# typescript
a
Hi guys, I’m trying to set a policy for a lambda to run post user confirmation in Cognito, and I want to give it permissions to just be able to PUT in a usersTable, but I get this error. My code:
const confirmUserIamRolePolicy = new aws.iam.Policy(
  'confirm-user-signup-role-policy',
  {
    policy: JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: [DBAction.Put],
          Resource: usersTable.arn.apply((arn) => `${arn}`),
        },
      ],
    }),
  }
)

export const confirmUserIamRole = new aws.iam.Role('confirm-user-signup-role', {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: 'lambda.amazonaws.com',
  }),
  managedPolicyArns: [confirmUserIamRolePolicy.arn],
})

const confirmUserIamRolePolicyAttachment = new aws.iam.PolicyAttachment(
  'confirm-user-signup-role-policy-attachment',
  {
    policyArn: confirmUserIamRolePolicy.arn,
    roles: [confirmUserIamRole],
  }
)

export const postConfirmationLambda = new aws.lambda.CallbackFunction(
  'post-confirmation-signup-lambda',
  {
    runtime: 'nodejs14.x',
    callback: confirmUserSignupHandler,
    role: confirmUserIamRole,
    environment: {
      variables: {
        USERS_TABLE: usersTable.name,
        REGION: region,
      },
    },
  }
)
In the docs, I only see examples of
Resource: '*'
but I don’t want that. And I think the arn is not resolved at the time of execution for the Policy. Is this correct?
m
Your Output isn't applied, which results in a malformed JSON document.
What is Action: [DBAction.Put]?
I think you have to apply confirmUserIamRolePolicy's arn.
Also, you might use interpolate instead.
pulumi.interpolate`${usersTable.arn}`,
fwiw, here's an example of something similar I have:
new aws.iam.RolePolicyAttachment(
  `${appName}-lambda-role-attachment`,
  {
    role: applicationRole,
    policyArn: new aws.iam.Policy(`${appName}-lambda-policy`, {
      // Passing the policy as an object (not a JSON string) lets Pulumi
      // resolve the Output values inside it before serializing.
      policy: {
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "DynamoDBCrud",
            Effect: "Allow",
            Action: [
              "dynamodb:GetItem",
              "dynamodb:DeleteItem",
              "dynamodb:PutItem",
              "dynamodb:Scan",
              "dynamodb:Query",
              "dynamodb:UpdateItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:BatchGetItem",
              "dynamodb:DescribeTable",
              "dynamodb:ConditionCheckItem",
            ],
            // Scope the statement to the table and its indexes, not "*".
            Resource: [
              pulumi.interpolate`${eventTransactionsDdbTableArn}`,
              pulumi.interpolate`${eventTransactionsDdbTableArn}/index/*`,
            ],
          },
        ],
      },
    }).arn,
  }
)
a
Perfect! Thank you very much!