Adrian Schweizer
10/29/2021, 12:51 PMthis.api.attachPermissions([table, identityPool]); // identityPool is authStack.auth.identityPoolId, which console.logs to "${Token[TOKEN.390]}"
Errors I get:
Checking deploy status...
dev-convento-signupApi | UPDATE_IN_PROGRESS | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65
dev-convento-signupApi | UPDATE_IN_PROGRESS | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C
dev-convento-signupApi | UPDATE_FAILED | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)
dev-convento-signupApi | UPDATE_FAILED | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65
dev-convento-signupApi | UPDATE_ROLLBACK_COMPLETE | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65
dev-convento-signupApi | UPDATE_ROLLBACK_COMPLETE | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C
dev-convento-signupApi | UPDATE_FAILED | AWS::CloudFormation::Stack | dev-convento-signupApi
❌ dev-convento-signupApi failed: Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)
Stack dev-convento-signupApi
Status: failed
Error: Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)
thdxr
10/29/2021, 12:59 PMAdrian Schweizer
10/29/2021, 1:04 PMcognitoCfnIdentityPool
property of Auth object?thdxr
10/29/2021, 1:05 PMthdxr
10/29/2021, 1:05 PMthdxr
10/29/2021, 1:06 PMAdrian Schweizer
10/29/2021, 1:07 PMAdrian Schweizer
10/29/2021, 1:08 PMError: The specified permissions are not supported.
at /home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/util/permission.ts:208:13
at Array.forEach (<anonymous>)
at attachPermissionsToRole (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/util/permission.ts:77:15)
at Function.attachPermissions (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Function.ts:375:30)
at /home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Api.ts:314:41
at Array.forEach (<anonymous>)
at Api.attachPermissions (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Api.ts:314:8)
at new SignupApiStack (/home/adsc/projects/convento/stacks/SignupApistack.js:28:16)
at Object.main (/home/adsc/projects/convento/stacks/index.js:19:27)
at Object.<anonymous> (/home/adsc/projects/convento/.build/run.js:93:16)
thdxr
10/29/2021, 1:08 PMAdrian Schweizer
10/29/2021, 1:08 PMAdrian Schweizer
10/29/2021, 1:08 PMAdrian Schweizer
10/29/2021, 1:23 PMAdrian Schweizer
10/29/2021, 1:23 PMthdxr
10/29/2021, 1:29 PMAdrian Schweizer
10/29/2021, 1:36 PMAdrian Schweizer
10/29/2021, 1:43 PMAdrian Schweizer
10/29/2021, 1:43 PMthdxr
10/29/2021, 1:44 PMthdxr
10/29/2021, 1:44 PMthdxr
10/29/2021, 1:44 PMAdrian Schweizer
10/29/2021, 1:48 PMAdrian Schweizer
10/29/2021, 1:48 PMAdrian Schweizer
10/29/2021, 1:49 PMAdrian Schweizer
10/29/2021, 1:50 PMthdxr
10/29/2021, 1:51 PMthdxr
10/29/2021, 1:51 PMthdxr
10/29/2021, 1:51 PMAdrian Schweizer
10/29/2021, 1:55 PMAdrian Schweizer
10/29/2021, 1:56 PMthdxr
10/29/2021, 1:56 PMthdxr
10/29/2021, 1:56 PMthdxr
10/29/2021, 1:57 PMAdrian Schweizer
10/29/2021, 1:57 PMAdrian Schweizer
10/29/2021, 1:58 PMAdrian Schweizer
10/29/2021, 1:58 PMAdrian Schweizer
10/29/2021, 1:58 PMthdxr
10/29/2021, 1:59 PMthdxr
10/29/2021, 1:59 PMAdrian Schweizer
10/29/2021, 2:01 PMthdxr
10/29/2021, 2:04 PMAdrian Schweizer
10/29/2021, 2:04 PMthdxr
10/29/2021, 2:04 PMthdxr
10/29/2021, 2:05 PMAdrian Schweizer
10/29/2021, 2:13 PM// Allow the API to access the table and identity pool
// Attaches the table and one hand-written IAM statement to the API; the
// statement is meant to cover the Cognito identity pool passed in as
// `identityPool`.
this.api.attachPermissions([
table,
new iam.PolicyStatement({
actions: [
// NOTE(review): service-wide wildcard. This allows every cognito-identity
// action on the resource below, not only the call the handlers make; prefer
// listing the exact action(s) once they are known.
"cognito-identity:*"
],
effect: iam.Effect.ALLOW,
resources: [
// NOTE(review): the literal ends in "identitypool/:" before the pool id is
// appended. The identity-pool ARN form is "...:identitypool/<pool-id>", so
// the extra ':' looks like a typo and the ARN presumably matches no pool.
// Confirm against the deployed policy.
"arn:aws:cognito-identity:eu-central-1:787845945917:identitypool/:" + identityPool,
],
}),
]);
Adrian Schweizer
10/29/2021, 2:13 PMthdxr
10/29/2021, 2:13 PMactions: ["*"]
thdxr
10/29/2021, 2:13 PMthdxr
10/29/2021, 2:14 PMAdrian Schweizer
10/29/2021, 2:16 PMimport * as sst from "@serverless-stack/resources";
import * as iam from "@aws-cdk/aws-iam";
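/**
 * Stack that exposes the signup HTTP API (registration and activation routes).
 *
 * Reads two values from `props`:
 *  - `table`: passed to the route handlers as TABLE_NAME (via `table.tableName`)
 *    and attached as a permission.
 *  - `identityPool`: the Cognito identity pool id, passed to the handlers as
 *    IDENTITY_POOL and used to scope the IAM statement below. It may be an
 *    unresolved CDK token at synth time, so it is only ever interpolated into
 *    strings and never inspected.
 */
export default class SignupApiStack extends sst.Stack {
  // Public reference to the API
  api;

  constructor(scope, id, props) {
    super(scope, id, props);

    const { table, identityPool } = props;

    // Create the API.
    // NOTE(review): both routes are deployed with no authorizer
    // (ApiAuthorizationType.NONE), which a signup flow needs, so the handlers
    // are reachable by anyone. Keep the permissions attached below as narrow
    // as possible and validate all request input inside the handlers.
    this.api = new sst.Api(this, "SignupApi", {
      defaultAuthorizationType: sst.ApiAuthorizationType.NONE,
      defaultFunctionProps: {
        environment: {
          TABLE_NAME: table.tableName,
          IDENTITY_POOL: identityPool,
        },
      },
      routes: {
        "POST /registrations": "src/registration/register.main",
        "POST /activations": "src/registration/activate.main",
      },
    });

    // Allow the API handlers to access the table and the identity pool.
    // Least privilege: grant only the single Cognito Identity action the
    // handlers call instead of the "*" wildcard, which on unauthenticated
    // endpoints would hand any handler bug the full action set.
    // Add further actions explicitly if a handler needs them.
    this.api.attachPermissions([
      table,
      new iam.PolicyStatement({
        actions: ["cognito-identity:GetOpenIdTokenForDeveloperIdentity"],
        effect: iam.Effect.ALLOW,
        resources: [
          // Identity-pool ARN form is "...:identitypool/<pool-id>". The earlier
          // concatenation had a stray ':' after "identitypool/", so the ARN
          // could not match the pool.
          // NOTE(review): confirm in the AWS Service Authorization Reference
          // that this action honours identity-pool resource scoping. If it
          // does not, fall back to resources ["*"] but keep the single action.
          `arn:aws:cognito-identity:eu-central-1:787845945917:identitypool/${identityPool}`,
        ],
      }),
    ]);

    // Show the API endpoint in the output
    this.addOutputs({
      ApiEndpoint: this.api.url,
    });
  }
}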
Adrian Schweizer
10/29/2021, 2:17 PMthdxr
10/29/2021, 2:19 PMthdxr
10/29/2021, 2:19 PMnew sst.Api(_, _, {
permissions: [...]
})
Adrian Schweizer
10/29/2021, 2:20 PMAdrian Schweizer
10/29/2021, 2:20 PMAdrian Schweizer
10/29/2021, 2:29 PMAdrian Schweizer
10/29/2021, 2:35 PMAdrian Schweizer
10/29/2021, 2:36 PMGetOpenIdTokenForDeveloperIdentity
callAdrian Schweizer
10/29/2021, 2:36 PMAdrian Schweizer
10/29/2021, 3:33 PMnew iam.PolicyStatement({
actions: [
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
],
effect: iam.Effect.ALLOW,
resources: [
"*",
],
})
Adrian Schweizer
10/29/2021, 3:38 PMGetOpenIdTokenForDeveloperIdentity
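action doesn't support resource definitions. Unfortunately, I haven't been able to find an exhaustive list of IAM policy actions and which resources they support. (Editor's note: the AWS Service Authorization Reference lists, per action, the resource types and condition keys it supports; check the Amazon Cognito Identity page there before settling on `resources: ["*"]`, which applies the statement to every identity pool in the account.)
Adrian Schweizer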
10/29/2021, 3:41 PMAdrian Schweizer
10/29/2021, 3:42 PM