I'm having some confusion with `attachPermissions`...
# help
j
I'm having some confusion with `attachPermissions`. This does not work, I get an error `Error: The specified grant method is incorrect.`:
```
scheduled.attachPermissions([
  [topic, "grantPublish"],
  [table, "grantReadData"],
]);
```
but this does work, no errors:
```
scheduled.attachPermissions([topic, "grantPublish"]);
scheduled.attachPermissions([table, "grantReadData"]);
```
Can someone explain this to me? I thought both would work.
f
Hey @Jon Holman, I’m guessing `topic` and `table` are instances of `sst.Topic` and `sst.Table` constructs.
Can you try this:
```
scheduled.attachPermissions([
  [topic.snsTopic, "grantPublish"],
  [table.dynamodbTable, "grantReadData"],
]);
```
This 2nd approach you shared is not doing what you expected. This
```
scheduled.attachPermissions([topic, "grantPublish"]);
```
grants 2 permissions. `sns:*` permission to the `topic`, and `grantPublish:*` permission to `*`. The reason it worked is b/c `sns:*` includes the `sns:Publish` permission, and `grantPublish:*` is an invalid permission, which is ignored by IAM.
Let me know if that makes sense.
ö
Yeah, you need to provide the name of the method for the underlying construct
SST will call it like this (sort of):
```
array[0](array[1])
```
This basically means that the second element of the array must be an instance method for the underlying construct
This is not working, because `topic` does not have a method called `grantPublish` to call for.
```
[topic, "grantPublish"]
```
And for the table:
j
@Frank thanks. I'm using the demo app as my starting point, so table is just like in https://github.com/serverless-stack/demo-notes-app/blob/main/stacks/ApiStack.js . The SNS Topic is actually:
```
import * as sns from "@aws-cdk/aws-sns";
import * as snsSubscriptions from "@aws-cdk/aws-sns-subscriptions";
...
const topic = new sns.Topic(this, "NotesEmailReminders", {
  displayName: "email reminders",
});
topic.addSubscription(new snsSubscriptions.EmailSubscription("jon..."));
```
Initially I tried SST's topic, but I couldn't get the email subscription created with that.
Thanks @Ömer Toraman. That makes sense. The problem I'm having is with table. I'm trying to follow the example from https://github.com/serverless-stack/demo-notes-app/blob/main/stacks/ApiStack.js#L34 but I want my scheduled function to only have read access. When I try table. command+space or table.dynamodbTable. I don't see any grant options. How is that table parameter available for line 34 in the demo app but doesn't have grant options available?
It looks like this works:
```
scheduled.attachPermissions([
  [topic, "grantPublish"],
  [table.dynamodbTable, "grantReadData"],
]);
```
Thanks, @Frank and @Ömer Toraman. It seems like my VS Code is not giving me suggestions on the table being passed from the StorageStack. In that line I linked to the demo app should it be table.dynamodbTable instead of just table?
f
@Jon Holman are you referring to this line from the demo app?
```
this.api.attachPermissions([table]);
```
This is actually right, you can pass in the SST Table or `table.dynamodbTable`. Both work. However, `[table.dynamodbTable, "grantReadData"]` works, but `[table, "grantReadData"]` doesn’t b/c the `grantReadData()` doesn’t exist on table.
As a side note, you can write what you have above like this:
```
const topic = new sst.Topic(this, "NotesEmailReminders", ...);
topic.snsTopic.addSubscription(
  new snsSubscriptions.EmailSubscription("jon...")
);
```
`topic.snsTopic` gives you the underlying SNS Topic.
j
Yes, that's right. Oh cool, thanks.
Ah, I was missing the .snsTopic part. Thanks.