aws-samples / api-gateway-secure-pet-store

Amazon API Gateway sample using Amazon Cognito credentials through AWS Lambda
Apache License 2.0

What is the meaning "Copy and paste the same access policy we generated for the invocation role" #13

Open esumit opened 8 years ago

esumit commented 8 years ago

I followed the documentation, but at the end I didn't understand this line: "Copy and paste the same access policy we generated for the invocation role".

Does that mean that I should make Cognito_IdentityTestPoolAuth_Role similar to the previous one? Like below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "Stmt1462212212000",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:lambda:us-east-1:XXXXXXXXX:function:zPetStoreAPIGatewayLambda",
        "arn:aws:execute-api:*"
      ]
    },
    {
      "Sid": "Stmt1462211764000",
      "Effect": "Allow",
      "Action": [
        "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
      ],
      "Resource": [
        "arn:aws:cognito-identity:us-east-1:XXXXXXXXX:identitypool/us-east-1:a6fef2a4-bb3f-4e22-b9d6-xxxxxxxx"
      ]
    },
    {
      "Sid": "Stmt1462211972000",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:XXXXXXXXXX:table/testPetId"
      ]
    },
    {
      "Sid": "Stmt1462212134000",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Scan",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:XXXXXXXX:table/testUserName"
      ]
    },
    {
      "Sid": "Stmt1462212275000",
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": [ "*" ]
    }
  ]
}
```

Could you please clarify?

sapessi commented 8 years ago

I edited your comment to remove account numbers. Please do not post policies that contain account IDs and identity pool ARNs publicly. I recommend you delete the resources you had created and start from scratch in case someone found this and took your account number. The answer is yes, make it similar.

steve-a-jones commented 8 years ago

This part of the tutorial is slightly confusing - please provide an example of the policy as you did with the other steps :)

A few questions:

Do we also edit the trust relationship?

Do we replace the existing policy of the Cognito auth role with the one generated for API Gateway?

Can you provide some insight as to why these policies need to match?
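The thread turns on two separate documents attached to the Cognito authenticated role: its trust relationship (who may assume the role) and its access policy (what the temporary credentials may call). The following is an added example, not code from the api-gateway-secure-pet-store repository or its tutorial; the account ID, identity pool ID and API ID are constructed placeholders, and the `policy_allows` evaluator is a deliberately simplified model of IAM evaluation (explicit Deny wins, any matching Allow grants, no conditions). It shows the trust policy Cognito Identity needs to assume the role, an access policy that scopes `execute-api:Invoke` to one API stage instead of `arn:aws:execute-api:*`, a check that the scoped policy allows the pet store API and nothing else, and a redaction helper of the kind sapessi's comment implies should be applied before pasting a policy into a public issue.

```python
import fnmatch
import json
import re

# Constructed placeholder values; none of these are real.
ACCOUNT_ID = "123456789012"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
REGION = "us-east-1"
API_ID = "abcde12345"  # hypothetical API Gateway REST API id

# Trust policy for the Cognito *authenticated* role: only Cognito Identity may
# assume it, only on behalf of this identity pool, and only for authenticated
# identities. This is separate from the access policy below.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}


def build_access_policy(account_id, region, api_id, stage="prod"):
    """Default Cognito statement plus execute-api:Invoke scoped to one API stage."""
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
             "Resource": ["*"]},
            {"Effect": "Allow",
             "Action": ["execute-api:Invoke"],
             "Resource": [api_arn]},
        ],
    }


def _matches(pattern, value):
    # IAM treats '*' as any sequence and '?' as one character; fnmatchcase does
    # the same (it also parses [...] classes, which do not occur in ARNs here).
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        hit = (any(_matches(a, action) for a in actions)
               and any(_matches(r, resource) for r in resources))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def redact_policy(policy):
    """Mask 12-digit account IDs and identity pool UUIDs before sharing a policy."""
    text = json.dumps(policy, indent=2)
    text = re.sub(r"\b\d{12}\b", "XXXXXXXXXXXX", text)
    text = re.sub(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
                  "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", text)
    return text


if __name__ == "__main__":
    policy = build_access_policy(ACCOUNT_ID, REGION, API_ID)
    pet_store = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/prod/GET/pets"
    other_api = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:zzzzz99999/prod/GET/pets"
    print(policy_allows(policy, "execute-api:Invoke", pet_store))  # True
    print(policy_allows(policy, "execute-api:Invoke", other_api))  # False
    print(redact_policy(policy))
```

The reason the Cognito role's access policy must carry the same `execute-api:Invoke` grant as the invocation role is that, with IAM authorization on the method, API Gateway evaluates the caller's own credentials; the temporary credentials Cognito vends are those of the authenticated role, so that role is the one that needs the permission. The trust policy is what lets Cognito Identity hand out those credentials in the first place.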