can anyone help explain permissions in SST/CDK?
``...
# generals
Sam Hulick
08/02/2021, 10:35 PMcan anyone help explain permissions in SST/CDK?
Copy code
import * as dynamodb from "@aws-cdk/aws-dynamodb";
const sns = new sns.Topic(this, "Topic");
const table = new dynamodb.Table(this, "Table");
fun.attachPermissions([
[topic, "grantPublish"],
[table, "grantReadData"],
]);grantPublisht
thdxr
08/02/2021, 10:37 PMI believe those just reference functions that are on the base construct
thdxr
08/02/2021, 10:37 PMIf you explore topic.grant* you'll see what's available. We can probably do some typescript magic to make this more discoverable
s
Sam Hulick
08/02/2021, 10:40 PMI’m trying to figure out how to set up custom email senders in Cognito (which trigger Lambda funcs).
the AWS docs say I have to grant Cognito service principal access to invoke the Lambda func, using this command:
aws lambda add-permission --function-name lambda_arn --statement-id "CognitoLambdaInvokeAccess" --action lambda:InvokeFunction --principal <http://cognito-idp.amazonaws.com|cognito-idp.amazonaws.com>Sam Hulick
08/02/2021, 10:40 PMhow would I do that in SST?
Sam Hulick
08/02/2021, 10:42 PM Copy code
auth.attachPermissionsForTriggers([
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
principals: [new iam.ServicePrincipal('<http://cognito-idp.amazonaws.com|cognito-idp.amazonaws.com>')],
actions: ['lambda:InvokeFunction'],
}),
]);Sam Hulick
08/02/2021, 10:43 PM🤔 this looks correct.. I think. just missing the resource
t
thdxr
08/02/2021, 11:11 PMcan you try this
thdxr
08/02/2021, 11:11 PM Copy code
function.grantInvoke(new iam.ServicePrincipal("<http://cognito-idp.amazonaws.com|cognito-idp.amazonaws.com>"))thdxr
08/02/2021, 11:12 PMUnfortunately not super familiar with this flow
s
Sam Hulick
08/03/2021, 12:59 AM@thdxr nice, thanks! much more terse. I’ll see how that works out once this stack is more fully fleshed out and it actually does something 😄
3 Views