Open jamime opened 2 years ago
Hey @jamime :wave: thanks for raising this! Can you try to set `NotResource`'s value to an array? https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
Using an array gives the same error message:

```
should have required property 'Resource'
```

```json
[
  {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "NotResource": ["arn:aws:sns:*:*:*"]
  }
]
```
Hey @jamime thanks for the clarification! I will mark this as a feature request to support `NotResource`, however in the meantime can you see if mixing DENY/ALLOW policies will accomplish this?

```json
[
  {
    "Effect": "Deny",
    "Action": ["sns:Publish"],
    "Resource": ["arn:aws:sns:*:*:*"]
  },
  {
    "Effect": "Allow",
    "Action": ["sns:Publish"],
    "Resource": ["*"]
  }
]
```
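To see why the `NotResource` policy from the earlier reply and the explicit Deny + Allow pair suggested here reach the same decisions, the following is an added example, not code from the Amplify CLI project or from anyone in this thread. It is a deliberately simplified model of IAM evaluation: action and resource wildcards, `Resource` versus `NotResource`, and explicit Deny taking precedence over any Allow. The one modelling assumption is that a `sns:Publish` request addressed to a phone number carries no resource ARN (represented as `null`), so only a `"*"` pattern can match it; the topic ARN in the sample requests is constructed.

```javascript
// Added example: a minimal IAM-style evaluator for Resource / NotResource
// statements. Not the Amplify CLI's or AWS's code. Assumption: a publish to a
// phone number has no resource ARN (null here) and is matched only by '*'.

// Convert an IAM wildcard pattern ('*' and '?') into an anchored RegExp.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.')
  return new RegExp(`^${escaped}$`)
}

function asList(value) {
  return Array.isArray(value) ? value : [value]
}

function matchesAnyAction(patterns, action) {
  return asList(patterns).some((p) => patternToRegExp(p).test(action))
}

// A request without an ARN (SMS publish) is covered only by a literal '*'.
function matchesAnyResource(patterns, resource) {
  const list = asList(patterns)
  if (resource === null) return list.includes('*')
  return list.some((p) => patternToRegExp(p).test(resource))
}

// Does the statement's Resource or NotResource element cover this resource?
function resourceApplies(statement, resource) {
  if (statement.Resource !== undefined) {
    return matchesAnyResource(statement.Resource, resource)
  }
  if (statement.NotResource !== undefined) {
    return !matchesAnyResource(statement.NotResource, resource)
  }
  return false // a statement must carry one of the two elements
}

// Explicit Deny wins over everything; otherwise any Allow grants; else deny.
function evaluate(policy, action, resource) {
  let allowed = false
  for (const statement of policy) {
    if (!matchesAnyAction(statement.Action, action)) continue
    if (!resourceApplies(statement, resource)) continue
    if (statement.Effect === 'Deny') return 'Deny'
    if (statement.Effect === 'Allow') allowed = true
  }
  return allowed ? 'Allow' : 'Deny'
}

// The two policies from the thread, as constructed test data.
const notResourcePolicy = [
  { Effect: 'Allow', Action: ['sns:Publish'], NotResource: ['arn:aws:sns:*:*:*'] },
]
const denyAllowPolicy = [
  { Effect: 'Deny', Action: ['sns:Publish'], Resource: ['arn:aws:sns:*:*:*'] },
  { Effect: 'Allow', Action: ['sns:Publish'], Resource: ['*'] },
]

// Constructed sample topic ARN; the SMS request has no ARN at all.
const SAMPLE_TOPIC = 'arn:aws:sns:us-east-1:123456789012:ExampleTopic'
const SMS_REQUEST = null

// Compare both policies on the two request shapes the thread cares about.
function compareDecisions() {
  return {
    smsViaNotResource: evaluate(notResourcePolicy, 'sns:Publish', SMS_REQUEST),
    topicViaNotResource: evaluate(notResourcePolicy, 'sns:Publish', SAMPLE_TOPIC),
    smsViaDenyAllow: evaluate(denyAllowPolicy, 'sns:Publish', SMS_REQUEST),
    topicViaDenyAllow: evaluate(denyAllowPolicy, 'sns:Publish', SAMPLE_TOPIC),
  }
}

console.log(compareDecisions())
```

Both policies allow the phone-number publish and deny the topic publish. The practical difference is the failure mode: `NotResource` is an allow-list expressed by exclusion, so a typo in the excluded ARN silently widens what is allowed, whereas the Deny + Allow pair keeps the exclusion as an explicit Deny that wins even if another statement later grants more.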
Using the following Lambda code we are able to send messages via SMS.

```javascript
import { SNSClient, PublishCommand } from '@aws-sdk/client-sns'

const client = new SNSClient()

/**
 * Publish a message to a phone number
 * @param {string} number - phone number of recipient
 * @param {string} [message] - message to send to phone number
 * @returns {Promise<import('@aws-sdk/client-sns').PublishCommandOutput>}
 */
async function publish(number, message) {
  /** @type {import('@aws-sdk/client-sns').PublishCommandInput} */
  const input = {
    PhoneNumber: number || '+5555555555',
    Message: message || 'SMS from Lambda!',
  }
  /** @type {import('@aws-sdk/client-sns').PublishCommand} */
  const command = new PublishCommand(input)
  const response = await client.send(command)
  return response
}

/**
 * @type {import('aws-lambda').APIGatewayProxyHandler}
 */
export async function handler(event) {
  // API Gateway delivers the request body as a JSON string, so parse it
  // before destructuring; fall back to an empty object when there is no body.
  const body = typeof event?.body === 'string' ? JSON.parse(event.body) : event?.body || {}
  const { number, message } = body
  const response = await publish(number, message)
  return {
    statusCode: 200,
    body: JSON.stringify(response),
  }
}
```
Before opening, please confirm:

**How did you install the Amplify CLI?**
npm

**If applicable, what version of Node.js are you using?**
v16.14.0

**Amplify CLI Version**
7.6.22

**What operating system are you using?**
Mac

**Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.**
No manual changes made

**Amplify Categories**
function

**Amplify Commands**
push

**Describe the bug**
Unable to use `NotResource` in `amplify/backend/function/authCreateAuthChallenge/custom-policies.json`. I want to grant access to SNS publish to all mobile numbers, but not an SNS topic.

**Expected behavior**
`amplify push function authCreateAuthChallenge` should work with this policy file.

**Reproduction steps**
1. `amplify init`
2. `amplify add function` and name it `authCreateAuthChallenge`
3. Edit `amplify/backend/function/authCreateAuthChallenge/custom-policies.json` to include the `NotResource` policy

**GraphQL schema(s)**

**Log output**

**Additional information**
I can set an inline policy using the same document via the AWS console.