aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

How to update the trust policy for authRole set by `UpdateRolesWithIDPFunction`? #12835

Closed sibyl229 closed 1 year ago

sibyl229 commented 1 year ago

Amplify CLI Version

12.0.3

Question

Hi there,

To use the attributes for access control with the identity pool, I need to include sts:TagSession in the authRole's trust policy. However, the trust policy seems to be modified by a Lambda called UpdateRolesWithIDPFunction after the override of the project-level IAM roles is performed. Is there a way to modify the trust policy set by UpdateRolesWithIDPFunction?

My goal is to use principal tags in my S3 bucket policy, as the following:

import {
  AmplifyS3ResourceTemplate,
  AmplifyProjectInfo,
} from "@aws-amplify/cli-extensibility-helper";

// amplify/backend/storage/<bucket>/override.ts
// Scope the private prefix to the user_id principal tag instead of the
// default ${cognito-identity.amazonaws.com:sub} variable.
export function override(
  resources: AmplifyS3ResourceTemplate,
  amplifyProjectInfo: AmplifyProjectInfo
) {
  resources.s3AuthPrivatePolicy.policyDocument.Statement = [
    {
      Effect: "Allow",
      Action: ["s3:PutObject", "s3:GetObject"],
      Resource: [
        {
          "Fn::Join": [
            "",
            [
              "arn:aws:s3:::",
              { Ref: "S3Bucket" },
              "/private/${aws:PrincipalTag/user_id}/*",
            ],
          ],
        },
      ],
    },
  ];
}

I have also configured the principal tags mapping as the following:

import {
  AmplifyAuthCognitoStackTemplate,
  AmplifyProjectInfo,
} from "@aws-amplify/cli-extensibility-helper";

// amplify/backend/auth/<auth>/override.ts
// Map the user pool token claims "aud" and "sub" to the principal tags
// app_id and user_id for identities federated through this user pool.
export function override(
  resources: AmplifyAuthCognitoStackTemplate,
  amplifyProjectInfo: AmplifyProjectInfo
) {
  resources.addCfnResource(
    {
      type: "AWS::Cognito::IdentityPoolPrincipalTag",
      properties: {
        IdentityPoolId: {
          Ref: "IdentityPool",
        },
        IdentityProviderName: {
          "Fn::Sub": [
            "cognito-idp.${region}.amazonaws.com/${client}",
            {
              region: {
                Ref: "AWS::Region",
              },
              client: {
                Ref: "UserPool",
              },
            },
          ],
        },
        PrincipalTags: {
          app_id: "aud",
          user_id: "sub",
        },
        UseDefaults: false,
      },
    },
    "MyIdentityPoolPrincipalTags"
  );
}

However, I need to manually change the authRole trust policy in the AWS console. Is there a way to automate this?

Thanks!

josefaidt commented 1 year ago

Hey @sibyl229 :wave: thanks for raising this and apologies for the delay! Are you currently using a project override to modify the authRole policy? This can be created with amplify override project, and the authRole should be accessible on resources.authRole.

sibyl229 commented 1 year ago

Hi @josefaidt thanks for the reply! I am currently using the project override to override the policy of the authRole. That works fine and wasn't the issue. The issue I have is about the trust relationship policy, and what was set in the override seems to be subsequently replaced by the Lambda called UpdateRolesWithIDPFunction. Any thoughts about that? Thanks!

josefaidt commented 1 year ago

Hey @sibyl229 thanks for clarifying and glad to hear you have that piece working! Unfortunately I do not believe we will have the ability to retain the override without the Function overwriting it, however you can use a post-push command hook and the AWS SDK to modify this after a successful push.
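One way to implement the post-push hook suggested above, as an added example that is not part of this thread or of the Amplify CLI: a pure function adds sts:TagSession to the trust-policy statement that lets the Cognito federated principal call sts:AssumeRoleWithWebIdentity (leaving every other statement untouched and running idempotently), and applyToRole() reads and writes the role's trust policy with AWS SDK v3. The hook path amplify/hooks/post-push.js, the AUTH_ROLE_NAME environment variable and the sample policy are assumptions made for this example.

```javascript
// Added example, not code from the issue or the Amplify project.
const COGNITO_PRINCIPAL = 'cognito-identity.amazonaws.com';

// Constructed sample of the trust policy UpdateRolesWithIDPFunction leaves on
// authRole (identity pool id is a placeholder).
const SAMPLE_TRUST_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: COGNITO_PRINCIPAL },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: {
      StringEquals: { 'cognito-identity.amazonaws.com:aud': '<IDENTITY_POOL_ID>' },
      'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
    },
  }],
};

// Returns { policy, changed } without mutating the input. Only the Allow
// statement for the Cognito federated principal gains sts:TagSession.
function addTagSessionToTrustPolicy(policy) {
  let changed = false;
  const Statement = (policy.Statement || []).map((stmt) => {
    const federated = stmt.Principal && stmt.Principal.Federated;
    const actions = [].concat(stmt.Action || []);
    if (stmt.Effect !== 'Allow' || federated !== COGNITO_PRINCIPAL ||
        !actions.includes('sts:AssumeRoleWithWebIdentity') ||
        actions.includes('sts:TagSession')) {
      return stmt; // unrelated, or already allows session tagging
    }
    changed = true;
    return { ...stmt, Action: [...actions, 'sts:TagSession'] };
  });
  return { policy: { ...policy, Statement }, changed };
}

// Patch the live role; @aws-sdk/client-iam is loaded lazily so the pure
// function above works offline. Returns true when a write happened.
async function applyToRole(roleName) {
  const { IAMClient, GetRoleCommand, UpdateAssumeRolePolicyCommand } = require('@aws-sdk/client-iam');
  const iam = new IAMClient({});
  const { Role } = await iam.send(new GetRoleCommand({ RoleName: roleName }));
  const current = JSON.parse(decodeURIComponent(Role.AssumeRolePolicyDocument)); // IAM returns it URL-encoded
  const { policy, changed } = addTagSessionToTrustPolicy(current);
  if (changed) await iam.send(new UpdateAssumeRolePolicyCommand({ RoleName: roleName, PolicyDocument: JSON.stringify(policy) }));
  return changed;
}

// As amplify/hooks/post-push.js: run only when the hook environment names the role.
if (process.env.AUTH_ROLE_NAME) {
  applyToRole(process.env.AUTH_ROLE_NAME).then((c) => console.log(c ? 'trust policy updated' : 'already up to date'));
}
```

The credentials used by the hook need iam:GetRole and iam:UpdateAssumeRolePolicy on the authRole only; because the function is idempotent, every push can run it safely.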

sibyl229 commented 1 year ago

Thanks @josefaidt ! That makes sense! It might take a while before I try the suggestion. Please feel free to close the issue.

josefaidt commented 1 year ago

No worries, @sibyl229 I'll close this for now but if you run into any issues setting that up please let us know!

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.