TL;DR: Can the Amplify CloudFormation template for a Post Authentication function configuration be manually changed to give permissions to (for example) IoT attachPrincipalPolicy?
I am using AWS Amplify and the amplify CLI to setup a new project. Overall, Amplify has made things very easy however I am stuck with this feeling that you can only go "so far" with Amplify before things become difficult or impossible to do through an Amplify controlled project.
The use case I am interested in has to do with setting up PubSub with IoT - the AWS instructions cover how to get this working but I would call this more "proof of concept" than "something that you should use in anything close to production" - it involves manually calling aws iot attach-principal-policy --policy-name 'myIoTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>' on every single Cognito identity.
Instead what I would like to do is use a Post Authentication lambda function / event hook to call the attachPrincipalPolicy when a user logs into the website (potentially first checking to see if the policy is already attached!).
Perhaps obviously this does not "just work", I tested
    const AWS = require('aws-sdk'); // Node.js Lambda runtime, v2 SDK

    // Cognito Post Authentication trigger handler
    exports.handler = function (event, context, callback) {
        var iot = new AWS.Iot();
        var params = {
            policyName: 'myIoTPolicy', /* required */
            principal: 'XYZ123XYZ123' /* required */
        };
        try {
            iot.attachPrincipalPolicy(params, function (err, data) {
                if (err) console.log(err, err.stack); // an error occurred
                else console.log(data); // successful response
                callback(null, event); // hand control back to Cognito either way
            });
        } catch (e) {
            console.log(e); // synchronous failure thrown by the SDK call itself
        }
    };
and ended up with an error like
AccessDeniedException: User: arn:aws:sts::123123123123123:assumed-role/project82382PostAuthentication-master/project82382PostAuthentication-master is not authorized to perform: iot:AttachPrincipalPolicy on resource: XYZ123XYZ123
The heart of the question is, how do I give this lambda function permissions in a way that is going to not break when / if I modify the project using the Amplify CLI? For example, I could in theory change project82382PostAuthentication-cloudformation-template.json and add some sort of configuration that would give permission to execute iot:AttachPrincipalPolicy, but this would then be removed I'd think if / when I change configuration of something causing Amplify CLI to regenerate the CloudFormation templates?
Although it is quite the manual process, go to ./amplify/backend/function/your-function-name/your-function-name-cloud-formation-template.json and find "lambdaexecutionpolicy" -> "Properties" -> "PolicyDocument" -> "Statement". This is an array of policies. Simply add another object to the array with whatever you need. For example,
    {
        "Effect": "Allow",
        "Action": [
            "sns:*"
        ],
        "Resource": "*"
    }
Then run amplify status and you should see a pending update to your lambda. Run amplify push and those changes will be deployed to the cloud.
I was able to do this by updating the amplify/backend/function/{function-name}/custom-policies.json file.
I wanted to be able to call another lambda function that sits behind API Gateway so it looks like this, where "path" is the path to my endpoint and the "*" are wildcards:
See aws docs
    [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:*:*:*/*/POST/{path}"
            ]
        }
    ]
In the case of sns, I imagine you could use something like the permissions that @Demetrios posted in his answer
    [
        {
            "Effect": "Allow",
            "Action": [
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
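The following is an added example, not code from the question or either answer. It puts the two pieces together: a Post Authentication handler that first lists the principal's IoT policies and only calls attachPrincipalPolicy when the policy is missing (the "first check whether it is already attached" idea from the question), and the matching statement for amplify/backend/function/{function-name}/custom-policies.json that grants just those two actions instead of a service-wide wildcard. Resource is left as "*" because the AccessDeniedException quoted in the question shows that the resource being evaluated is the Cognito identity id itself, which has no ARN to scope to. The IoT client is injected rather than constructed, so the logic runs offline against the constructed fake client included here; in the real function you would pass `new AWS.Iot()` from the v2 aws-sdk. How the Cognito Identity ID is obtained from the trigger event is an assumption (the `resolvePrincipal` callback, here reading a hypothetical `custom:identityId` attribute), since the user-pool Post Authentication event does not carry the identity-pool id.

```javascript
'use strict';

// Statements for custom-policies.json (same shape as the answer above).
// Only the two actions the hook actually calls; no iot:* or sns:* wildcards.
function customPolicyStatements() {
  return [
    {
      Effect: 'Allow',
      Action: ['iot:AttachPrincipalPolicy', 'iot:ListPrincipalPolicies'],
      Resource: '*',
    },
  ];
}

// Attach policyName to principal unless it is already attached.
// `iot` is assumed to expose the v2 aws-sdk Iot client methods
// listPrincipalPolicies() and attachPrincipalPolicy(), each returning
// an object with .promise().
async function attachPolicyIfMissing(iot, policyName, principal) {
  let marker;
  do {
    // Build params conditionally so no undefined marker is sent on the first page.
    const params = marker ? { principal, marker } : { principal };
    const page = await iot.listPrincipalPolicies(params).promise();
    if ((page.policies || []).some((p) => p.policyName === policyName)) {
      return { attached: false, reason: 'already-attached' };
    }
    marker = page.nextMarker;
  } while (marker);
  await iot.attachPrincipalPolicy({ policyName, principal }).promise();
  return { attached: true, reason: 'attached' };
}

// Factory for the Lambda handler. resolvePrincipal(event) -> identity id or undefined
// is an assumption: the Post Authentication event has no identity-pool id of its own.
function makePostAuthHandler(iot, policyName, resolvePrincipal) {
  return async function handler(event) {
    const principal = resolvePrincipal(event);
    if (!principal) {
      console.warn('no Cognito identity id on event; skipping IoT policy attach');
      return event; // login continues; the user simply has no IoT access yet
    }
    try {
      const result = await attachPolicyIfMissing(iot, policyName, principal);
      console.log(`iot policy ${policyName} for ${principal}: ${result.reason}`);
    } catch (err) {
      // A failed attach grants less, not more, so it is safe to let login proceed
      // rather than lock every user out when IoT is unavailable.
      console.error('attachPolicyIfMissing failed', err);
    }
    return event; // Cognito requires the event to be returned unchanged
  };
}

// Constructed fake Iot client for running this offline. It records every call
// and keeps an in-memory map of principal -> attached policy names.
function fakeIotClient(initialAttachments) {
  const attachments = new Map();
  for (const [principal, names] of Object.entries(initialAttachments)) {
    attachments.set(principal, new Set(names));
  }
  const calls = [];
  return {
    calls,
    listPrincipalPolicies: (params) => ({
      promise: async () => {
        calls.push(['listPrincipalPolicies', params.principal]);
        const names = [...(attachments.get(params.principal) || [])];
        return {
          policies: names.map((n) => ({
            policyName: n,
            policyArn: `arn:aws:iot:us-east-1:123456789012:policy/${n}`, // constructed
          })),
        };
      },
    }),
    attachPrincipalPolicy: (params) => ({
      promise: async () => {
        calls.push(['attachPrincipalPolicy', params.principal]);
        if (!attachments.has(params.principal)) attachments.set(params.principal, new Set());
        attachments.get(params.principal).add(params.policyName);
        return {};
      },
    }),
  };
}

// Hypothetical principal lookup; the attribute name is an assumption.
const principalFromCustomAttribute = (event) =>
  ((event && event.request && event.request.userAttributes) || {})['custom:identityId'];

async function runDemo() {
  // Constructed state: one identity already has the policy, one does not.
  const iot = fakeIotClient({ 'us-east-1:aaaa-1111': ['myIoTPolicy'] });
  const handler = makePostAuthHandler(iot, 'myIoTPolicy', principalFromCustomAttribute);
  await handler({ request: { userAttributes: { 'custom:identityId': 'us-east-1:aaaa-1111' } } });
  await handler({ request: { userAttributes: { 'custom:identityId': 'us-east-1:bbbb-2222' } } });
  console.log(JSON.stringify(customPolicyStatements()));
  return iot.calls;
}

runDemo();
```

The second login for `us-east-1:bbbb-2222` produces one list call followed by one attach call, while the first identity produces a list call only; this is the cheap idempotency check the question asked about, and it also keeps the function from hammering AttachPrincipalPolicy on every sign-in.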