From 4fb99e4cb329f9fb1a91d26d0a161290244aad80 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 10:46:11 +1030
Subject: [PATCH 1/8] remove duplicate trailing slash
---
 packages/serverless-deploy-iam/bin/app.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index e98f3dc..a85bb4c 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -297,7 +297,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: 'COGNITO',
- prefix: `arn:aws:cognito-sync:${region}:${accountId}:identitypool/`,
+ prefix: `arn:aws:cognito-sync:${region}:${accountId}:identitypool`,
 qualifiers: [`${serviceName}*`],
 actions: [
 "cognito-sync:BulkPublish",
@@ -346,7 +346,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: 'COGNITO_IDP',
- prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool/`,
+ prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
 qualifiers: [`${serviceName}*`, `${region}_*`],
 actions: [
 "cognito-idp:Create*",
From 53eb5e43f0a627f3df48f456794394a9a7559235 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 10:51:18 +1030
Subject: [PATCH 2/8] add cognito-idp:CreateUserPool against all resources
---
 packages/serverless-deploy-iam/bin/app.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index a85bb4c..21de2b2 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -359,6 +359,14 @@ export class ServiceDeployIAM extends cdk.Stack {
 "cognito-idp:UntagResource",
 "cognito-idp:Update*",
 ]
+ },
+ {
+ name: 'COGNITO_IDP_CREATEUSERPOOL',
+ prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
+ qualifiers: ["*"],
+ actions: [
+ "cognito-idp:CreateUserPool"
+ ]
 }
 ]
 }
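Review bot: The `${region}_*` qualifier kept on the COGNITO_IDP entry in the second hunk makes the `${serviceName}*` qualifier beside it redundant, because every Cognito user pool id has the form `<region>_<suffix>`, so `userpool/${region}_*` already matches every user pool in the account's region for the listed `cognito-idp:*` actions. This commit only drops the trailing slash from the prefix, but since it reworks the resource shape it is the right moment to make that scope explicit. If region-wide really is intended, a comment such as `// ${region}_* matches every user pool in this region: pool ids carry no service name` documents it; if not, the qualifier should be removed and the service's pools identified another way. The entry's action list continues outside the hunk, so I cannot tell how many write actions this region-wide resource carries.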
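Review bot: The new COGNITO_IDP_CREATEUSERPOOL entry produces the resource `arn:aws:cognito-idp:<region>:<account>:userpool/*` (prefix, default `/` delimiter, qualifier `"*"`), which is not the same as the `"*"` Resource the subject line ("against all resources") suggests. As far as I recall the Service Authorization Reference lists no resource type for `cognito-idp:CreateUserPool` (only `aws:RequestTag`/`aws:TagKeys` condition keys), in which case IAM requires a literal `*` and the `userpool/*` pattern would not grant the action at all; please verify by synthesizing the policy and exercising the deploy role before relying on it. The same question applies to `cognito-identity:CreateIdentityPool` added in PATCH 3/8. Whatever the outcome, a one-line comment on the entry, e.g. `// CreateUserPool targets a pool that does not exist yet, so no id-scoped ARN is possible`, would explain why this entry alone uses a bare wildcard.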
From 7657e14fc1604ed1e80ddce700a5961a96c42f9f Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 10:56:53 +1030
Subject: [PATCH 3/8] allow cognito cognito-identity:CreateIdentityPool
---
 packages/serverless-deploy-iam/bin/app.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 21de2b2..8f3e9b6 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -367,6 +367,14 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: [
 "cognito-idp:CreateUserPool"
 ]
+ },
+ {
+ name: 'COGNITO_IDP_IDENTITYPOOL',
+ prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
+ qualifiers: [],
+ actions: [
+ "cognito-identity:CreateIdentityPool"
+ ]
 }
 ]
 }
From 956d13fae832a599d5fe2cb3a217fe57e7bed4c4 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:01:51 +1030
Subject: [PATCH 4/8] expand cognito IAM role resource boundary
---
 packages/serverless-deploy-iam/bin/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 8f3e9b6..7d2b505 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -175,7 +175,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'IAM',
 prefix: `arn:aws:iam::${accountId}:role`,
- qualifiers: [`${serviceName}*`],
+ qualifiers: [`*${serviceName}*`],
 actions: [
 "iam:CreateRole",
 "iam:PassRole",
From d4cb199ea49362204ffab57fc4e98de8ed07fdfb Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:15:24 +1030
Subject: [PATCH 5/8] allow cognito cognito-identity:SetIdentityPoolRoles
---
 packages/serverless-deploy-iam/bin/app.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
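Review bot: The new entry is named `COGNITO_IDP_IDENTITYPOOL` although its prefix is a `cognito-identity` ARN and its action is `cognito-identity:CreateIdentityPool`; the `IDP` label belongs to the user-pool service (`cognito-idp`), so the name misdescribes the entry. The `name` field is also what `formatResourceQualifier` switches on to pick the ARN delimiter (PATCH 7/8 adds a `case "COGNITO":` there), so a misleading name invites the wrong case being added later. Renaming it `COGNITO_IDENTITY` keeps the entry names aligned with the service prefixes used everywhere else in this list. The empty `qualifiers: []` yields no resources at all from the helper, but PATCH 5/8 already fixes that.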
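Review bot: The change to `*${serviceName}*` on the IAM entry puts a leading wildcard in front of the only thing that scopes `iam:CreateRole` and `iam:PassRole` (plus whatever actions follow outside the hunk), so the deploy role can now create and pass any role in the account whose name merely contains the service name, including roles under other paths (a `*` in a resource ARN also matches `/`) and roles of unrelated services whose names happen to overlap. `iam:PassRole` is the action that hands a role's permissions to another service, so its resource boundary is the one worth keeping narrowest, and a change to it deserves a comment saying which roles it is meant to reach. If the motivation is a Cognito-generated role name that places a fixed prefix before the service name, as the subject suggests, adding that pattern as a second qualifier is tighter than the leading wildcard: `qualifiers: [\`${serviceName}*\`, \`<KNOWN_PREFIX>${serviceName}*\`]`, with `<KNOWN_PREFIX>` replaced by the actual prefix once confirmed.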
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 7d2b505..17b92e3 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -371,9 +371,10 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'COGNITO_IDP_IDENTITYPOOL',
 prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
- qualifiers: [],
+ qualifiers: [`${region}_*`],
 actions: [
- "cognito-identity:CreateIdentityPool"
+ "cognito-identity:CreateIdentityPool",
+ "cognito-identity:SetIdentityPoolRoles"
 ]
 }
 ]
From f24c877214926f8fa283dbe61daba8f7c866b583 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:19:55 +1030
Subject: [PATCH 6/8] allow cognito cognito-identity:SetIdentityPoolRoles - fix format
---
 packages/serverless-deploy-iam/bin/app.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 17b92e3..0a1b03b 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -371,7 +371,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'COGNITO_IDP_IDENTITYPOOL',
 prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
- qualifiers: [`${region}_*`],
+ qualifiers: [`${region}:*`],
 actions: [
 "cognito-identity:CreateIdentityPool",
 "cognito-identity:SetIdentityPoolRoles"
From 3280d910b31d42a55d5630788bd74ec56e4f17bf Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:50:31 +1030
Subject: [PATCH 7/8] mark COGNITO with its delimiter
---
 packages/serverless-deploy-iam/bin/app.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 0a1b03b..1c01910 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
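Review bot: `cognito-identity:SetIdentityPoolRoles` is granted here on `identitypool/${region}_*`, corrected to `identitypool/${region}:*` by PATCH 6/8 in the next hunk, and in either form the resource is every identity pool in the region: pool ids are `<region>:<guid>` and carry no service-name component, so nothing in this entry ties the grant to this service. SetIdentityPoolRoles is the call that binds IAM roles to a pool's authenticated and unauthenticated identities, so together with the `iam:PassRole` grant on the IAM entry it is the path that decides which roles end users of any pool in the region can be handed. That is a deliberate trade-off, and it should be written down on the entry, e.g. `// identity pool ids carry no service name, so this is region-wide; with iam:PassRole this binds roles to pools`. If the build pipeline tags the pools it creates, a tag-based condition would be the way to narrow it, but the current entry shape (prefix/qualifiers/actions) has nowhere to express one.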
@@ -593,6 +593,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(serviceName: string, prefix: string, qualifiers: string[]): string[] {
 let delimiter = "/";
 switch (serviceName) {
+ case "COGNITO":
 case "CLOUD_WATCH":
 case "LAMBDA":
 case "S3":
From 7f8933e41770f0da93bc6af66e131f043be97e77 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 12:29:15 +1030
Subject: [PATCH 8/8] mark COGNITO with its delimiter
---
 packages/serverless-deploy-iam/bin/app.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 1c01910..4c13972 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -605,7 +605,6 @@ export class ServiceDeployIAM extends cdk.Stack {
 case "EVENT_BRIDGE":
 delimiter = ":";
 break;
- // TODO: add cognito
 }
 return qualifiers.filter(Boolean).map((qualifier) => { return `${prefix}${delimiter}${qualifier}` })
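Review bot: Adding `case "COGNITO":` to the `":"` group makes the COGNITO entry render as `arn:aws:cognito-sync:<region>:<account>:identitypool:<qualifier>`, but Cognito Sync identity-pool ARNs use a slash there (`identitypool/<pool-id>`), so the generated resource should not match any real pool and the statement becomes a no-op rather than a grant. The colon that belongs in the ARN is the one inside the pool id (`<region>:<guid>`), and this series already handles that case correctly in the COGNITO_IDP_IDENTITYPOOL entry by keeping the default `/` delimiter and putting the colon in the qualifier (`${region}:*`). I would drop the new `case "COGNITO":` line and, if the entry's `${serviceName}*` qualifier is meant to reach this service's pools, revisit that qualifier instead, since pool ids never start with a service name. `formatResourceQualifier` begins in this hunk but its body continues past it, so I cannot see whether anything downstream compensates.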