I have a question regarding how to tweak `auth.ad...
# help
m
I have a question regarding how to tweak `auth.addPermissionsToAuthRole`. I assume this might have been asked before, but I cannot find a clear and definitive answer in the context of SST. Essentially, I have already deployed an Auth sst stack with Cognito User Pools and it's working fine for my ReactStaticApp. However, now I have a separate Infrastructure repository in which I created an Api sst stack, but I am struggling to use the same Cognito User pools already deployed for the React app. I have been trying to add IAM authentication (from the already existing User pool) to the Api SST stack by doing something very similar to a solution reported in a previous thread (adding a Policy to an IAM role). My solution gets deployed ok, but does not seem to work (I get HTTP 403 when using my existing Cognito User credentials). I assume this might not work without being able to refer to an instance of the original Auth stack? Does anyone have a suggestion for reusing an existing Auth/Cognito pools for an Api sst that is deployed in a separate repository? Thanks in advance.
f
Hey @max.suster, in the Auth stack, you can import the Api, something like this:
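```
// Import the already-deployed HTTP API by its ID (httpApiId) into the Auth stack
const api = new sst.Api(this, "Api", {
  httpApi: apigv2.HttpApi.fromHttpApiAttributes(this, "ImportedApi", { httpApiId }),
});
// Allow authenticated Cognito identities to invoke the imported API
auth.addPermissionsToAuthRole([api]);
```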
m
Thanks for the quick response! This makes sense and I will definitely try it. However, after adding your code to the Auth stack (already deployed), and following deployment (npx sst deploy) can the existing Cognito User Pools be reused or does one have to migrate Users from the existing Pool to a newly deployed pool?
f
Yeah, the above code should be added to the existing Auth stack.
And the new Api will re-use the existing Auth construct along with its user pool and identity pool.
m
Hi @Frank Thanks a lot. Your solution works like a charm. The only strange thing is that I get another problem at the moment which I have not experienced before.... I deleted the DynamoDB stack several times (npx sst remove) and could see the stack is gone in the CloudFormation AWS Console. However when I redeploy with some changes in the table fields, the stack is not updated - it uses the same fields as before. Do you have any ideas why this might happen? Thanks so much again.
I also manually deleted the Table in case you wonder.
Never mind, just found out why... Something I forgot to update in a handler function. Have a nice day!
f
Ah glad u figured it out!
m
Maybe I was a little too quick to claim success... The really frustrating trouble now is that I am getting the infamous `{message: 'Forbidden'}` Error 403 only when I attempt to call the API via the React app using Amplify Auth. In other words, I can successfully invoke all the API endpoints via `npx aws-gateway-cli-test` and create/get/update DynamoDB entries in my Orders table. Cognito authentication continues to work fine for the signup/signin in React. I realize there could be many reasons for this error, but I previously tested a simple API from the SST examples in my app, and this never happened. Do you have any pointers as to the likely reasons for getting Message Forbidden in this context? Thanks so much for your kind help.
f
If the Api works via `aws-gateway-cli-test`, that means the backend (Auth and Api) is hooked up correctly.
Most likely the issue lies somewhere in ur React config.
Maybe double check the config file in React where you are setting the Identity pool id and other constants, and see if the values match those you used for `aws-gateway-cli-test`.