
Ensuring that roles pick up the region and account ID
pius committed Jul 10, 2015
1 parent 0eaaeb0 commit f10c2d4
Showing 9 changed files with 24 additions and 21 deletions.
14 changes: 7 additions & 7 deletions iam/Cognito_LambdAuthAuth_Role.json
Expand Up @@ -17,13 +17,13 @@
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthChangePassword",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthChangePassword",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
]
}
]
12 changes: 6 additions & 6 deletions iam/Cognito_LambdAuthUnauth_Role.json
Expand Up @@ -17,12 +17,12 @@
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
"arn:aws:lambda:eu-west-1:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthCreateUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthVerifyUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostUser",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLostPassword",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthResetPassword",
"arn:aws:lambda:<REGION>:<AWS_ACCOUNT_ID>:function:LambdAuthLogin"
]
}
]
2 changes: 1 addition & 1 deletion iam/LambdAuthChangePassword.json
Expand Up @@ -7,7 +7,7 @@
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Sid": "",
2 changes: 1 addition & 1 deletion iam/LambdAuthCreateUser.json
Expand Up @@ -6,7 +6,7 @@
"dynamodb:PutItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Effect": "Allow",
4 changes: 2 additions & 2 deletions iam/LambdAuthLogin.json
Expand Up @@ -6,14 +6,14 @@
"dynamodb:GetItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Effect": "Allow",
"Action": [
"cognito-identity:GetOpenIdTokenForDeveloperIdentity"
],
"Resource": "arn:aws:cognito-identity:eu-west-1:<AWS_ACCOUNT_ID>:identitypool/<IDENTITY_POOL_ID>"
"Resource": "arn:aws:cognito-identity:<REGION>:<AWS_ACCOUNT_ID>:identitypool/<IDENTITY_POOL_ID>"
},
{
"Sid": "",
2 changes: 1 addition & 1 deletion iam/LambdAuthLostPassword.json
Expand Up @@ -7,7 +7,7 @@
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Effect": "Allow",
2 changes: 1 addition & 1 deletion iam/LambdAuthResetPassword.json
Expand Up @@ -7,7 +7,7 @@
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Sid": "",
2 changes: 1 addition & 1 deletion iam/LambdAuthVerifyUser.json
Expand Up @@ -7,7 +7,7 @@
"dynamodb:UpdateItem"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-1:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
"Resource": "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<DYNAMODB_TABLE>"
},
{
"Sid": "",
5 changes: 4 additions & 1 deletion init.sh
Expand Up @@ -68,6 +68,7 @@ for f in $(ls -1 trust*); do
sed -e "s/<AWS_ACCOUNT_ID>/$AWS_ACCOUNT_ID/g" \
-e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
-e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
-e "s/<REGION>/$REGION/g" \
-e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
$f > edit/$f
echo "Editing trust from $f end"
Expand All @@ -78,6 +79,7 @@ for f in $(ls -1 Cognito*); do
sed -e "s/<AWS_ACCOUNT_ID>/$AWS_ACCOUNT_ID/g" \
-e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
-e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
-e "s/<REGION>/$REGION/g" \
-e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
$f > edit/$f
if [[ $f == *Unauth_* ]]; then
Expand All @@ -93,7 +95,7 @@ for f in $(ls -1 Cognito*); do
echo "Creating role $role end"
done
echo "Setting identity pool roles begin..."
roles='{"unauthenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$unauthRole"'","authenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/'"$authRole"'"}'
roles='{"unauthenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$unauthRole"'","authenticated":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/'"$authRole"'"}'
echo "Roles: $roles"
aws cognito-identity set-identity-pool-roles \
--identity-pool-id $IDENTITY_POOL_ID \
Expand All @@ -109,6 +111,7 @@ for f in $(ls -1 LambdAuth*); do
-e "s/<DYNAMODB_TABLE>/$DDB_TABLE/g" \
-e "s/<DYNAMODB_EMAIL_INDEX>/$DDB_EMAIL_INDEX/g" \
-e "s/<IDENTITY_POOL_ID>/$IDENTITY_POOL_ID/g" \
-e "s/<REGION>/$REGION/g" \
$f > edit/$f
trust="trust_policy_lambda.json"
aws iam create-role --role-name $role --assume-role-policy-document file://edit/$trust
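Review bot: The new `-e "s/<REGION>/$REGION/g" \` line in each of the three sed invocations interpolates `$REGION` without checking that it is set; if it is empty the placeholder is silently replaced by nothing and the generated policies carry ARNs of the form `arn:aws:lambda::<account>:function:...`, which match no resource, so the roles end up unusable rather than failing loudly. A guard near the top of the script where the variables are defined (outside these hunks), such as `: "${REGION:?REGION must be set}"`, fails fast instead; the same applies to the other substituted variables, though those predate this commit. The substitution is also inserted before `<IDENTITY_POOL_ID>` in the first two loops but after it in the third, and ordering the `-e` expressions identically in all three makes the invocations easier to compare. The `for f in $(ls -1 ...)` loops that enclose each hunk begin outside the hunk.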
