Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
a
abundant-hair-53100
09/13/2022, 7:22 AMHei guys, I’m trying to set a policy for a lambda to run post user confirmation in cognito and I want to give it permissions to just be able to PUT in a usersTable but I get this error
My code:
const confirmUserIamRolePolicy = new aws.iam.Policy(
'confirm-user-signup-role-policy',
{
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: [DBAction.Put],
Resource: usersTable.arn.apply((arn) => `${arn}`),
},
],
}),
}
)
export const confirmUserIamRole = new aws.iam.Role('confirm-user-signup-role', {
assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
Service: '<http://lambda.amazonaws.com|lambda.amazonaws.com>',
}),
managedPolicyArns: [confirmUserIamRolePolicy.arn],
})
const confirmUserIamRolePolicyAttachment = new aws.iam.PolicyAttachment(
'confirm-user-signup-role-policy-attachment',
{
policyArn: confirmUserIamRolePolicy.arn,
roles: [confirmUserIamRole],
}
)
export const postConfirmationLambda = new aws.lambda.CallbackFunction(
'post-confirmation-signup-lambda',
{
runtime: 'nodejs14.x',
callback: confirmUserSignupHandler,
role: confirmUserIamRole,
environment: {
variables: {
USERS_TABLE: usersTable.name,
REGION: region,
},
},
}
)In the docs, I only see examples of
Resource: '*'m
millions-furniture-75402
09/13/2022, 12:52 PMYour output isn't applied which results in a malformed JSON document
what is
Action: [DBAction.Put]I think you have to apply
confirmUserIamRolePolicyAlso, you might using interpolate instead.
pulumi.interpolate`${usersTable.arn}`,fwiw, here's an example of something similar I have:
new aws.iam.RolePolicyAttachment(
`${appName}-lambda-role-attachment`,
{
role: applicationRole,
policyArn: new aws.iam.Policy(`${appName}-lambda-policy`, {
policy: {
Version: "2012-10-17",
Statement: [
{
Sid: "DynamoDBCrud",
Effect: "Allow",
Action: [
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ConditionCheckItem",
],
Resource: [
pulumi.interpolate`${eventTransactionsDdbTableArn}`,
pulumi.interpolate`${eventTransactionsDdbTableArn}/index/*`,
]🙌 1
a
abundant-hair-53100
09/13/2022, 2:52 PMPerfect! Thank you very much!