# help
s
Would it be possible to allow modifying the authenticated role assumed by federated identities in the Auth construct? Currently it is readonly and set by a private method
t
which field are you referencing?
public readonly iamAuthRole: iam.Role;
public readonly iamUnauthRole: iam.Role;
These?
s
Yup
t
So you would like to pass these values in as props to the construct?
s
Need to change this:
private createAuthRole(identityPool: cognito.CfnIdentityPool): iam.Role {
  const role = new iam.Role(this, "IdentityPoolAuthRole", {
    assumedBy: new iam.FederatedPrincipal(
      "cognito-identity.amazonaws.com",
      {
        StringEquals: {
          "cognito-identity.amazonaws.com:aud": identityPool.ref,
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated",
        },
      },
      "sts:AssumeRoleWithWebIdentity" // <--- This trust policy needs to be "sts:AssumeRoleWithWebIdentity, sts:TagSession"
    ),
  });
  return role;
}
Yeah
Having an escape hatch would be good, could pass in the entire role. It is possible currently to add policies to these roles, but specifically I need to modify the trust relationship of the assumedBy to allow an additional action
t
I'm not super familiar with this functionality so can you suggest how you think it makes sense to extend the AuthProps to support this (I basically don't know what the options should be named)
I'll create an issue and implement this
s
Yeah, cool, let me think about this
Going to need to upstream this one to the aws cdk as well
Necro-posting on this one, but would still love to be able to extend the role; issue opened: https://github.com/serverless-stack/serverless-stack/issues/1034