Amending AWS Amplify Lambda permissions with a custom CloudFormation template
If you want to extend the permissions that one of your AWS Amplify lambda functions has, then read on!
First, create a new folder in amplify/backend/ called perms. Add a subfolder named lambdaPermissions. Within the lambdaPermissions folder, create two files: parameters.json and template_lambdaPermissions.json.
In parameters.json, add the parameters you need to access in your CloudFormation template (template_lambdaPermissions.json).
Note: remember to follow the parameter naming convention that Amplify requires, <category><resourceName><attribute> (so apiresourcesHubGraphQLAPIIdOutput is the GraphQLAPIIdOutput attribute of the api resource resourcesHub), so that the values Amplify resolves from the dependsOn entries in backend-config.json line up with the parameter names in your template:
{
"apiresourcesHubGraphQLAPIIdOutput": {
"Fn::GetAtt": ["resourcesHub", "Outputs.GraphQLAPIIdOutput"]
},
"functionmanageCompanyLambdaExecutionRole": {
"Fn::GetAtt": ["manageCompany", "Outputs.LambdaExecutionRole"]
}
}
In template_lambdaPermissions.json, add a CloudFormation template similar to the one below. It declares the parameters from parameters.json (plus env, which Amplify always passes in) and creates an AWS::IAM::Policy attached to the function's execution role; Roles takes role names, which is what the function stack's LambdaExecutionRole output supplies.
Note that the Action list below grants the function control-plane rights on the API (appsync:Create*, appsync:Update*, appsync:Delete*, appsync:StartSchemaCreation, and the Get*/List* wildcards, which cover ListApiKeys) on top of appsync:GraphQL. A function that only needs to run queries and mutations should keep just appsync:GraphQL and narrow Resource from apis/<apiId>/* to the types and fields it actually calls.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Applies GraphQL permissions to lambda functions",
"Parameters": {
"env": {
"Type": "String"
},
"apiresourcesHubGraphQLAPIIdOutput": {
"Type": "String",
"Default": "apiresourcesHubGraphQLAPIIdOutput"
},
"functionmanageCompanyLambdaExecutionRole": {
"Type": "String",
"Default": "functionmanageCompanyLambdaExecutionRole"
}
},
"Conditions": {},
"Resources": {
"GraphQLPermissionsUpdate": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "GraphQL-permission-lambda",
"Roles": [
{
"Ref": "functionmanageCompanyLambdaExecutionRole"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"appsync:Create*",
"appsync:StartSchemaCreation",
"appsync:GraphQL",
"appsync:Get*",
"appsync:List*",
"appsync:Update*",
"appsync:Delete*"
],
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:appsync:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":apis/",
{
"Ref": "apiresourcesHubGraphQLAPIIdOutput"
},
"/*"
]
]
}
]
}
]
}
}
}
},
"Outputs": {}
}
Finally, update your amplify/backend/backend-config.json file so that Amplify knows this resource exists and which api and function outputs it depends on:
{
"auth": {
....
},
"api": {
.....
},
"perms": {
"lambdaPermissions": {
"service": "GraphQL Permission updates",
"providerPlugin": "awscloudformation",
"dependsOn": [
{
"category": "api",
"resourceName": "resourcesHub",
"attributes": [
"GraphQLAPIIdOutput"
]
},
{
"category": "function",
"resourceName": "manageCompany",
"attributes": [
"LambdaExecutionRole"
]
}
]
}
}
}
....
Make sure to update the above with the correct resource names that you've set for your api category / lambda function: change resourcesHub and manageCompany to match the resource names you're using in your Amplify project. These names can all be seen in the backend-config.json file.
Once ready to deploy, run:
amplify env checkout <envName>
So in my case:
amplify env checkout develop
This notifies the Amplify CLI of the new resource and its template. Then run amplify push to deploy the policy, which will be attached to your Lambda function's execution role. After the push, check in IAM that the inline policy GraphQL-permission-lambda appears on that role and grants only what the function needs.
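As an added pre-push check that is not part of the original post or of the Amplify CLI: the script below parses a template like the one above, resolves the Fn::Join resource ARN with sample region, account and API id values (assumed placeholders, not real identifiers), flags every Allow action beyond appsync:GraphQL, and builds a replacement statement scoped to named fields. Only Ref and Fn::Join are resolved, which is all this template uses.

```python
"""Pre-push audit for a custom AWS::IAM::Policy template like the one above.
Added example, not code from the original post or the Amplify CLI."""
import json

# Constructed sample: the post's template_lambdaPermissions.json with the
# Description, Conditions and Outputs sections dropped; the policy is unchanged.
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "apiresourcesHubGraphQLAPIIdOutput": {"Type": "String"},
    "functionmanageCompanyLambdaExecutionRole": {"Type": "String"}
  },
  "Resources": {
    "GraphQLPermissionsUpdate": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "GraphQL-permission-lambda",
        "Roles": [{"Ref": "functionmanageCompanyLambdaExecutionRole"}],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": ["appsync:Create*", "appsync:StartSchemaCreation",
                       "appsync:GraphQL", "appsync:Get*", "appsync:List*",
                       "appsync:Update*", "appsync:Delete*"],
            "Resource": [{"Fn::Join": ["", [
              "arn:aws:appsync:", {"Ref": "AWS::Region"}, ":",
              {"Ref": "AWS::AccountId"}, ":apis/",
              {"Ref": "apiresourcesHubGraphQLAPIIdOutput"}, "/*"]]}]
          }]
        }
      }
    }
  }
}
'''

# Assumed values for the pseudo parameters and the Amplify-injected
# parameters; the API id and role name are placeholders, not real ones.
SAMPLE_PARAMS = {
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "123456789012",
    "apiresourcesHubGraphQLAPIIdOutput": "abcdefghijklmnopqrstuvwxyz",
    "functionmanageCompanyLambdaExecutionRole": "manageCompanyLambdaRole-develop",
}

# The only AppSync action a Lambda needs in order to run queries and mutations.
DATA_PLANE_ACTIONS = {"appsync:GraphQL"}


def load_template():
    return json.loads(TEMPLATE_JSON)


def resolve(node, params):
    """Resolve a string, {"Ref": ...} or {"Fn::Join": ...} node to a string."""
    if isinstance(node, str):
        return node
    if "Ref" in node:
        return params[node["Ref"]]
    if "Fn::Join" in node:
        separator, parts = node["Fn::Join"]
        return separator.join(resolve(part, params) for part in parts)
    raise ValueError(f"unsupported intrinsic: {node}")


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit(template, params):
    """Return (resource_name, statement_index, problem) for every Allow action
    beyond the data plane and every resolved ARN not scoped to an API here."""
    findings = []
    api_prefix = f"arn:aws:appsync:{params['AWS::Region']}:{params['AWS::AccountId']}:apis/"
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Policy":
            continue
        statements = res["Properties"]["PolicyDocument"]["Statement"]
        for i, stmt in enumerate(statements):
            if stmt["Effect"] != "Allow":
                continue
            for action in as_list(stmt["Action"]):
                if action not in DATA_PLANE_ACTIONS:
                    findings.append((name, i, f"action {action}"))
            for resource in as_list(stmt["Resource"]):
                arn = resolve(resource, params)
                if not arn.startswith(api_prefix):
                    findings.append((name, i, f"resource {arn}"))
    return findings


def graphql_only_statement(api_id, region, account, fields):
    """Least-privilege replacement: appsync:GraphQL on (type, field) pairs only."""
    return {
        "Effect": "Allow",
        "Action": ["appsync:GraphQL"],
        "Resource": [
            f"arn:aws:appsync:{region}:{account}:apis/{api_id}/types/{t}/fields/{f}"
            for t, f in fields
        ],
    }
```

To run it against your own template, replace TEMPLATE_JSON with the contents of template_lambdaPermissions.json and SAMPLE_PARAMS with your region, account and API id; an empty findings list means the policy grants nothing beyond data-plane access to one API, which is all a Lambda that only calls the API needs.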
Hope this helps!