriggers ...!
f
Hey @Tim V, I just noticed attachPermissionsForTriggers() isn't in the doc. I'm going to add it.
t
Thanks, Frank! If I could add... I'm trying to give the triggers permission to execute cognito commands like adminResetPassword. Normally, I'd use the ARN, but it's self-referential within Auth, I think. I'm not sure how to do this.
f
You mean you are getting a cyclic-dependency error when you try to build?
t
Thanks, I'll check out the docs. As for what I'm doing...
This, actually, worked... I can execute adminResetPassword, but I'd still like to reduce the surface of that policy.
// Attach an additional policy to the preAuthentication trigger's Lambda role.
auth.attachPermissionsForTrigger("preAuthentication", [
  new PolicyStatement({
    effect: Effect.ALLOW,
    resources: ["*"],
    actions: ["*"],
  }),
]);
When I set the "resources" to ...
resources: [auth.cognitoUserPool.userPoolArn],
... I get a Circular Dependency error. The format is nasty, but here's the error...
Error [ValidationError]: Circular dependency between resources: [apiRoutePUTuserUsernamedisable3BF9C1C1, edgefunctionEventInvokeConfigADF2DFCA, siteAliasRecordD2C115B7, apiLambdaPUTuserUsernameenableF3A35540, edgefunctionLogRetention2F06914A, siteCloudFrontInvalidation5FEAB56C, apiRoutePOSTuserdevjunopsnstackapiRoutePOSTuser455DB5B9Permission32B8E29C, apiRoutePUTuserUsernameenabledevjunopsnstackapiRoutePUTuserUsernameenable6A58B522Permission073E9827, edgefunctionF8814F17, apiRoutePUTuserUsernameenableHttpIntegration65904685d431fc874ab675c2d916b76dD972BBC9, SSTMetadata, siteDistribution706F5265, apiRoutePOSTuserDCA6C938, serverfunctionLogRetention6F448CB8, authIdentityPoolUnauthRole4ACF4320, apiRouteGETusers6B86FA17, authpreAuthenticationServiceRoleDefaultPolicyB9815067, authpreAuthenticationEventInvokeConfigA2FDBB86, authUserPoolA78B038B, authIdentityPoolAuthRole95740CDF, apiLambdaGETusers5AF75FB4, siteS3DeploymentB932FFDB, apiLambdaPOSTuserEventInvokeConfig06CB531D, authIdentityPoolRoleAttachment40DB31C0, apiLambdaGETusersServiceRoleDefaultPolicy17FA2E21, authpreAuthenticationLogRetention43ABFBAF, authIdentityPool80CA5E06, apiLambdaPUTuserUsernamedisableEventInvokeConfig2C7EFF38, apiLambdaPUTuserUsernameenableLogRetention42057A7C, apiLambdaGETusersEventInvokeConfigB8FB97BA, serverfunction2927A4DC, siteBucketAutoDeleteObjectsCustomResource9BA1679B, authIdentityPoolAuthRoleDefaultPolicy24D81566, apiLambdaGETusersLogRetentionF1D6A18A, apiLambdaPUTuserUsernamedisable91399149, apiLambdaPUTuserUsernamedisableServiceRoleDefaultPolicy327A13BA, edgefunctionCurrentVersionE90E97ED1ccc6f65cfdf0347c9a2ffcf7ece9337, apiRouteGETusersHttpIntegration314b52159fe7d2cfdb67d236a7cf0abd06CBB36C, apiRoutePUTuserUsernameenable87C6E5B8, siteDistributionOrigin1S3Origin34B0A58E, authUserPoolClientD0D8BA3B, apiRoutePUTuserUsernamedisableHttpIntegration7e4e86219fa455b4c774efef57f4956f62D649F2, apiLambdaPOSTuserServiceRoleDefaultPolicy3F336918, administrators, 
authcustomMessageCustomMessageCognitoF3BE8175, serverfunctionEventInvokeConfig981B5763, apiRoutePOSTuserHttpIntegrationebf5e7f27e85ef07d2fb8304fbbfcafc048E6C57, authIdentityPoolUnauthRoleDefaultPolicy1BA98428, authpreAuthenticationPreAuthenticationCognitoF39ADE00, apiLambdaPOSTuserLogRetention89A8741E, apiRouteGETusersdevjunopsnstackapiRouteGETusers35BE0A12Permission287283D6, authpostAuthenticationPostAuthenticationCognito1CB0A84E, apiLambdaPUTuserUsernamedisableLogRetentionB08D0A3A, apiLambdaPOSTuser711B3E1A, apiLambdaPUTuserUsernameenableServiceRoleDefaultPolicyC8E7066B, authpreAuthentication4E92D46F, apiRoutePUTuserUsernamedisabledevjunopsnstackapiRoutePUTuserUsernamedisableD07B6189PermissionCED27691, apiLambdaPUTuserUsernameenableEventInvokeConfigF2E8D6C3, edgefunctionServiceRoleDefaultPolicy126D416B, siteBucketPolicy0C71C997]