
Can't grant ListUsers permission to Lambda #1375

Closed
FBS-Alex opened this issue Apr 25, 2024 · 5 comments
Labels
feature-request New feature or request function Issue pertaining to Amplify Function

Comments

@FBS-Alex

Environment information

System:
  OS: Windows 11 10.0.22631
  CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1260P
  Memory: 10.24 GB / 31.75 GB
Binaries:
  Node: 21.6.2 - C:\Program Files\nodejs\node.EXE
  Yarn: 4.1.1 - C:\Program Files\nodejs\yarn.CMD
  npm: 10.5.0 - C:\Program Files\nodejs\npm.CMD
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/backend: 0.13.2
  @aws-amplify/backend-cli: 0.13.0
  aws-amplify: 6.0.30
  aws-cdk: 2.138.0
  aws-cdk-lib: 2.138.0
  typescript: 5.4.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                                                                                                                      !!
!!  This software has not been tested with node v21.6.2.                                                                !!
!!  Should you encounter odd runtime issues, please try using one of the supported release before filing a bug report.  !!
!!                                                                                                                      !!
!!  This software is currently running on node v21.6.2.                                                                 !!
!!  As of the current release of this software, supported node releases are:                                            !!
!!  - ^20.0.0 (Planned end-of-life: 2026-04-30)                                                                         !!
!!  - ^18.0.0 (Planned end-of-life: 2025-04-30)                                                                         !!
!!                                                                                                                      !!
!!  This warning can be silenced by setting the JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION environment variable.        !!
!!                                                                                                                      !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
AWS environment variables:
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
  AWS_STS_REGIONAL_ENDPOINTS = regional
No CDK environment variables

Description

I'm trying to create an AdminQueries Rest API, but I can't grant the ListUsers permission to the Lambda function.
Basically trying to do something like in this example
But since the cognito-idp:ListUsers permission is not mapped to any action it doesn't work. The example uses the manageUsers action but it doesn't contain this permission so the example itself doesn't work either.

@FBS-Alex FBS-Alex added the pending-triage Incoming issues that need categorization label Apr 25, 2024
@ykethan
Member

ykethan commented Apr 25, 2024

Hey @FBS-Alex, thank you for reaching out. Marking this as feature request to provide ListUsers permissions.

but you can add the permissions using an override on the backend:

```ts
import { defineBackend } from '@aws-amplify/backend';
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
// resource definitions from your own backend (paths assumed)
import { auth } from './auth/resource';
import { data } from './data/resource';
import { demoFunction } from './functions/demo-function/resource';

const backend = defineBackend({
  auth,
  data,
  demoFunction,
});

// <your-policy-statement> is a PolicyStatement listing only the cognito-idp
// actions the function needs, with resources scoped to the user pool ARN
backend.demoFunction.resources.lambda.addToRolePolicy(<your-policy-statement>);
```

@ykethan ykethan added feature-request New feature or request function Issue pertaining to Amplify Function and removed pending-triage Incoming issues that need categorization labels Apr 25, 2024
@FBS-Alex
Author

Thank you for the reply @ykethan
I already tried that but it's giving me a circular dependency error:
Error [ValidationError]: Circular dependency between resources: [auth179371D7, data7552DF31, apigatewaystackE9277FBE, function1351588B]

For reference, my backend.ts:

```ts
import {defineBackend} from '@aws-amplify/backend';
import {auth} from './auth/resource';
import {data} from './data/resource';
import {adminActions} from "./functions/admin-actions/resource";
import {AuthorizationType, CognitoUserPoolsAuthorizer, Cors, LambdaRestApi} from "aws-cdk-lib/aws-apigateway";
import {Duration, Stack} from "aws-cdk-lib";
import {PolicyStatement} from "aws-cdk-lib/aws-iam";

const backend = defineBackend({
    auth,
    data,
    adminActions
});

// grant the function read access to the user pool, scoped to this pool's ARN only
backend.adminActions.resources.lambda.addToRolePolicy(new PolicyStatement({
    actions: ['cognito-idp:ListUsers', 'cognito-idp:ListUsersInGroup'],
    resources: [backend.auth.resources.userPool.userPoolArn],
}));

const apiGatewayStack = backend.createStack("apigateway-stack");

// callers must present a valid token issued by the Amplify user pool
const authorizer = new CognitoUserPoolsAuthorizer(apiGatewayStack, 'AdminActionsAuthorizer', {
    cognitoUserPools: [backend.auth.resources.userPool]
});

// create a REST API resource
const adminActionsAPI = new LambdaRestApi(apiGatewayStack, "AdminActions", {
    handler: backend.adminActions.resources.lambda,
    defaultCorsPreflightOptions: {
        allowOrigins: Cors.ALL_ORIGINS,
        allowMethods: Cors.ALL_METHODS,
        allowHeaders: Cors.DEFAULT_HEADERS,
        maxAge: Duration.minutes(5),
    },
    defaultMethodOptions: {
        authorizationType: AuthorizationType.COGNITO,
        authorizer
    }
});

// patch the custom REST API resource to the expected output configuration
backend.addOutput({
    custom: {
        apiId: adminActionsAPI.restApiId,
        apiEndpoint: adminActionsAPI.url,
        apiName: adminActionsAPI.restApiName,
        apiRegion: Stack.of(apiGatewayStack).region,
    },
});
```
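A caveat on the API defined in the comment above: `CognitoUserPoolsAuthorizer` with `AuthorizationType.COGNITO` only verifies that the caller holds a valid, unexpired token from that user pool. Every signed-in user of the app passes it, so an "admin actions" endpoint also needs a group check inside the function. The following is an added example, not code from the issue author or from Amplify: a handler that reads the `cognito:groups` claim from the API Gateway REST proxy event, rejects callers outside an assumed `ADMINS` group before doing anything else, and only then calls ListUsers. The ListUsers call is injected as a function so the file runs offline against a constructed fake; the event shape, group name and `/users` route are assumptions.

```typescript
// Added example (not from the issue or Amplify): group check in the Lambda behind
// the Cognito authorizer. The authorizer proves a valid token for the pool only;
// admin group membership has to be enforced here.

const ADMIN_GROUP = "ADMINS"; // assumed group name

// Minimal shape of the API Gateway REST proxy event fields used below.
interface ProxyEvent {
  httpMethod: string;
  path: string;
  queryStringParameters?: Record<string, string> | null;
  requestContext: { authorizer?: { claims?: Record<string, unknown> } };
}

interface ProxyResult { statusCode: number; body: string }

interface CognitoUser { Username: string; Enabled: boolean }

// ListUsers is injected so the handler is testable without AWS credentials.
type ListUsersFn = (limit: number) => Promise<CognitoUser[]>;

// cognito:groups reaches the handler in different serializations depending on the
// integration: a real array, a comma-separated string, or a "[a b]" style string.
function parseGroups(claim: unknown): string[] {
  if (Array.isArray(claim)) return claim.map(String);
  if (typeof claim !== "string") return [];
  return claim
    .replace(/^\[|\]$/g, "")
    .split(/[,\s]+/)
    .map((g) => g.trim())
    .filter((g) => g.length > 0);
}

function callerIsAdmin(event: ProxyEvent): boolean {
  const claims = event.requestContext.authorizer?.claims;
  if (!claims) return false; // no authorizer context: never trust the request
  return parseGroups(claims["cognito:groups"]).includes(ADMIN_GROUP);
}

async function handler(event: ProxyEvent, listUsers: ListUsersFn): Promise<ProxyResult> {
  if (!callerIsAdmin(event)) {
    return { statusCode: 403, body: JSON.stringify({ message: "admin group required" }) };
  }
  if (event.httpMethod !== "GET" || event.path !== "/users") {
    return { statusCode: 404, body: JSON.stringify({ message: "not found" }) };
  }
  // Bound the page size so a caller cannot drive oversized ListUsers calls.
  const requested = Number(event.queryStringParameters?.limit ?? 25);
  const limit = Number.isInteger(requested) ? Math.min(Math.max(requested, 1), 60) : 25;
  const users = await listUsers(limit);
  return { statusCode: 200, body: JSON.stringify({ users }) };
}

// Constructed fake ListUsers and sample events for running offline.
const fakeListUsers: ListUsersFn = async (limit) =>
  [{ Username: "alice", Enabled: true }, { Username: "bob", Enabled: false }].slice(0, limit);

function sampleEvent(groups: unknown): ProxyEvent {
  return {
    httpMethod: "GET",
    path: "/users",
    queryStringParameters: { limit: "1" },
    requestContext: {
      authorizer: { claims: { email: "alice@example.com", "cognito:groups": groups } },
    },
  };
}
```

In a real deployment the `listUsers` argument wraps `ListUsersCommand` from the Cognito SDK, and the `requestContext.authorizer.claims` map is what API Gateway populates for a Cognito authorizer; the parser accepts the array, comma-separated and bracketed forms because the claim's serialization differs between integrations.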

@ykethan
Member

ykethan commented Apr 26, 2024

@FBS-Alex on a quick test, I was able to work around the issue by using attachInlinePolicy and creating the policy in the auth stack.

```ts
import { defineBackend } from '@aws-amplify/backend';
import * as iam from 'aws-cdk-lib/aws-iam';
// resource definitions from your own backend (paths assumed)
import { auth } from './auth/resource';
import { data } from './data/resource';
import { demoFunction } from './functions/demo-function/resource';

const backend = defineBackend({
  auth,
  demoFunction,
  data,
});

const lambdaFunction = backend.demoFunction.resources.lambda;

// the Policy is scoped under the user pool construct, so it lands in the auth
// stack instead of the function stack and the cross-stack cycle goes away
lambdaFunction.role?.attachInlinePolicy(
  new iam.Policy(backend.auth.resources.userPool, "AllowListUsers", {
    statements: [
      new iam.PolicyStatement({
        actions: ["cognito-idp:ListUsers"],
        resources: [backend.auth.resources.userPool.userPoolArn],
      }),
    ],
  })
);
```
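Whichever of the two approaches above ends up in the deployment, the thing worth verifying afterwards is the policy the function role actually carries, since the whole point of scoping `resources` to `userPoolArn` is lost if a later edit widens it to `*`. The following is an added example, not code from the issue or from Amplify: a small audit over an IAM policy document in the JSON shape `aws iam get-role-policy` returns, flagging wildcard actions, wildcard resources, resources that are not user pool ARNs, and grants to a pool other than the expected one. The policy documents, pool ARN and the allowed-action list are constructed for the example.

```typescript
// Added example (not from the issue or Amplify): least-privilege audit of the
// cognito-idp grants in a Lambda role policy document.

interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}

interface IamPolicyDocument {
  Version: string;
  Statement: IamStatement | IamStatement[];
}

// Only the actions this function needs (assumed set for the example).
const ALLOWED_ACTIONS = new Set(["cognito-idp:ListUsers", "cognito-idp:ListUsersInGroup"]);

// arn:<partition>:cognito-idp:<region>:<12-digit account>:userpool/<pool id>
const USER_POOL_ARN_RE = /^arn:aws(-[a-z]+)?:cognito-idp:[a-z0-9-]+:\d{12}:userpool\/[A-Za-z0-9_-]+$/;

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Returns findings as strings; an empty array means every cognito-idp grant is
// restricted to the expected pool and to the allowed actions.
function auditCognitoPolicy(doc: IamPolicyDocument, expectedPoolArn: string): string[] {
  const findings: string[] = [];
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  statements.forEach((st, i) => {
    const actions = asList(st.Action);
    const touchesCognito = actions.some((a) => a === "*" || a.startsWith("cognito-idp:"));
    if (st.Effect !== "Allow" || !touchesCognito) return;
    for (const a of actions) {
      if (a === "*" || a.endsWith("*")) findings.push(`statement ${i}: wildcard action ${a}`);
      else if (!ALLOWED_ACTIONS.has(a)) findings.push(`statement ${i}: unexpected action ${a}`);
    }
    for (const r of asList(st.Resource)) {
      if (r === "*") findings.push(`statement ${i}: Resource * covers every user pool in the account`);
      else if (!USER_POOL_ARN_RE.test(r)) findings.push(`statement ${i}: ${r} is not a user pool ARN`);
      else if (r !== expectedPoolArn) findings.push(`statement ${i}: grants a different pool ${r}`);
    }
  });
  return findings;
}

// Constructed sample inputs: the pool ARN and three policy documents.
const SAMPLE_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE1";

const scopedPolicy: IamPolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["cognito-idp:ListUsers"], Resource: [SAMPLE_POOL_ARN] }],
};

const broadPolicy: IamPolicyDocument = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Action: "cognito-idp:*", Resource: "*" },
};

const otherPoolPolicy: IamPolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["cognito-idp:ListUsers", "cognito-idp:AdminDeleteUser"],
    Resource: "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_OTHER000",
  }],
};
```

Run it against the `PolicyDocument` field of the CLI output for the function's role and fail the pipeline when findings are non-empty; `Statement` is accepted as either a single object or an array because both forms are valid policy JSON.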

@FBS-Alex
Author

@ykethan Thanks a lot, that worked :)

@ykethan
Member

ykethan commented Jul 23, 2024

Closing this issue as this is now supported, documentation providing this: https://docs.amplify.aws/react/build-a-backend/auth/grant-access-to-auth-resources/
