Cognito Construct: Add grant* methods
As per https://github.com/aws/aws-cdk/issues/6765#issuecomment-607050027, the UserPool construct should have grant* methods on it to give other resources (eg. lambda functions) access to various API/SDK methods.
Use Case
I want to be able to easily give my lambda functions access to call AWS API/SDK methods against my UserPool.
Proposed Solution
References
CDK
- https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cognito.UserPool.html
- https://docs.aws.amazon.com/cdk/api/latest/docs/aws-iam-readme.html
- https://docs.aws.amazon.com/cdk/latest/guide/permissions.html
Cognito
Based on:
- https://awspolicygen.s3.amazonaws.com/policygen.html
The ARN should follow the following format:
arn:aws:cognito-idp:<region>:<account>:<resourceType>/<resourcePath>
eg.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1585721272022",
      "Action": [
        "cognito-idp:AdminDisableUser",
        "cognito-idp:AdminEnableUser",
        "cognito-idp:AdminGetUser"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}"
    }
  ]
}
```
Workaround:
```typescript
import { UserPool } from '@aws-cdk/aws-cognito'
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam'

// ..snip..

/**
 * Lookup authentication UserPool
 */
const userPool = UserPool.fromUserPoolId(this, 'UserPool', userPoolId)

// ..snip..

// fnHandler is the lambda.Function defined elsewhere in the stack (snipped above).
// The statement is scoped to this one user pool's ARN rather than to "*".
fnHandler.addToRolePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    actions: [
      'cognito-idp:AdminGetUser',
      'cognito-idp:AdminEnableUser',
      'cognito-idp:AdminDisableUser',
      // etc
    ],
    resources: [
      `arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}`,
    ],
  })
)
```
Other
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
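The policy and workaround above hardcode the `arn:aws:` prefix and a fixed action list. As an added example (not code from the issue, its author, or the CDK project), the block below models in dependency-free TypeScript what a UserPool grant* helper has to produce: it formats and parses the `userpool` ARN with the partition included (the workaround hardcodes `aws`, which is wrong in the `aws-cn` and `aws-us-gov` partitions), refuses wildcard or non-Cognito actions, and audits a finished policy document for Cognito statements that are not scoped to a single pool. `UserPoolRef`, `grantUserPool`, `grantAdminUserRead`, `grantAdminUserToggle`, `auditCognitoStatements`, `demo` and the sample account number and pool id are all invented for this example. For reference, the current aws-cdk-lib UserPool construct does expose a `grant(grantee, ...actions)` method that emits a statement of this shape using the pool's own ARN.

```typescript
// Added example; not code from the aws-cdk issue, the workaround above, or the
// CDK library. A dependency-free model of what a UserPool.grant*() helper must
// emit, so the statement can be built and checked without deploying a stack.
// UserPoolRef, grantUserPool, auditCognitoStatements, demo and samplePool are
// names invented for this example.

export interface UserPoolRef {
  partition: string; // 'aws', 'aws-cn' or 'aws-us-gov'; the workaround hardcodes 'aws'
  region: string;
  account: string;
  userPoolId: string;
}

export interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

export interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// arn:<partition>:cognito-idp:<region>:<account>:userpool/<pool-id>
export function userPoolArn(p: UserPoolRef): string {
  return `arn:${p.partition}:cognito-idp:${p.region}:${p.account}:userpool/${p.userPoolId}`;
}

// Matches exactly one user pool: no wildcard in any segment.
const USER_POOL_ARN_RE =
  /^arn:(aws|aws-cn|aws-us-gov):cognito-idp:([a-z0-9-]+):(\d{12}):userpool\/([A-Za-z0-9_-]+)$/;

// Inverse of userPoolArn; null for anything that is not a single pool ARN.
export function parseUserPoolArn(arn: string): UserPoolRef | null {
  const m = USER_POOL_ARN_RE.exec(arn);
  if (!m) return null;
  return { partition: m[1], region: m[2], account: m[3], userPoolId: m[4] };
}

// User pool API actions all live in the cognito-idp namespace. Wildcards are
// rejected so a grant cannot quietly widen to cognito-idp:*.
const ACTION_RE = /^cognito-idp:[A-Z][A-Za-z0-9]+$/;

// Equivalent of the workaround's PolicyStatement, scoped to one pool.
export function grantUserPool(pool: UserPoolRef, actions: string[]): PolicyStatement {
  if (actions.length === 0) throw new Error('grant needs at least one action');
  for (const a of actions) {
    if (!ACTION_RE.test(a)) throw new Error(`not a concrete cognito-idp action: ${a}`);
  }
  const unique = actions.filter((a, i) => actions.indexOf(a) === i).sort();
  return { Effect: 'Allow', Action: unique, Resource: [userPoolArn(pool)] };
}

// Named grants in the shape the issue asks for (names invented here).
export function grantAdminUserRead(pool: UserPoolRef): PolicyStatement {
  return grantUserPool(pool, ['cognito-idp:AdminGetUser', 'cognito-idp:ListUsers']);
}
export function grantAdminUserToggle(pool: UserPoolRef): PolicyStatement {
  return grantUserPool(pool, ['cognito-idp:AdminEnableUser', 'cognito-idp:AdminDisableUser']);
}

// Review check for a finished role policy: every Allow statement carrying a
// cognito-idp action must name specific user pools, never '*' or a partial ARN.
export function auditCognitoStatements(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;
    const cognito = s.Action.filter((a) => a.indexOf('cognito-idp:') === 0);
    if (cognito.length === 0) return;
    cognito.filter((a) => a.indexOf('*') >= 0)
      .forEach((a) => findings.push(`statement ${i}: wildcard action ${a}`));
    s.Resource.filter((r) => parseUserPoolArn(r) === null)
      .forEach((r) => findings.push(`statement ${i}: resource is not a single user pool ARN: ${r}`));
  });
  return findings;
}

// Constructed sample; the account number and pool id are placeholders.
export const samplePool: UserPoolRef = {
  partition: 'aws', region: 'us-east-1', account: '123456789012', userPoolId: 'us-east-1_EXAMPLE',
};

// Demo: a least-privilege document audits clean; an unscoped one yields a finding.
export function demo(): string[] {
  const good: PolicyDocument = { Version: '2012-10-17', Statement: [grantAdminUserToggle(samplePool)] };
  const bad: PolicyDocument = {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['cognito-idp:AdminGetUser'], Resource: ['*'] }],
  };
  return auditCognitoStatements(good).concat(auditCognitoStatements(bad));
}
```

`auditCognitoStatements` is meant to run over the policy documents in a synthesized template, so a `Resource: "*"` that slips into a Lambda role is caught in CI rather than after deployment; the same check rejects the `arn:aws:` hardcoding if the stack is ever synthesized for another partition.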
Issue Analytics
- State:
- Created 3 years ago
- Reactions:31
- Comments:8 (3 by maintainers)
Top Results From Across the Web
- aws-cdk/aws-cognito module - AWS Documentation: "Use the grant() method to add an IAM policy statement associated with the user pool to an IAM principal's policy."
Top GitHub Comments
Thanks for the workaround @0xdevalias, this was an incredibly frustrating issue to try and work through. After 2 years, could this maybe get actioned?

Why has this feature not been added yet 😕 Even after paying people to write code, it seems like a lot of work.
Now I will have to create a new IAM policy and pass it to lambda so that it can access my user pool.
It's really sad @aws that these important features are not getting added even after years.