Cognito Construct: Add grant* methods


As per https://github.com/aws/aws-cdk/issues/6765#issuecomment-607050027, the UserPool construct should have grant* methods on it to give other resources (e.g. Lambda functions) access to various API/SDK methods.

Use Case

I want to be able to easily give my Lambda functions access to call AWS API/SDK methods against my UserPool.

Proposed Solution

References

CDK

Cognito

Based on:

e.g.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1585721272022",
      "Action": [
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminGetUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}"
    }
  ]
}

Workaround:

import { UserPool } from '@aws-cdk/aws-cognito'
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam'

// ..snip..

    /**
     * Lookup authentication UserPool
     */
    const userPool = UserPool.fromUserPoolId(this, 'UserPool', userPoolId)

// ..snip..

    // fnHandler is the lambda.Function that needs to call the Cognito admin APIs.
    // The statement is scoped to the single user pool ARN, not to all pools.
    fnHandler.addToRolePolicy(
      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
          'cognito-idp:AdminGetUser',
          'cognito-idp:AdminEnableUser',
          'cognito-idp:AdminDisableUser',
          // etc
        ],
        resources: [
          `arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}`,
        ],
      })
    )
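The example policy document and the workaround above both hand-write the same statement: a fixed list of `cognito-idp:*` admin actions on one user pool ARN. The following is an added example, not code from the aws-cdk project or from the issue, showing what a `grant*`-style helper could look like when reduced to the plain IAM statement it would synthesize, plus an audit function that flags statements which drift from that scope (wildcard actions, `Resource: "*"`, or a `userpool/*` ARN). `UserPoolRef`, `grantUserPoolActions`, `grantAdminUserManagement` and `auditStatement` are hypothetical names chosen for this example; the region, account and pool id are constructed sample values.

```typescript
// Added example, not code from the aws-cdk project or from the issue.
// Builds the cognito-idp IAM statement the workaround writes by hand and
// audits an arbitrary statement for over-broad scope.

export interface UserPoolRef {
  region: string;
  account: string;
  userPoolId: string;
}

export interface AllowStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string;
}

// cognito-idp actions are CamelCase API names; this pattern also rejects
// "*" and "cognito-idp:*", which would grant every API on the service.
const COGNITO_ACTION = /^cognito-idp:[A-Za-z0-9]+$/;

// Same ARN shape as the policy document in the issue.
export function userPoolArn(ref: UserPoolRef): string {
  return `arn:aws:cognito-idp:${ref.region}:${ref.account}:userpool/${ref.userPoolId}`;
}

// Hypothetical grant helper: one Allow statement, scoped to exactly one pool.
export function grantUserPoolActions(ref: UserPoolRef, actions: string[]): AllowStatement {
  if (actions.length === 0) {
    throw new Error('at least one cognito-idp action is required');
  }
  for (const action of actions) {
    if (!COGNITO_ACTION.test(action)) {
      throw new Error(`refusing action outside cognito-idp or containing a wildcard: ${action}`);
    }
  }
  // Deduplicate and sort so the synthesized template is stable across deploys.
  return {
    Effect: 'Allow',
    Action: Array.from(new Set(actions)).sort(),
    Resource: userPoolArn(ref),
  };
}

// Hypothetical bundle mirroring the three admin actions used in the workaround.
export function grantAdminUserManagement(ref: UserPoolRef): AllowStatement {
  return grantUserPoolActions(ref, [
    'cognito-idp:AdminGetUser',
    'cognito-idp:AdminEnableUser',
    'cognito-idp:AdminDisableUser',
  ]);
}

// Audit an existing statement (as parsed from a policy document). Returns a
// list of findings; an empty list means the statement names specific
// cognito-idp actions on specific user pools.
export function auditStatement(stmt: {
  Effect?: string;
  Action?: string | string[];
  Resource?: string | string[];
}): string[] {
  const findings: string[] = [];
  if (stmt.Effect !== 'Allow') return findings; // Deny statements do not widen access
  const actions = Array.isArray(stmt.Action) ? stmt.Action : stmt.Action ? [stmt.Action] : [];
  const resources = Array.isArray(stmt.Resource) ? stmt.Resource : stmt.Resource ? [stmt.Resource] : [];
  for (const a of actions) {
    if (!COGNITO_ACTION.test(a)) findings.push(`action is wildcarded or not cognito-idp: ${a}`);
  }
  for (const r of resources) {
    if (r === '*' || r.endsWith('/*') || !r.includes(':userpool/')) {
      findings.push(`resource is not a single user pool: ${r}`);
    }
  }
  if (resources.length === 0) findings.push('statement has no Resource');
  return findings;
}

// Constructed sample input; real values come from the stack at synth time.
const sampleRef: UserPoolRef = { region: 'us-east-1', account: '123456789012', userPoolId: 'us-east-1_EXAMPLE' };
console.log(JSON.stringify(grantAdminUserManagement(sampleRef), null, 2));
console.log(auditStatement({ Effect: 'Allow', Action: 'cognito-idp:*', Resource: '*' }));
```

The audit function is the part worth keeping around regardless of whether the CDK ever ships `grant*` methods: run it over the synthesized template's `AWS::IAM::Policy` statements in a unit test so a future edit that swaps the pool ARN for `*` fails CI instead of reaching the account.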

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 31
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

4 reactions
AndrewG-wf commented, May 25, 2022

Thanks for the workaround @0xdevalias, this was an incredibly frustrating issue to try and work through. After 2 years could this maybe get actioned?

0 reactions
ShivamJoker commented, Apr 8, 2022

Why has this feature not been added yet 😕 Even after paying people to write code, it seems like a lot of work.

Now I will have to create a new IAM policy and pass it to lambda so that it can access my user pool.

It's really sad @aws that these important features are not getting added even after years.
