I am attempting to secure my AWS API such that DynamoDB rows can only be accessed by the corresponding authenticated Cognito user by implementing fine-grained access control in my Serverless Framework config (serverless.yml).
See example of what I am attempting in the AWS Documentation
I have tried to convert the CloudFormation syntax to Serverless without success; when I try something like the following expression in my policy statement:
Condition:
  ForAllValues:StringEquals:
    dynamodb:LeadingKeys: ["${cognito-identity.amazonaws.com:sub}"]
I then get an error:
Invalid variable reference syntax for variable cognito-identity.amazonaws.com:sub. You can only reference env vars, options, & files. You can check our docs for more info.
Is this even possible in Serverless? Or is it CloudFormation and SAM only?
I was encountering the same problem and solved it this way:
Condition:
  ForAnyValue:StringLike:
    "dynamodb:LeadingKeys":
      - !Join ["", [ "$", "{cognito-identity.amazonaws.com:sub}" ]]
That's not very clean, but as of now the variables syntax collides with the AWS parameter syntax. See this for more details - https://github.com/serverless/serverless/issues/2601
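As an added example that is not part of the question or the answer above, here is a complete serverless.yml fragment that applies the !Join workaround inside the fine-grained access control setup the AWS documentation describes: a DynamoDB table whose partition key is the Cognito identity id, an IAM role that only authenticated identities of an identity pool can assume, and a policy on that role whose dynamodb:LeadingKeys condition is built with !Join so the Serverless variable resolver never sees `${...}`. The service name, table name and key names, the stage variable, and the identity pool id (a placeholder) are assumptions; the role is attached to the identity pool rather than to the Lambda execution role because the cognito-identity.amazonaws.com:sub policy variable is only populated when credentials come from Cognito Identity via AssumeRoleWithWebIdentity.

```yaml
# Added example, not the original poster's or the answerer's config.
# Names, table schema and the identity pool id are placeholders.
service: notes-api                     # assumed service name

provider:
  name: aws
  runtime: nodejs18.x
  region: us-east-1
  stage: ${opt:stage, 'dev'}           # Serverless variable syntax: resolved at deploy time

custom:
  # Placeholder: id of an existing Cognito identity pool (assumed)
  identityPoolId: us-east-1:00000000-0000-0000-0000-000000000000

resources:
  Resources:
    NotesTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: notes-${self:provider.stage}
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: userId
            AttributeType: S
          - AttributeName: noteId
            AttributeType: S
        KeySchema:
          # Partition key holds the Cognito identity id, so LeadingKeys can be
          # compared against cognito-identity.amazonaws.com:sub at request time.
          - AttributeName: userId
            KeyType: HASH
          - AttributeName: noteId
            KeyType: RANGE

    # Role that authenticated identities of the pool assume via Cognito Identity.
    CognitoAuthRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud": ${self:custom.identityPoolId}
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: dynamodb-own-rows-only
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  # Deliberately no dynamodb:Scan: Scan carries no leading keys,
                  # and ForAllValues evaluates to true on an empty key set.
                  Action:
                    - dynamodb:GetItem
                    - dynamodb:PutItem
                    - dynamodb:UpdateItem
                    - dynamodb:DeleteItem
                    - dynamodb:Query
                  Resource: !GetAtt NotesTable.Arn
                  Condition:
                    ForAllValues:StringEquals:
                      "dynamodb:LeadingKeys":
                        # AWS policy variable, assembled with !Join so that
                        # Serverless does not try to resolve "${...}" itself.
                        - !Join ["", ["$", "{cognito-identity.amazonaws.com:sub}"]]

    # Bind the role to the identity pool's authenticated identities.
    IdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId: ${self:custom.identityPoolId}
        Roles:
          authenticated: !GetAtt CognitoAuthRole.Arn
```

Two points worth checking in your own config: the condition only does something if the table's partition key is the Cognito identity id that clients write into every request, and `ForAllValues:StringEquals` (as in the AWS example the question links) is the stricter choice, since a `ForAnyValue` condition is satisfied as soon as one key in a multi-key request such as BatchGetItem matches the caller's identity.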