Amending AWS Amplify Lambda permissions with a custom Cloudformation template

If you want to extend the permissions that one of your AWS Amplify Lambda functions has, without hand-editing the CloudFormation that Amplify generates for the function itself, then read on! The approach is to add a small custom CloudFormation resource that attaches an extra IAM policy to the function's execution role.

First create a new folder in amplify/backend/ called perms.

Add a subfolder with the name of lambdaPermissions.

Within the lambdaPermissions folder, create two files - parameters.json and template_lambdaPermissions.json.

In parameters.json, add the params you need to access in your CloudFormation template (template_lambdaPermissions.json).

Note: the parameter names must follow the convention Amplify uses when it passes outputs between categories, <category><resourceName><attribute>, so the GraphQLAPIIdOutput of the api resource resourcesHub becomes apiresourcesHubGraphQLAPIIdOutput and the LambdaExecutionRole output of the function manageCompany becomes functionmanageCompanyLambdaExecutionRole:

{
    "apiresourcesHubGraphQLAPIIdOutput": {
        "Fn::GetAtt": ["resourcesHub", "Outputs.GraphQLAPIIdOutput"]
    },
    "functionmanageCompanyLambdaExecutionRole": {
        "Fn::GetAtt": ["manageCompany", "Outputs.LambdaExecutionRole"]
    }
}

In template_lambdaPermissions.json add a CloudFormation template similar to the one below. It creates an inline IAM policy (AWS::IAM::Policy) and attaches it to the function's execution role, scoped to the one AppSync API. Note that the action list shown is broad: appsync:Create*, Update*, Delete* and StartSchemaCreation are control-plane actions that manage the API itself, so if the function only needs to call the API, trim the list to appsync:GraphQL and narrow the Resource to the specific types/fields it invokes.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Applies GraphQL permissions to lambda functions",
    "Parameters": {
        "env": {
            "Type": "String"
        },
        "apiresourcesHubGraphQLAPIIdOutput": {
            "Type": "String",
            "Default": "apiresourcesHubGraphQLAPIIdOutput"
        },
        "functionmanageCompanyLambdaExecutionRole": {
            "Type": "String",
            "Default": "functionmanageCompanyLambdaExecutionRole"
        }
    },
    "Conditions": {},
    "Resources": {
        "GraphQLPermissionsUpdate": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "GraphQL-permission-lambda",
                "Roles": [
                    {
                        "Ref": "functionmanageCompanyLambdaExecutionRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "appsync:Create*",
                                "appsync:StartSchemaCreation",
                                "appsync:GraphQL",
                                "appsync:Get*",
                                "appsync:List*",
                                "appsync:Update*",
                                "appsync:Delete*"
                            ],
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:appsync:",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            ":",
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            ":apis/",
                                            {
                                                "Ref": "apiresourcesHubGraphQLAPIIdOutput"
                                            },
                                            "/*"
                                        ]
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    },
    "Outputs": {}
}

Finally, update your amplify/backend/backend-config.json file to let amplify know that this resource exists.

{
  "auth": {
....
   },
  "api": {
  ..... 
  },
  "perms": {
    "lambdaPermissions": {
      "service": "GraphQL Permission updates",
      "providerPlugin": "awscloudformation",
      "dependsOn": [
        {
          "category": "api",
          "resourceName": "resourcesHub",
          "attributes": [
            "GraphQLAPIIdOutput"
          ]
        },
        {
          "category": "function",
          "resourceName": "manageCompany",
          "attributes": [
            "LambdaExecutionRole"
          ]
        }
      ]
    }
  }
}
....

Replace resourcesHub and manageCompany with the resource names of your own api category and Lambda function; these are the keys listed under "api" and "function" in backend-config.json. Because of the naming convention above, the parameter names in parameters.json and in the template's Parameters section must change with them (for example, an api resource called myApi would give apimyApiGraphQLAPIIdOutput).

Once ready to deploy, run:

amplify env checkout <envName>

So in my case:

amplify env checkout develop

Checking the environment out again makes the Amplify CLI re-read backend-config.json, so it picks up the new perms resource and its dependencies.

Then run amplify push to deploy the new policy, which will be attached to your Lambda function's execution role. You can confirm the result in the IAM console: the role now carries an inline policy named GraphQL-permission-lambda with the statement from the template.
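Because the three files above only line up if the parameter names match exactly, a mismatch usually surfaces as a confusing CloudFormation error at push time. The script below is an added example (not from the original post or the Amplify CLI) that checks the wiring offline and also lists the actions in the policy that go beyond what a Lambda needs simply to call the API. The three documents are constructed inline from the post's snippets; the allow-list of appsync:GraphQL, and the field names createCompany and getCompany used for the tightened statement, are assumptions you would replace with what your function really calls.

```python
"""Offline check for an Amplify custom perms resource (added example)."""
import json

# Constructed: the perms entry from the post's backend-config.json.
BACKEND_CONFIG = {
    "perms": {
        "lambdaPermissions": {
            "service": "GraphQL Permission updates",
            "providerPlugin": "awscloudformation",
            "dependsOn": [
                {"category": "api", "resourceName": "resourcesHub",
                 "attributes": ["GraphQLAPIIdOutput"]},
                {"category": "function", "resourceName": "manageCompany",
                 "attributes": ["LambdaExecutionRole"]},
            ],
        }
    }
}

# Constructed: parameters.json from the post.
PARAMETERS = {
    "apiresourcesHubGraphQLAPIIdOutput": {
        "Fn::GetAtt": ["resourcesHub", "Outputs.GraphQLAPIIdOutput"]},
    "functionmanageCompanyLambdaExecutionRole": {
        "Fn::GetAtt": ["manageCompany", "Outputs.LambdaExecutionRole"]},
}

# Constructed: the Parameters and policy actions from the post's template.
TEMPLATE = {
    "Parameters": {
        "env": {"Type": "String"},
        "apiresourcesHubGraphQLAPIIdOutput": {"Type": "String"},
        "functionmanageCompanyLambdaExecutionRole": {"Type": "String"},
    },
    "Resources": {
        "GraphQLPermissionsUpdate": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [{
                "Effect": "Allow",
                "Action": ["appsync:Create*", "appsync:StartSchemaCreation",
                           "appsync:GraphQL", "appsync:Get*", "appsync:List*",
                           "appsync:Update*", "appsync:Delete*"],
            }]}},
        }
    },
}


def expected_parameters(backend_config, category, resource):
    """Names Amplify passes in, one per dependsOn attribute:
    <category><resourceName><attribute>."""
    deps = backend_config[category][resource]["dependsOn"]
    return {f"{d['category']}{d['resourceName']}{attr}"
            for d in deps for attr in d["attributes"]}


def wiring_problems(backend_config, parameters, template,
                    category="perms", resource="lambdaPermissions"):
    """Mismatches between the three files; an empty list means they agree."""
    deps = backend_config[category][resource]["dependsOn"]
    expected = expected_parameters(backend_config, category, resource)
    problems = [f"parameters.json is missing {n}"
                for n in sorted(expected - set(parameters))]
    problems += [f"template does not declare parameter {n}"
                 for n in sorted(expected - set(template["Parameters"]))]
    for name, value in parameters.items():
        # Each Fn::GetAtt must point at a stack that is listed in dependsOn.
        target = value.get("Fn::GetAtt", [None])[0]
        if not any(d["resourceName"] == target for d in deps):
            problems.append(f"{name} reads from {target}, not in dependsOn")
    return problems


def excess_actions(template, allowed=("appsync:GraphQL",)):
    """Actions beyond the allow-list (assumption: the Lambda only calls the API).
    Create*/Update*/Delete*/StartSchemaCreation manage the API itself."""
    found = set()
    for res in template["Resources"].values():
        if res["Type"] != "AWS::IAM::Policy":
            continue
        for stmt in res["Properties"]["PolicyDocument"]["Statement"]:
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            found.update(a for a in actions if a not in allowed)
    return sorted(found)


def least_privilege_statement(api_id_param, fields):
    """Replacement statement: appsync:GraphQL only, scoped to named fields.
    AppSync resources take the form apis/<id>/types/<Type>/fields/<field>.
    `fields` is e.g. [("Mutation", "createCompany")] (hypothetical names)."""
    def arn(type_name, field):
        return {"Fn::Join": ["", [
            "arn:aws:appsync:", {"Ref": "AWS::Region"}, ":",
            {"Ref": "AWS::AccountId"}, ":apis/", {"Ref": api_id_param},
            f"/types/{type_name}/fields/{field}"]]}
    return {"Effect": "Allow", "Action": ["appsync:GraphQL"],
            "Resource": [arn(t, f) for t, f in fields]}


if __name__ == "__main__":
    print(wiring_problems(BACKEND_CONFIG, PARAMETERS, TEMPLATE) or "wiring OK")
    print("actions beyond appsync:GraphQL:", excess_actions(TEMPLATE))
    print(json.dumps(least_privilege_statement(
        "apiresourcesHubGraphQLAPIIdOutput",
        [("Mutation", "createCompany"), ("Query", "getCompany")]), indent=2))
```

Run it as a script after editing the three files (swap the inline dictionaries for json.load calls on the real files). The wiring check reports the exact parameter name that is missing or misspelled, and the printed statement is a drop-in replacement for the broad one in the template when the function only needs to execute particular queries and mutations.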

Hope this helps!