code

Author: devksingh4

cloudformation/iam.yml

@@ -37,7 +37,7 @@ Resources:
               - secretsmanager:GetSecretValue
             Effect: Allow
             Resource:
-              - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config
+              - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-config*
 
           - Action:
               - dynamodb:DescribeLimits
@@ -79,14 +79,19 @@ Resources:
               - dynamodb:DescribeTable
               - dynamodb:DeleteItem
               - dynamodb:GetItem
-              - dynamodb:Scan
               - dynamodb:Query
               - dynamodb:UpdateItem
             Resource:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache
             Condition:
-              StringNotLike:
-                "dynamodb:LeadingKeys": "entra_*"
+              ForAllValues:StringEquals:
+                dynamodb:LeadingKeys:
+                  - testing # add any keys that must be accessible
+              ForAllValues:StringLike:
+                dynamodb:Attributes:
+                  - primaryKey
+                  - expireAt
+                  - "*"
 
           - Sid: DynamoDBIndexAccess
             Effect: Allow
@@ -122,13 +127,9 @@ Resources:
             Principal:
               Service:
                 - lambda.amazonaws.com
-          - Action:
-              - sts:AssumeRole
-            Effect: Allow
-            Resource: !GetAtt EntraLambdaIAMRole.Arn
 
       Policies:
-        - PolicyName: lambda-sqs
+        - PolicyName: lambda-generic
           PolicyDocument:
             Version: "2012-10-17"
             Statement:
@@ -152,6 +153,12 @@ Resources:
             Principal:
               Service:
                 - lambda.amazonaws.com
+          - Effect: Allow
+            Principal:
+              AWS:
+                - Fn::GetAtt: ApiLambdaIAMRole.Arn
+            Action:
+              - sts:AssumeRole
       Policies:
         - PolicyName: lambda-get-entra-secret
           PolicyDocument:
@@ -161,11 +168,10 @@ Resources:
                   - secretsmanager:GetSecretValue
                 Effect: Allow
                 Resource:
-                  - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-entra
+                  - Fn::Sub: arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:infra-core-api-entra*
               - Action:
                   - dynamodb:BatchGetItem
                   - dynamodb:GetItem
-                  - dynamodb:Scan
                   - dynamodb:Query
                   - dynamodb:DescribeTable
                   - dynamodb:BatchWriteItem
@@ -177,8 +183,14 @@ Resources:
                 Resource:
                   - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-cache
                 Condition:
-                  "StringLike":
-                    "dynamodb:LeadingKeys": "entra_*"
+                  ForAllValues:StringEquals:
+                    dynamodb:LeadingKeys:
+                      - entra_id_access_token # add any keys that must be accessible
+                  ForAllValues:StringLike:
+                    dynamodb:Attributes:
+                      - primaryKey
+                      - expireAt
+                      - "*"
 
   # SQS Lambda IAM Role
   SqsLambdaIAMRole:

src/api/functions/sts.ts

@@ -6,7 +6,7 @@ import { duration } from "moment";
 
 export async function getRoleCredentials(
   roleArn: string,
-  durationSeconds: number = 60,
+  durationSeconds: number = 900,
 ) {
   const client = new STSClient({ region: genericConfig.AwsRegion });
   const command = new AssumeRoleCommand({