amazon-web-services - Can additional permissions be given to a lambda PostAuthenticate function provisioned with AWS Amplify?

TL;DR: Can the Amplify CloudFormation template for a Post Authentication function be manually changed to give it permission for (for example) IoT attachPrincipalPolicy?

I am using AWS Amplify and the amplify CLI to set up a new project.

Overall, Amplify has made things very easy; however, I am stuck with this feeling that you can only go "so far" with Amplify before things become difficult or impossible to do through an Amplify-controlled project.

The use case I am interested in has to do with setting up PubSub with IoT. The AWS instructions cover how to get this working, but I would call this more "proof of concept" than "something that you should use in anything close to production": it involves manually calling aws iot attach-principal-policy --policy-name 'myIoTPolicy' --principal '<YOUR_COGNITO_IDENTITY_ID>' on every single Cognito identity.

Instead, what I would like to do is use a Post Authentication lambda function / event hook to call attachPrincipalPolicy when a user logs into the website (potentially first checking to see if the policy is already attached!).

Perhaps obviously, this does not "just work". I tested:

  const AWS = require('aws-sdk');

  // Post Authentication trigger: attach the IoT policy to a principal, then hand the event back
  exports.handler = function (event, context, callback) {
    var iot = new AWS.Iot();

    var params = {
      policyName: 'myIoTPolicy', /* required */
      principal: 'XYZ123XYZ123' /* required */
    };

    // Note: a try/catch around this call would not catch errors raised inside the SDK callback;
    // the error object passed to the callback is the only place to handle them
    iot.attachPrincipalPolicy(params, function (err, data) {
      if (err) console.log(err, err.stack); // an error occurred (e.g. the AccessDeniedException below)
      else console.log(data);               // successful response

      // Return the event unchanged so Cognito completes the sign-in either way
      callback(null, event);
    });
  };

and ended up with an error like:

AccessDeniedException: User: arn:aws:sts::123123123123123:assumed-role/project82382PostAuthentication-master/project82382PostAuthentication-master is not authorized to perform: iot:AttachPrincipalPolicy on resource: XYZ123XYZ123

The heart of the question is: how do I give this lambda function permissions in a way that is not going to break when/if I modify the project using the Amplify CLI?

For example, I could in theory change project82382PostAuthentication-cloudformation-template.json and add some sort of configuration that would give permission to execute iot:AttachPrincipalPolicy, but I'd think this would then be removed if/when I change the configuration of something, causing the Amplify CLI to regenerate the CloudFormation templates?

asked by shoelessone, translated from SO


1 Reply

Awaiting a reply from an expert.
