I'm going through the identity pool section of the ...
# help
m
I'm going through the identity pool section of the walkthrough and trying to grant the identity pool authenticated role permissions to talk to API Gateway: https://serverless-stack.com/chapters/configure-cognito-identity-pool-in-cdk.html
Previously in serverless.yaml I had:
```yaml
- Effect: 'Allow'
  Action:
    - 'execute-api:Invoke'
  Resource:
    Fn::Join:
      - ''
      - - 'arn:aws:execute-api:'
        - Ref: AWS::Region
        - ':'
        - Ref: AWS::AccountId
        - ':'
        - Ref: ApiGatewayRestApi
        - '/*'
```
What would be the equivalent in CDK given I have a `api = new sst.Api`?
```js
this.role.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['execute-api:Invoke'],
    resources: [api.httpApi.???],
  }),
)
```
f
```js
// Builds the execute-api ARN for this stack's region and account: <httpApiId>/*
const resourceArn = Stack.of(this).formatArn({
  service: "execute-api",
  resourceName: `*`,
  resource: api.httpApi.httpApiId,
});
```
and then
```js
resources: [resourceArn],
```
Alternatively, if you are using `sst.Auth` to create the Identity Pool, you can just do:
```js
// sst.Auth is a construct class, so it must be instantiated with `new`
const auth = new sst.Auth(...);
auth.attachPermissionsForAuthUsers([api]);
```
The guide is a bit outdated, @Jay is going to update them to use new SST constructs.