function getTenantUserPolicy()

in source/user-manager/cognito-user.js [561:633]


/**
 * Builds the IAM policy document that is handed to a tenant-scoped user.
 *
 * Each DynamoDB statement carries a `ForAllValues:StringEquals` condition on
 * `dynamodb:LeadingKeys` bound to `policyParams.tenantId`, so item-level
 * operations (GetItem, Query, PutItem, ...) are limited to partitions whose
 * leading key is the caller's tenant. The Cognito statement has no condition.
 *
 * NOTE(review): DescribeTable and CreateTable are table-level operations that do
 * not present a `dynamodb:LeadingKeys` key; with `ForAllValues` a missing key
 * evaluates as matched, so those two actions are effectively unconditioned
 * table-wide — confirm they are intended in the "ReadOnly" statements.
 * NOTE(review): only the user table ARN is extended with `/*`; the order and
 * product tables are not — confirm whether their indexes should be covered.
 *
 * @param {Object} policyParams - values substituted into the template
 * @param {string} policyParams.tenantId - tenant identifier used as the leading (partition) key
 * @param {string} policyParams.userTableArn - ARN of the user table (its `/*` sub-resources are included)
 * @param {string} policyParams.orderTableArn - ARN of the order table
 * @param {string} policyParams.productTableArn - ARN of the product table
 * @param {string} policyParams.cognitoArn - ARN granted for the Cognito actions
 * @returns {Object} a plain-object IAM policy document (Version 2012-10-17) with four statements
 */
function getTenantUserPolicy(policyParams) {
    const { tenantId, userTableArn, orderTableArn, productTableArn, cognitoArn } = policyParams;

    // Action groups shared by the DynamoDB statements; order within each
    // statement is read, (write), table-level.
    const itemReadActions = [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query"
    ];
    const itemWriteActions = [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem"
    ];
    const tableLevelActions = [
        "dynamodb:DescribeTable",
        "dynamodb:CreateTable"
    ];
    const readOnlyActions = [...itemReadActions, ...tableLevelActions];
    const readWriteActions = [...itemReadActions, ...itemWriteActions, ...tableLevelActions];

    // Fresh condition object per statement so the statements share no references.
    const tenantPartitionCondition = () => ({
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [tenantId]
        }
    });

    // One tenant-scoped Allow statement over a DynamoDB resource list.
    const dynamoStatement = (sid, actions, resources) => ({
        "Sid": sid,
        "Effect": "Allow",
        "Action": actions,
        "Resource": resources,
        "Condition": tenantPartitionCondition()
    });

    const userTableStatement = dynamoStatement(
        "TenantReadOnlyUserTable",
        readOnlyActions,
        [userTableArn, `${userTableArn}/*`]
    );
    const orderTableStatement = dynamoStatement(
        "ReadWriteOrderTable",
        readWriteActions,
        [orderTableArn]
    );
    const productTableStatement = dynamoStatement(
        "TenantReadOnlyProductTable",
        readOnlyActions,
        [productTableArn]
    );
    const cognitoStatement = {
        "Sid": "TenantCognitoAccess",
        "Effect": "Allow",
        "Action": [
            "cognito-idp:AdminGetUser",
            "cognito-idp:ListUsers"
        ],
        "Resource": [cognitoArn]
    };

    return {
        "Version": "2012-10-17",
        "Statement": [
            userTableStatement,
            orderTableStatement,
            productTableStatement,
            cognitoStatement
        ]
    };
}