Grant DescribeUserPoolClient to the backend Lambda

gh-274 Taken from the workaround in the issue description here: aws/aws-cdk#7112. My error noted here: aws/aws-cdk#7112 (comment)
douglasnaphas · Feb 19, 2021 · 65028c7 · 65028c7
1 parent 108b3ab
commit 65028c7
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/lib/madliberation-stack.ts b/lib/madliberation-stack.ts
@@ -10,6 +10,7 @@ import * as cognito from "@aws-cdk/aws-cognito";
 import { UserPool } from "@aws-cdk/aws-cognito";
 const stackname = require("@cdk-turnkey/stackname");
 const crypto = require("crypto");
+import { Effect, PolicyStatement } from "@aws-cdk/aws-iam";
 
 export class MadliberationStack extends cdk.Stack {
   constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
@@ -137,6 +138,16 @@ export class MadliberationStack extends cdk.Stack {
       timeout: cdk.Duration.seconds(20),
     });
 
+    fn.addToRolePolicy(
+      new PolicyStatement({
+        effect: Effect.ALLOW,
+        actions: ["cognito-idp:DescribeUserPoolClient"],
+        resources: [
+          `arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}`,
+        ],
+      })
+    );
+
     clientSecretBucket.grantRead(fn);
 
     const lambdaApi = new apigw.LambdaRestApi(this, "Endpoint", {