https://serverless-stack.com/ logo
#help
Title
# help
a

Adrian Schweizer

10/29/2021, 12:51 PM
Does anyone know how to allow an api stack to access cognito identity pool created in an auth stack? I tried like this, but I get error messages I don't understand:
Copy code
this.api.attachPermissions([table, identityPool]); // identityPool is authStack.auth.identityPoolId, which console.logs to "${Token[TOKEN.390]}"
Errors I get:
Copy code
Checking deploy status...
dev-convento-signupApi | UPDATE_IN_PROGRESS | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65 
dev-convento-signupApi | UPDATE_IN_PROGRESS | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C 
dev-convento-signupApi | UPDATE_FAILED | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)
dev-convento-signupApi | UPDATE_FAILED | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65 
dev-convento-signupApi | UPDATE_ROLLBACK_COMPLETE | AWS::IAM::Policy | SignupApiLambdaPOSTactivationsServiceRoleDefaultPolicyDE00BD65 
dev-convento-signupApi | UPDATE_ROLLBACK_COMPLETE | AWS::IAM::Policy | SignupApiLambdaPOSTregistrationsServiceRoleDefaultPolicy9B80B04C 
dev-convento-signupApi | UPDATE_FAILED | AWS::CloudFormation::Stack | dev-convento-signupApi 

 ❌  dev-convento-signupApi failed: Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)

Stack dev-convento-signupApi
  Status: failed
  Error: Actions/Condition can contain only one colon. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 64ca5b25-90b4-4fc7-b981-cb619b3bbcd9; Proxy: null)
t

thdxr

10/29/2021, 12:59 PM
Can you pass the pool itself instead of the id
a

Adrian Schweizer

10/29/2021, 1:04 PM
You mean the
cognitoCfnIdentityPool
property of Auth object?
t

thdxr

10/29/2021, 1:05 PM
Are you using the sst Auth construct?
These are the ways we support permissions, passing an arn isn't something we support
a

Adrian Schweizer

10/29/2021, 1:07 PM
hmmm
well, passing the cognitoCfnIdentityPool property didn't work:
Copy code
Error: The specified permissions are not supported.
    at /home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/util/permission.ts:208:13
    at Array.forEach (<anonymous>)
    at attachPermissionsToRole (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/util/permission.ts:77:15)
    at Function.attachPermissions (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Function.ts:375:30)
    at /home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Api.ts:314:41
    at Array.forEach (<anonymous>)
    at Api.attachPermissions (/home/adsc/projects/convento/node_modules/@serverless-stack/resources/src/Api.ts:314:8)
    at new SignupApiStack (/home/adsc/projects/convento/stacks/SignupApistack.js:28:16)
    at Object.main (/home/adsc/projects/convento/stacks/index.js:19:27)
    at Object.<anonymous> (/home/adsc/projects/convento/.build/run.js:93:16)
t

thdxr

10/29/2021, 1:08 PM
It sounds like you need to attach an IAM policy
a

Adrian Schweizer

10/29/2021, 1:08 PM
yeah, I just thought about that
gonna give it a try, thx
any idea what to put into actions?
just *?
t

thdxr

10/29/2021, 1:29 PM
Depends what exactly you want to give access to but * works
a

Adrian Schweizer

10/29/2021, 1:36 PM
lol i just had to google over 20 pages to even find the service id of cognito-identity
can you see a way to get the arn to use in the resources list from the Auth sst object, or do I have to build it myself?
i think I could probably just prefix the pool id with "arnawscognito-identity:" + REGION or something
t

thdxr

10/29/2021, 1:44 PM
You're looking for the identity pool arn? Or the userPool arn?
I'm not sure about the identity pool arn
Might need to build it yourself
a

Adrian Schweizer

10/29/2021, 1:48 PM
i don't have a user pool
i'm trying to make my own auth and federate it with identity pool
yeah, I constructed the arn myself and it deployed, let's see if the policy works
it seems I'm quite alone in rolling my own auth...is everyone using cognito user pools? they didn't appeal to me much, to be honest
t

thdxr

10/29/2021, 1:51 PM
I've been using cognito user pools and I don't recommend it lol. It's a terrible service and I don't think it's actually saving me any work
And does not deal with with even slightly different flows
Can you tell me more about how you're using identity pools in conjunction with your own auth? Is it for SAML?
a

Adrian Schweizer

10/29/2021, 1:55 PM
nah, it's just very primitive, and I'm not even sure if it's going to work. Just a register form, then send my own activation mail with a link, then in that route call a lambda that activates the user and creates a cognito identity pool id for it, then in the client request a token for that id from cognito identity pool
i pieced various sources together, and so far i think it SHOULD work, but documentation is very sparse
t

thdxr

10/29/2021, 1:56 PM
ah got it
I hate it 🙂
My wishes are 1. Make cloudformation faster 2. Delete cognito and start over
a

