Awesome
serverless-amplify-auth 🔑
Update Policy for Amplify's Auth Role and Unauth Role in the Serverless Framework.
:hammer: Minimum requirements
💾 Installation
Install the plugin via Yarn (recommended)
yarn add --dev serverless-amplify-auth
or via NPM
npm i -D serverless-amplify-auth
You must also add the amplify:GetBackendEnvironment
permission to the IAM Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"amplify:GetBackendEnvironment"
],
"Resource": "*"
}
]
}
🛠️ Configuring the plugin
Add serverless-amplify-auth
to the plugins section of serverless.yml
plugins:
- serverless-amplify-auth
Add the following example config to the custom section of serverless.yml
custom:
amplify-auth:
appId: XXXXXXXXXXXXX # <string (required): Amplify's Application ID>
envName: ${opt:stage, self:provider.stage, 'dev'} # <string (required): Amplify's environment name>
# profile: default # <string (optional): Specify an AWS Profile that can handle Amplify and IAM>
# isClearPolicy: false # <boolean (optional): Delete all policies existing in the Role before updating the Policy>
unauthRole: # <Policy (optional): Write a policy for the unauthRole created by Amplify auth>
- PolicyName: "Unauth"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- appsync:GraphQL
Resource:
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Mutation/fields/createComment
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Query/fields/listComments
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Subscription/fields/onCreateComment
authRole: # <Policy (optional): Write a policy for the authRole created by Amplify auth>
- PolicyName: "Auth"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- appsync:GraphQL
Resource:
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Mutation/*
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Query/*
- arn:aws:appsync:#{AWS::Region}:#{AWS::AccountId}:apis/XXXXXXXXXXXXXXX/types/Subscription/*
In the custom.amplify-auth.authRole
and custom.amplify-auth.unauthRole
fields, you can use #{AWS::AccountId}
and #{AWS::Region}
. The #{AWS::AccountId}
and #{AWS::Region}
can be used to set the value of the AWS Account ID and Region information set in the AWS Profile, which are necessary to build an ARN. 💪
▶️ Usage
serverless deploy
Update the authRole
and unauthRole
policy of Amplify specified by custom.amplify-auth.appId
at the same time of deploying of the functions.
serverless package
Update the authRole
and unauthRole
policy of Amplify specified by custom.amplify-auth.appId
.
🎁 Contributing
If you have any questions, please feel free to reach out to me directly on Twitter nikaera, or feel free to create an Issue or PR for you.