Update Policy for Amplify's Auth Role and Unauth Role in the Serverless Framework.
Install the plugin via Yarn (recommended)
yarn add --dev serverless-amplify-auth
or via NPM
npm i -D serverless-amplify-auth
You must also add the amplify:GetBackendEnvironment
permission to the IAM Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"amplify:GetBackendEnvironment"
],
"Resource": "*"
}
]
}
Add serverless-amplify-auth
to the plugins section of serverless.yml
plugins:
- serverless-amplify-auth
Add the following example config to the custom section of serverless.yml
custom:
amplify-auth:
appId: XXXXXXXXXXXXX # <string (required): Amplify's Application ID>
envName: ${opt:stage, self:provider.stage, 'dev'} # <string (required): Amplify's environment name>
# profile: default # <string (optional): Specify an AWS Profile that can handle Amplify and IAM>
# isClearPolicy: false # <boolean (optional): Delete all policies existing in the Role before updating the Policy>
unauthRole: # <Policy (optional): Write a policy for the unauthRole created by Amplify auth>
- PolicyName: "Unauth"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- appsync:GraphQL
Resource:
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Mutation/fields/createComment
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Query/fields/listComments
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Subscription/fields/onCreateComment
authRole: # <Policy (optional): Write a policy for the authRole created by Amplify auth>
- PolicyName: "Auth"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- appsync:GraphQL
Resource:
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Mutation/*
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Query/*
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Subscription/*
In the custom.amplify-auth.authRole
and custom.amplify-auth.unauthRole
fields, you can use #{AWS::AccountId}
and #{AWS::Region}
. The #{AWS::AccountId}
and #{AWS::Region}
can be used to set the value of the AWS Account ID and Region information set in the AWS Profile, which are necessary to build an ARN. ๐ช
Update the authRole
and unauthRole
policy of Amplify specified by custom.amplify-auth.appId
at the same time of deploying of the functions.
Update the authRole
and unauthRole
policy of Amplify specified by custom.amplify-auth.appId
.
If you have any questions, please feel free to reach out to me directly on Twitter nikaera, or feel free to create an Issue or PR for you.