 

AWS cognito userpools JavaScript SDK get user's policy documents

For a registered user in AWS Cognito User Pools, is it possible to retrieve the policy documents attached to the user through IAM roles using the JavaScript SDK?

The use case is to write a custom authorizer which authorizes the Cognito ID token and returns the policy document with the IAM permissions the user is capable of assuming through Cognito User Groups.

Ashan asked Jul 13 '17 02:07


1 Answer

After carrying out further research, the following approach is used to retrieve 'inline policies' attached to the user through IAM roles.

  • From the AWS Cognito JWT, extract the role names from the ARNs and, using the IAM SDK for JavaScript, get the policy ARNs by using

    const aws = require('aws-sdk');
    let iam = new aws.IAM();
    // listRolePolicies returns the names of the role's *inline* policies only
    // (managed policies attached to the role are listed by listAttachedRolePolicies)
    iam.listRolePolicies({ RoleName: roleName }, function (err, data) {
        if (err) { return console.error(err); }
        let policyNames = data["PolicyNames"];
        // Use policy names and role names to retrieve policy documents
    });
    
  • Using the policy names and role names in combination, retrieve the policy documents in JSON format

    iam.getRolePolicy({ PolicyName: policyName, RoleName: roleName },
    function (err, data) {
        if (err) { return console.error(err); }
        // PolicyDocument is returned as URL-encoded JSON
        let document = JSON.parse(decodeURIComponent(data["PolicyDocument"]));
    });
    
  • Next, iteratively extract the statements from each policy document and build a single one.

Example code can be found in this GitHub repository.

Ashan answered Oct 21 '22 08:10
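The three steps of the answer above, carried through end to end as an added example (this is not the answer's own code nor the code in the linked repository): decode the `cognito:roles` claim of the ID token, list and fetch each role's inline policies, and merge their statements into one document. The IAM client is a constructed stub that mirrors the aws-sdk v2 call shape (`listRolePolicies(...).promise()`, `getRolePolicy(...).promise()`) so the block runs offline; the role names, policies and the token itself are constructed as well. Two caveats a practitioner should keep in mind: the payload decode here does not verify the token, so an authorizer must validate signature, issuer, audience and expiry against the user pool's JWKS before trusting `cognito:roles`; and `listRolePolicies`/`getRolePolicy` cover only inline policies, so managed policies attached to a role would additionally need `listAttachedRolePolicies` plus `getPolicy`/`getPolicyVersion`.

```javascript
'use strict';
// Added example, not code from the original answer. Assumption: the IAM client
// mirrors aws-sdk v2, where listRolePolicies() and getRolePolicy() return
// request objects exposing .promise(). A constructed stub plays that role here.

// Base64url helpers (unpadded), the encoding JWT segments use.
function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Step 1a: read the claims out of the ID token. This does NOT verify the
// signature; a real authorizer must validate the token (signature via the user
// pool JWKS, iss, aud, exp) before any claim below is trusted.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Step 1b: "arn:aws:iam::123456789012:role/path/Name" -> "Name".
function roleNameFromArn(arn) {
  const m = /^arn:aws:iam::\d{12}:role\/(.+)$/.exec(arn);
  if (!m) throw new Error(`not an IAM role ARN: ${arn}`);
  return m[1].split('/').pop();
}

// Step 1c: inline policy names of a role, following pagination markers.
async function listInlinePolicyNames(iam, roleName) {
  const names = [];
  let marker;
  do {
    const params = { RoleName: roleName };
    if (marker) params.Marker = marker;
    const page = await iam.listRolePolicies(params).promise();
    names.push(...page.PolicyNames);
    marker = page.IsTruncated ? page.Marker : undefined;
  } while (marker);
  return names;
}

// Step 2: fetch each inline policy; PolicyDocument comes back URL-encoded.
async function inlinePolicyDocuments(iam, roleName) {
  const docs = [];
  for (const PolicyName of await listInlinePolicyNames(iam, roleName)) {
    const res = await iam.getRolePolicy({ RoleName: roleName, PolicyName }).promise();
    docs.push(JSON.parse(decodeURIComponent(res.PolicyDocument)));
  }
  return docs;
}

// Step 3: flatten every Statement (a document may carry a single object rather
// than an array) into one policy document.
function mergePolicyDocuments(docs) {
  const Statement = [];
  for (const doc of docs) {
    Statement.push(...(Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement]));
  }
  return { Version: '2012-10-17', Statement };
}

async function policyForIdToken(iam, idToken) {
  const claims = decodeJwtPayload(idToken);
  const docs = [];
  for (const arn of claims['cognito:roles'] || []) {
    docs.push(...(await inlinePolicyDocuments(iam, roleNameFromArn(arn))));
  }
  return mergePolicyDocuments(docs);
}

// ---- constructed fixture: stand-in IAM client and an unsigned ID token ----
const FAKE_ROLES = {
  ReadersRole: {
    S3Read: { Version: '2012-10-17',
      Statement: [{ Effect: 'Allow', Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::example-bucket/*' }] },
  },
  AdminsRole: {
    DynamoWrite: { Version: '2012-10-17',
      Statement: { Effect: 'Allow', Action: 'dynamodb:PutItem', Resource: '*' } },
    DenyDelete: { Version: '2012-10-17',
      Statement: [{ Effect: 'Deny', Action: 's3:DeleteObject', Resource: '*' }] },
  },
};
const fakeIam = {
  listRolePolicies: ({ RoleName }) => ({ promise: async () => ({
    PolicyNames: Object.keys(FAKE_ROLES[RoleName] || {}), IsTruncated: false }) }),
  getRolePolicy: ({ RoleName, PolicyName }) => ({ promise: async () => ({
    PolicyDocument: encodeURIComponent(JSON.stringify(FAKE_ROLES[RoleName][PolicyName])) }) }),
};
// Constructed token carrying the claims Cognito issues for users in groups with roles.
const FAKE_ID_TOKEN = [
  b64url(JSON.stringify({ alg: 'RS256', kid: 'constructed' })),
  b64url(JSON.stringify({
    sub: '11111111-2222-3333-4444-555555555555',
    'cognito:groups': ['readers', 'admins'],
    'cognito:roles': ['arn:aws:iam::123456789012:role/ReadersRole',
                      'arn:aws:iam::123456789012:role/service/AdminsRole'],
  })),
  'signature-not-checked-here',
].join('.');
```

With a real client, `fakeIam` is replaced by `new AWS.IAM()` from aws-sdk v2 and `FAKE_ID_TOKEN` by the token the authorizer receives; `policyForIdToken` then returns the merged document that step 3 of the answer describes. Merged statements keep their original order, so a `Deny` from one role still overrides an `Allow` from another when the document is evaluated.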