feat: narrow-down idp roles scope (#1974)
* fixes based on PR comments * fix: fix async push * feat: narrow-down idp roles scope * narrow down IAM update policies for the lambda execution role
1 parent
caba157
commit ccfd508
Showing
4 changed files
with
201 additions
and
17 deletions.
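--- a/packages/amplify-provider-awscloudformation/lib/update-idp-roles-cfn.json
+++ b/packages/amplify-provider-awscloudformation/lib/update-idp-roles-cfn.json
@@ -0,0 +1,173 @@
+{
+
+"UpdateRolesWithIDPFunction": {
+"DependsOn": [
+"AuthRole",
+"UnauthRole"
+],
+"Type": "AWS::Lambda::Function",
+"Properties": {
+"Code": {
+"ZipFile": {
+"Fn::Join": [
+"\n",
+[
+"const response = require('cfn-response');",
+"const aws = require('aws-sdk');",
+"let responseData = {};",
+"exports.handler = function(event, context) {",
+" try {",
+" let authRoleName = event.ResourceProperties.authRoleName;",
+" let unauthRoleName = event.ResourceProperties.unauthRoleName;",
+" let idpId = event.ResourceProperties.idpId;",
+" let promises = [];",
+" let authParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'authenticated'}}}]};",
+" let unauthParamsJson = { 'Version': '2012-10-17','Statement': [{'Effect': 'Allow','Principal': {'Federated': 'cognito-identity.amazonaws.com'},'Action': 'sts:AssumeRoleWithWebIdentity','Condition': {'StringEquals': {'cognito-identity.amazonaws.com:aud': idpId},'ForAnyValue:StringLike': {'cognito-identity.amazonaws.com:amr': 'unauthenticated'}}}]};",
+" if (event.RequestType == 'Delete') {",
+" delete authParamsJson.Statement.Condition;",
+" delete unauthParamsJson.Statement.Condition;",
+" let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};",
+" let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};",
+" const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});",
+" promises.push(iam.updateAssumeRolePolicy(authParams).promise());",
+" promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());",
+" Promise.all(promises)",
+" .then((res) => {",
+" console.log(\"delete\" + res);",
+" console.log(\"response data\" + JSON.stringify(res));",
+" response.send(event, context, response.SUCCESS, res);",
+" });",
+" }",
+" if (event.RequestType == 'Update' || event.RequestType == 'Create') {",
+" const iam = new aws.IAM({ apiVersion: '2010-05-08', region: event.ResourceProperties.region});",
+" let authParams = { PolicyDocument: JSON.stringify(authParamsJson),RoleName: authRoleName};",
+" let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson),RoleName: unauthRoleName};",
+" promises.push(iam.updateAssumeRolePolicy(authParams).promise());",
+" promises.push(iam.updateAssumeRolePolicy(unauthParams).promise());",
+" Promise.all(promises)",
+" .then((res) => {",
+" console.log(\"createORupdate\" + res);",
+" console.log(\"response data\" + JSON.stringify(res));",
+" response.send(event, context, response.SUCCESS, {});",
+" });",
+" }",
+" } catch(err) {",
+" console.log(err.stack);",
+" responseData = {Error: err};",
+" response.send(event, context, response.FAILED, responseData);",
+" throw err;",
+" }",
+"};"
+]
+]
+}
+},
+"Handler": "index.handler",
+"Runtime": "nodejs8.10",
+"Timeout": "300",
+"Role": {
+"Fn::GetAtt": [
+"UpdateRolesWithIDPFunctionRole",
+"Arn"
+]
+}
+}
+},
+"UpdateRolesWithIDPFunctionOutputs": {
+"Type": "Custom::LambdaCallout",
+"Properties": {
+"ServiceToken": {
+"Fn::GetAtt": [
+"UpdateRolesWithIDPFunction",
+"Arn"
+]
+},
+"region": {
+"Ref": "AWS::Region"
+},
+"idpId": {
+"Fn::GetAtt": [
+
+"Outputs.IdentityPoolId"
+]
+},
+"authRoleName": {
+"Ref": "AuthRoleName"
+},
+"unauthRoleName": {
+"Ref": "UnauthRoleName"
+}
+}
+},
+"UpdateRolesWithIDPFunctionRole": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"RoleName": {
+"Fn::Join": [
+"",
+[
+{
+"Ref": "AuthRoleName"
+},
+"-idp"
+]
+]
+},
+"AssumeRolePolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"lambda.amazonaws.com"
+]
+},
+"Action": [
+"sts:AssumeRole"
+]
+}
+]
+},
+"Policies": [
+{
+"PolicyName": "UpdateRolesWithIDPFunctionPolicy",
+"PolicyDocument": {
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"logs:CreateLogGroup",
+"logs:CreateLogStream",
+"logs:PutLogEvents"
+],
+"Resource": "arn:aws:logs:*:*:*"
+},
+{
+"Effect": "Allow",
+"Action": "iam:UpdateAssumeRolePolicy",
+"Resource": {
+"Fn::GetAtt": [
+"AuthRole",
+"Arn"
+]
+}
+},
+{
+"Effect": "Allow",
+"Action": "iam:UpdateAssumeRolePolicy",
+"Resource": {
+"Fn::GetAtt": [
+"UnauthRole",
+"Arn"
+]
+}
+}
+]
+}
+}
+]
+}
+}
+}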
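Review bot: Both `Promise.all(promises)` chains in the embedded handler end in `.then` with no `.catch`, so a rejected `updateAssumeRolePolicy` call escapes the surrounding synchronous try/catch, `response.send` is never reached, and the custom resource hangs until CloudFormation times it out rather than failing fast; append `.catch((err) => response.send(event, context, response.FAILED, { Error: err.message }))` to each chain. Separately, `delete authParamsJson.Statement.Condition` (and its unauth twin) targets the `Statement` array rather than its single element, so the Delete path looks like a no-op that re-applies the scoped policy. If the intent really is to strip the condition on Delete, note that a Federated cognito-identity trust policy without the `cognito-identity.amazonaws.com:aud` condition can be assumed through any identity pool, which runs against the scoping this commit introduces, so leaving the condition in place on Delete is arguably the safer choice. Scoping `iam:UpdateAssumeRolePolicy` to the two role ARNs in `UpdateRolesWithIDPFunctionPolicy` is the right direction.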