Is your feature request related to a problem? Please describe.
Currently I was able to add a custom role and policies via the stacks/CustomResources CloudFormation template, but I cannot find a way to attach the role to the generated lambdaFunctionA.
Describe the solution you'd like
I'd like to assign the custom role with policies to the amplify cli generated function "lambdaFunctionA" (amplify function add). Maybe one way is to be able to overwrite the automatically assigned policy but I need guidance if this is possible (but anyway would be better to use custom naming convention than cryptic automatically generated one)
Describe alternatives you've considered
Edited CustomResources.json, tried to add an aws::lambda block with the same information as the generated lambda, but it fails (seems amplify wants to create a new one)
Maybe slightly related to https://github.com/aws-amplify/amplify-cli/issues/36 with the addition of custom config of CustomResources.json
Apart from not being able to add a custom role, is it possible to add a new policy to the created role? My lambda function needs access to S3, and I don't want to manually go to the role and assign it to it
As a workaround, I've been editing the local cloudformation-template.json located at: amplify/backend/function/myFunctionName/myFunctionName-cloudformation-template.json
Under: Resources > lambdaexecutionpolicy > Properties > PolicyDocument
and add a new statement following the format of the existing statement.
EX:
{
  "Effect": "Allow",
  "Action": [ "cognito-idp:ListUsers" ],
  "Resource": {
    "Fn::Sub": [
      "arn:aws:cognito-idp:${region}:${account}:*",
      {
        "region": { "Ref": "AWS::Region" },
        "account": { "Ref": "AWS::AccountId" },
        "lambda": { "Ref": "LambdaFunction" }
      }
    ]
  }
}
Then $ amplify push
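The manual edit described in the comment above can be scripted so that it is repeatable and checked for over-broad grants before the push. This is an added example, not code from this thread or from the Amplify CLI; `addStatement`, `reviewStatement`, the sample template and the bucket name are illustrative assumptions, and only the resource name `lambdaexecutionpolicy` comes from the comment above.

```javascript
// Added example, not Amplify CLI code. Names and sample data are illustrative.

// Constructed stand-in for <functionName>-cloudformation-template.json.
const sampleTemplate = {
  Resources: {
    lambdaexecutionpolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Version: '2012-10-17', Statement: [
        { Effect: 'Allow', Action: ['logs:PutLogEvents'], Resource: 'arn:aws:logs:*:*:*' },
      ] } },
    },
  },
};

// Constructed statement; the bucket name is a placeholder.
const s3Read = { Effect: 'Allow', Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::example-bucket/*' };

// Key-order-independent serialization, used for the duplicate check.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Returns findings a reviewer should resolve before running `amplify push`.
function reviewStatement(stmt) {
  const findings = [];
  const actions = [].concat(stmt.Action || []);
  if (stmt.Effect !== 'Allow' && stmt.Effect !== 'Deny') findings.push('Effect must be Allow or Deny');
  if (actions.length === 0) findings.push('no Action listed');
  if (actions.some((a) => a === '*' || String(a).endsWith(':*'))) findings.push('wildcard action');
  if ([].concat(stmt.Resource || []).some((r) => r === '*')) findings.push('Resource is "*"');
  return findings;
}

// Appends stmt to the execution policy unless an identical one exists.
// Returns true when the template was changed.
function addStatement(template, stmt, policyId = 'lambdaexecutionpolicy') {
  const policy = (template.Resources || {})[policyId];
  if (!policy || policy.Type !== 'AWS::IAM::Policy') throw new Error(policyId + ' is not an AWS::IAM::Policy');
  const problems = reviewStatement(stmt);
  if (problems.length) throw new Error('statement rejected: ' + problems.join('; '));
  const doc = policy.Properties.PolicyDocument;
  const existing = [].concat(doc.Statement || []); // a lone statement may be an object
  if (existing.some((s) => canonical(s) === canonical(stmt))) return false;
  doc.Statement = existing.concat([stmt]);
  return true;
}

const demo = JSON.parse(JSON.stringify(sampleTemplate));
console.log(addStatement(demo, s3Read), addStatement(demo, s3Read)); // true false
```

To apply it to a real project, parse the function's template file with `JSON.parse`, call `addStatement`, and write the result back before running `amplify push`.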
Currently I was able to add a custom role and policies via the stacks/CustomResources CloudFormation template, but I cannot find a way to attach the role to the generated lambdaFunctionA.
Which role are you referencing? If you are following the directions here (https://aws-amplify.github.io/docs/cli/graphql#add-a-custom-resolver-that-targets-an-aws-lambda-function) then the role that is created is actually the role that AppSync uses to invoke your lambda function and is not the lambda execution role itself. If you want to change the execution policy for the lambda function you should update the role found in amplify/backend/function/myFunctionName/myFunctionName-cloudformation-template.json as mentioned by @willrust.
I'd like to assign the custom role with policies to the amplify cli generated function "lambdaFunctionA" (amplify function add). Maybe one way is to be able to overwrite the automatically assigned policy but I need guidance if this is possible (but anyway would be better to use custom naming convention than cryptic automatically generated one)
We are working on improving the process of attaching custom policies to execution roles created by the amplify function category so keep an eye out.
Today we released an updated flow as a part of the functions category to pass resource identifiers like the cognito userpool ID or graphql ID (managed and generated by the Amplify CLI) to a lambda function as environment variables and also populate the corresponding lambda execution role to access these resources. You can install the latest version of the CLI and go through the amplify update function flow to update your existing functions to access your Amplify generated resources in the project.
@kaustavghosh06 This is great. Could you give us an example of how this would work? Not entirely sure what to do with this information... Cheers.