#✅ - Add Cognito permission to lambda trigger in auth Gen2

5 messages · Page 1 of 1 (latest)

mystic kite

I'm trying to add some permissions to the preSignUp lambda trigger of Auth (such as cognito:ListUsers) but cannot achieve it.

I have tried to create a custom function and use the CDK to grant the access and attach it to the auth trigger as:

// amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { UserPool, UserPoolOperation } from 'aws-cdk-lib/aws-cognito';
import { preSignUpLambda } from './functions/preSignUp/resource';

const backend = defineBackend({
  auth,
  data,
  preSignUpLambda,
});

const userPool = backend.auth.resources.userPool as UserPool;
// Register the function as the pre sign-up trigger from backend.ts instead of via defineAuth
userPool.addTrigger(UserPoolOperation.PRE_SIGN_UP, backend.preSignUpLambda.resources.lambda);
// IAM actions for Cognito User Pools use the "cognito-idp" service prefix
userPool.grant(backend.preSignUpLambda.resources.lambda, 'cognito-idp:ListUsers');

But the above solution produces the error:

The CloudFormation deployment has failed. Find more information in the CloudFormation AWS Console for this stack.
Caused By: ❌ Deployment failed: Error [ValidationError]: Circular dependency between resources: [auth179371D7, data7552DF31, function1351588B]

I can only add the trigger function by adding this in /amplify/auth/resource.ts

triggers: {
  preSignUp: preSignUpLambda
}

But if I do this, I cannot find any object of the function in backend.auth.resource.
So is there any workaround to do this, or is it just impossible at the moment?

Thank you in advance


upper ermine

You can access the function like this in backend.ts:

// amplify/backend.ts
import { defineBackend, defineFunction } from '@aws-amplify/backend';
import { Function } from 'aws-cdk-lib/aws-lambda';
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { auth } from './auth/resource';

const preSignUpFunction = defineFunction({...});
const backend = defineBackend({
  preSignUpFunction,
  // auth is a factory that receives the function so it can register it as the trigger
  auth: auth(preSignUpFunction),
});
const preSignUpLambda = backend.preSignUpFunction.resources.lambda as Function;
// addToRolePolicy expects an iam.PolicyStatement, not a plain object
preSignUpLambda.addToRolePolicy(new PolicyStatement({...}));

Note that you have to wrap your auth configuration in a function so that you can pass it your function construct. So auth/resource.ts looks something like:

// amplify/auth/resource.ts
import { defineAuth, defineFunction } from '@aws-amplify/backend';

// Typed from defineFunction's return type so no extra type import is needed
export const auth = (preSignUp: ReturnType<typeof defineFunction>) =>
  defineAuth({
    ...
    triggers: {
      // use the parameter; there is no module-level preSignUpLambda in this file
      preSignUp,
    },
  });

mystic kite

Thanks for the information.

The solution works great for getting the function resource. But when adding the role policy with preSignUpLambda.addToRolePolicy({...});, the error I mentioned above is still there.
The cause is that while the auth backend waits for the lambda to be added as the user pool trigger, the lambda is waiting for the user pool to produce the Role.

There's a workaround: use preSignUpLambda.role!.attachInlinePolicy instead. Then the code looks like this:

// amplify/backend.ts (continued): preSignUpLambda is the Function obtained above
import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { UserPool } from 'aws-cdk-lib/aws-cognito';

const userPool = backend.auth.resources.userPool as UserPool;

// Scope the Policy to the user pool so it is created in the auth stack, where the
// user pool ARN is a local reference, instead of in the function's stack
preSignUpLambda.role!.attachInlinePolicy(
  new Policy(userPool, 'cognito-userpool-policy', {
    statements: [
      new PolicyStatement({
        // least privilege: only ListUsers, and only on this user pool
        actions: ['cognito-idp:ListUsers'],
        resources: [userPool.userPoolArn],
      }),
    ],
  }),
);

I leave it here in case others might face the same problem.
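As an added illustration (not code from this thread, nor from Amplify or the CDK), the following TypeScript models why the two placements of the policy behave differently: CloudFormation turns every cross-stack reference into a stack-level dependency, and a cycle in that graph is exactly the "Circular dependency between resources" error above. Stack and resource names are illustrative; the Lambda invoke permission that Amplify also creates is left out, so the model covers only the resources the thread discusses.

```typescript
// Added example: a toy model of CloudFormation cross-stack dependencies.
// Stack and resource names are illustrative, not Amplify's real logical IDs.

type StackName = "auth" | "function";

interface Resource {
  id: string;
  stack: StackName;
  refs: string[]; // ids of resources this one references (Ref / Fn::GetAtt)
}

// A resource in stack A that references a resource in stack B forces CloudFormation
// to export the value from B and import it in A, so stack A depends on stack B.
function stackDependencies(resources: Resource[]): Map<StackName, Set<StackName>> {
  const byId = new Map<string, Resource>();
  resources.forEach((r) => byId.set(r.id, r));
  const deps = new Map<StackName, Set<StackName>>();
  for (const r of resources) {
    if (!deps.has(r.stack)) deps.set(r.stack, new Set<StackName>());
    for (const ref of r.refs) {
      const target = byId.get(ref);
      if (!target) throw new Error(`unknown reference ${ref} from ${r.id}`);
      if (target.stack !== r.stack) deps.get(r.stack)!.add(target.stack);
    }
  }
  return deps;
}

// Kahn's algorithm over the stack graph: stacks that never reach in-degree 0
// sit on a cycle. Returns them sorted, or [] for a deployable DAG.
function findCycle(deps: Map<StackName, Set<StackName>>): StackName[] {
  const indegree = new Map<StackName, number>();
  deps.forEach((_targets, s) => indegree.set(s, 0));
  deps.forEach((targets) =>
    targets.forEach((t) => indegree.set(t, (indegree.get(t) || 0) + 1)),
  );
  const queue: StackName[] = [];
  indegree.forEach((d, s) => { if (d === 0) queue.push(s); });
  const done = new Set<StackName>();
  while (queue.length > 0) {
    const s = queue.shift()!;
    done.add(s);
    (deps.get(s) || new Set<StackName>()).forEach((t) => {
      const d = indegree.get(t)! - 1;
      indegree.set(t, d);
      if (d === 0) queue.push(t);
    });
  }
  return Array.from(indegree.keys()).filter((s) => !done.has(s)).sort();
}

// The resources the thread talks about. The trigger binding is a property of the
// user pool (LambdaConfig), so it lives with the pool in the auth stack and
// references the function in the function stack.
const base: Resource[] = [
  { id: "UserPool", stack: "auth", refs: ["PreSignUpFn"] },
  { id: "PreSignUpFn", stack: "function", refs: ["PreSignUpRole"] },
  { id: "PreSignUpRole", stack: "function", refs: [] },
];

// addToRolePolicy(): the policy is created beside the role, in the function stack,
// and its Resource element is the user pool ARN -> function depends on auth while
// auth already depends on function for the trigger -> cycle.
function withAddToRolePolicy(): StackName[] {
  const policy: Resource = {
    id: "ListUsersPolicy", stack: "function", refs: ["PreSignUpRole", "UserPool"],
  };
  return findCycle(stackDependencies(base.concat(policy)));
}

// new Policy(userPool, ...): the policy is scoped under the user pool, so it is
// created in the auth stack. The user pool ARN becomes an in-stack reference and
// the only cross-stack edge (auth -> function, via the role) already existed.
function withPolicyInAuthStack(): StackName[] {
  const policy: Resource = {
    id: "ListUsersPolicy", stack: "auth", refs: ["PreSignUpRole", "UserPool"],
  };
  return findCycle(stackDependencies(base.concat(policy)));
}

console.log("addToRolePolicy cycle:", withAddToRolePolicy()); // ["auth", "function"]
console.log("policy in auth stack:", withPolicyInAuthStack()); // []
```

The model also shows why `attachInlinePolicy` alone is not the fix: what matters is the construct scope passed to `new Policy(...)`, which decides the stack the policy is synthesized into and therefore which direction its references point.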

mental swanBOT

✅ - Add Cognito permission to lambda trigger in auth Gen2