MechanicalRock / Multitenancy-AuthorizationAuthentication


Fine grained access not working #5

Open michaelinio opened 1 year ago

michaelinio commented 1 year ago

First off, thanks a lot for writing the article and publishing this example.

I have some trouble understanding how this setup actually provides fine grained access through the lambda authoriser.

In your example, the allowPolicy function returns an IAM policy for api gateway and DynamoDB with conditions like so:

```typescript
{
  Version: '2012-10-17',
  Statement: [
    {
      Action: 'execute-api:Invoke',
      Effect: 'Allow',
      Resource: this.executeApiArn,
    },
    {
      Action: ['dynamodb:UpdateItem', 'dynamodb:PutItem', 'dynamodb:DeleteItem', 'dynamodb:Query'],
      Effect: 'Allow',
      Resource: this.cartTable,
      Condition: {
        'ForAllValues:StringLike': {
          'dynamodb:LeadingKeys': tenantId,
        },
      },
    },
  ],
}
```

If I'm understanding your article correctly, the second policy should be asserting that the following lambda call can only access data belonging to a specific tenantId, but this does not seem to work. Furthermore, in the multi-tenant-stack.ts you're granting access to the whole table, so what is the point of that condition policy?

sergiofgonzalez commented 1 year ago

Hi, thanks for the write-up and the code.

I kind of have a similar question. How does the downstream lambda assume that role?

The first statement returned by the Lambda Authorizer is clear -- it enables the API Gateway to invoke the Lambda represented by the API endpoint, but I don't understand how the downstream Lambda can use the returned DynamoDB policy as the policy never leaves the API Gateway... those are like different scopes for the policies right?

Thanks again.
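Both comments above turn on what the `dynamodb:LeadingKeys` condition actually enforces and on which credentials carry it. The following added example (not this repository's code, and not a description of how the project wires it) builds the same tenant statement and models IAM's evaluation of the `ForAllValues:StringLike` condition against a request's partition keys; the table ARN, role ARN and the `scopedAssumeRoleInput` helper are assumptions for illustration.

```typescript
// Added example, not this repository's code. Builds the tenant-scoped DynamoDB
// statement from the issue and models how IAM evaluates its
// ForAllValues:StringLike / dynamodb:LeadingKeys condition. ARNs are placeholders.
interface TenantStatement {
  Action: string[];
  Effect: 'Allow';
  Resource: string;
  Condition: { 'ForAllValues:StringLike': { 'dynamodb:LeadingKeys': string | string[] } };
}

function tenantStatement(tenantId: string, tableArn = 'arn:aws:dynamodb:REGION:ACCOUNT:table/TABLE'): TenantStatement {
  return {
    Action: ['dynamodb:UpdateItem', 'dynamodb:PutItem', 'dynamodb:DeleteItem', 'dynamodb:Query'],
    Effect: 'Allow',
    Resource: tableArn,
    Condition: { 'ForAllValues:StringLike': { 'dynamodb:LeadingKeys': tenantId } },
  };
}

// StringLike: case-sensitive match where * and ? are wildcards.
function stringLike(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`).test(value);
}

// Models the evaluation: the action must be listed and, under ForAllValues, every
// partition-key value in the request must match a pattern. With no key values at all
// the set condition is vacuously true (documented ForAllValues behaviour), which is
// why the statement lists only actions that always supply dynamodb:LeadingKeys.
function isAllowed(stmt: TenantStatement, action: string, leadingKeys: string[]): boolean {
  if (!stmt.Action.includes(action)) return false;
  const patterns = ([] as string[]).concat(stmt.Condition['ForAllValues:StringLike']['dynamodb:LeadingKeys']);
  return leadingKeys.every((key) => patterns.some((p) => stringLike(p, key)));
}

// The statement only constrains the downstream function if that function's credentials
// carry it. One common way is to pass it as a session policy when assuming a role
// (the session Policy is intersected with the role's own permissions); this helper is
// an assumption about the intended design, not something shown in the issue.
function scopedAssumeRoleInput(tenantId: string, roleArn = 'arn:aws:iam::ACCOUNT:role/ROLE') {
  const policy = { Version: '2012-10-17', Statement: [tenantStatement(tenantId)] };
  return { RoleArn: roleArn, RoleSessionName: `tenant-${tenantId}`, Policy: JSON.stringify(policy) };
}

// Constructed sample: "acme" may touch its own partition, not "globex".
const acme = tenantStatement('acme');
console.log(isAllowed(acme, 'dynamodb:Query', ['acme']));             // true
console.log(isAllowed(acme, 'dynamodb:Query', ['globex']));           // false
console.log(isAllowed(acme, 'dynamodb:PutItem', ['acme', 'globex'])); // false: mixed partitions
console.log(isAllowed(acme, 'dynamodb:Scan', ['acme']));              // false: Scan not granted
```

Note that the condition does nothing on its own if the downstream function keeps using its execution role's full-table grant; only credentials that actually carry the scoped statement are constrained by it.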