Adrian Schweizer

10/29/2021, 1:57 PM
haha
i'll post my setup once it works
unfortunately the ARN i constructed didn't work
I'm just copying the one from the error message for now, but will probably later need a way to get cognito identity pool arn from sst somehow
t

thdxr

10/29/2021, 1:59 PM
I'm not super familiar with identity pools so not sure how much I can help but can you check in the console what the arn is?
in aws console
a

Adrian Schweizer

10/29/2021, 2:01 PM
yeah, I can probably get the correct arn for now, but I'd like it to be retrieved from sst, because if I change region or something it won't be updated otherwise
t

thdxr

10/29/2021, 2:04 PM
Yeah I meant can you look it up and see what it is and then that might help you figure out how to construct it
a

Adrian Schweizer

10/29/2021, 2:04 PM
unfortunately, i still get the access denied error even with correct arn...gonna check in iam console what it actually created
t

thdxr

10/29/2021, 2:04 PM
it's probably possible to get it from the cfn resource but I don't know off the top of my head
can you share the policy you defined?
a

Adrian Schweizer

10/29/2021, 2:13 PM
Copy code
// Allow the API to access the table and identity pool
      this.api.attachPermissions([
         table,
         new iam.PolicyStatement({
            actions: [
               "cognito-identity:*"
            ],
            effect: iam.Effect.ALLOW,
            resources: [
               "arn:aws:cognito-identity:eu-central-1:787845945917:identitypool/:" + identityPool,
            ],
         }),
      ]);
i can't even find this policy anywhere in IAM console
t

thdxr

10/29/2021, 2:13 PM
did you try
actions: ["*"]
Oh wait I just realized you're attaching the permissions to the api and not a function
can I see how you're defining the api?
a

Adrian Schweizer

10/29/2021, 2:16 PM
Copy code
import * as sst from "@serverless-stack/resources";
import * as iam from "@aws-cdk/aws-iam";

export default class SignupApiStack extends sst.Stack {
   // Public reference to the API
   api;

   constructor(scope, id, props) {
      super(scope, id, props);

      const { table, identityPool } = props;

      // Create the API
      this.api = new sst.Api(this, "SignupApi", {
         defaultAuthorizationType: sst.ApiAuthorizationType.NONE,
         defaultFunctionProps: {
            environment: {
               TABLE_NAME: table.tableName,
               IDENTITY_POOL: identityPool,
            },
         },
         routes: {
            "POST   /registrations": "src/registration/register.main",
            "POST   /activations": "src/registration/activate.main",
         },
      });

      // Allow the API to access the table and identity pool
      this.api.attachPermissions([
         table,
         new iam.PolicyStatement({
            actions: [
               "*"
            ],
            effect: iam.Effect.ALLOW,
            resources: [
               "arn:aws:cognito-identity:eu-central-1:787845945917:identitypool/:" + identityPool,
            ],
         }),
      ]);

      // Show the API endpoint in the output
      this.addOutputs({
         ApiEndpoint: this.api.url,
      });
   }
}
same behaviour with just a * in access
t

thdxr

10/29/2021, 2:19 PM
Can you try specifying the permissions inline with the api creation
Copy code
new sst.Api(_, _, {
  permissions: [...]
})
a

Adrian Schweizer

10/29/2021, 2:20 PM
ok
the thing is...I have now found the policy in IAM console, and it seems correct...
hmmm, the policy is there, but it probably doesn't grant all actions. Maybe you have to grant some functions explicitely, and they aren't covered by the *
i am pretty sure that the code works in principle, because I'm seeing the cognito policy only in the signup api roles and not in the other api roles
probably need amazon support to find out why this policy doesn't allow to call the
GetOpenIdTokenForDeveloperIdentity
call
anyway, thx for your help so far, gonna update here if I get it to work
it works with this policy statement:
Copy code
new iam.PolicyStatement({
            actions: [
               "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
            ],
            effect: iam.Effect.ALLOW,
            resources: [
               "*",
            ],
         })
so it's either that I still got the resource wrong (although I copied it from the error message) or it's that
GetOpenIdTokenForDeveloperIdentity
action doesn't support resource definitions. Unfortunately, I haven't been able to find an exhaustive list of iam policy actions and which resources they support
anyway, about the complete workflow, here is an older article that has a nice diagram, which shows what I'm currently trying to achieve: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-using-developer-authenticated-identities-an-end-to-end-example/
it isn't that complicated, I'm just struggling with the environment
2 Views