in source/user-manager/cognito-user.js [471:554]
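/**
 * Builds the IAM policy document handed to a tenant administrator.
 *
 * Item-level access to the user and order tables is scoped with the
 * `dynamodb:LeadingKeys` condition, so requests may only touch items whose
 * partition key equals the caller's tenant id. The product-table statement
 * deliberately carries no condition (the workshop has the participant add it
 * in Lab 3), so until that lab is completed the product table is NOT
 * tenant-isolated by this policy.
 *
 * Caveats a reviewer should keep in mind:
 *  - `ForAllValues:StringEquals` evaluates to true when the condition key is
 *    absent from the request context. `dynamodb:DescribeTable` and
 *    `dynamodb:CreateTable` carry no item keys, so the LeadingKeys condition
 *    does not constrain them; they are effectively allowed on the whole table.
 *  - The order-table resource has no `/*` suffix (unlike the user table), so
 *    secondary indexes on that table, if any exist, are not covered.
 *  - The Cognito statement grants admin-level user management on the whole
 *    `cognitoArn` user pool. That is only tenant-scoped if every tenant has its
 *    own pool; with a shared pool it would permit cross-tenant user
 *    enumeration and modification — confirm against the provisioning code.
 *
 * @param {Object} policyParams
 * @param {string} policyParams.tenantId        Partition-key value used for item-level scoping.
 * @param {string} policyParams.userTableArn    ARN of the tenant user table.
 * @param {string} policyParams.orderTableArn   ARN of the order table.
 * @param {string} policyParams.productTableArn ARN of the product table.
 * @param {string} policyParams.cognitoArn      ARN of the Cognito user pool.
 * @returns {Object} IAM policy document (Version 2012-10-17), ready for `JSON.stringify`.
 * @throws {TypeError} if any required parameter is missing or is not a non-empty
 *   string. A document built from `undefined` would serialize to `null` /
 *   `"undefined/*"` resources or a `[null]` condition value, so we fail closed
 *   instead of emitting a malformed or unscoped policy.
 */
function getTenantAdminPolicy(policyParams) {
  const requiredKeys = ['tenantId', 'userTableArn', 'orderTableArn', 'productTableArn', 'cognitoArn'];
  for (const key of requiredKeys) {
    const value = policyParams == null ? undefined : policyParams[key];
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`getTenantAdminPolicy: policyParams.${key} must be a non-empty string`);
    }
  }
  const { tenantId, userTableArn, orderTableArn, productTableArn, cognitoArn } = policyParams;

  // Same action set on every tenant table (data-plane plus DescribeTable/CreateTable).
  // Scan is intentionally absent: LeadingKeys cannot scope a Scan.
  const tableActions = [
    "dynamodb:GetItem",
    "dynamodb:BatchGetItem",
    "dynamodb:Query",
    "dynamodb:PutItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
    "dynamodb:BatchWriteItem",
    "dynamodb:DescribeTable",
    "dynamodb:CreateTable",
  ];

  // Fresh object per statement so a caller mutating one statement cannot
  // silently alter another.
  const tenantRowCondition = () => ({
    "ForAllValues:StringEquals": {
      "dynamodb:LeadingKeys": [tenantId],
    },
  });

  return {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TenantAdminUserTable",
        "Effect": "Allow",
        "Action": [...tableActions],
        // `/*` covers the table's secondary indexes.
        "Resource": [userTableArn, `${userTableArn}/*`],
        "Condition": tenantRowCondition(),
      },
      {
        "Sid": "TenantAdminOrderTable",
        "Effect": "Allow",
        "Action": [...tableActions],
        "Resource": [orderTableArn],
        "Condition": tenantRowCondition(),
      },
      {
        "Sid": "TenantAdminProductTable",
        "Effect": "Allow",
        "Action": [...tableActions],
        "Resource": [productTableArn],
        // No request conditions because we want the participant
        // to create them in Lab 3.
      },
      {
        "Sid": "TenantCognitoAccess",
        "Effect": "Allow",
        "Action": [
          "cognito-idp:AdminCreateUser",
          "cognito-idp:AdminDeleteUser",
          "cognito-idp:AdminDisableUser",
          "cognito-idp:AdminEnableUser",
          "cognito-idp:AdminGetUser",
          "cognito-idp:ListUsers",
          "cognito-idp:AdminUpdateUserAttributes",
        ],
        "Resource": [cognitoArn],
      },
    ],
  };
}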