Override Amplify-generated project-level IAM resources
```bash
amplify override project
```
Run the command above to override Amplify-generated project-level resources, such as the IAM roles for authenticated and unauthenticated users.
The command creates a new `overrides.ts` file under `amplify/backend/awscloudformation/`, which provides you the Amplify-generated resources as CDK constructs.
Apply all the overrides in the `override(...)` function. For example, to rename and add a path for the authenticated users' IAM role:
```ts
import { AmplifyRootStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyRootStackTemplate) {
  resources.authRole.roleName = "myCustomName";
  resources.authRole.path = "/<my-organization>/";
  // Note: CloudFormation limits you from updating the path if you don't recreate the resource.
  // Changing the role name will recreate the resource.
}
```
You can override the following project-level resources that Amplify generates:
Amplify-generated resource | Description |
---|---|
authRole | The IAM role for authenticated access to your app backend |
unauthRole | The IAM role for unauthenticated or guest access to your app backend |
Example: Modify authRole's IAM policies
For example, use `amplify override project` to further modify the authRole policy for the Geo category beyond the default policy statements:
```ts
import { AmplifyRootStackTemplate } from "@aws-amplify/cli-extensibility-helper";

export function override(resources: AmplifyRootStackTemplate) {
  const authRole = resources.authRole;

  // Normalize the existing policies to an array so they can be spread below.
  const basePolicies = Array.isArray(authRole.policies)
    ? authRole.policies
    : [authRole.policies];

  // Keep the Amplify-generated policies and append one custom inline policy.
  authRole.policies = [
    ...basePolicies,
    {
      policyName: "amplify-permissions-custom-resources",
      policyDocument: {
        Version: "2012-10-17",
        Statement: [
          // Route calculator
          {
            Resource: "<ARN of Geo>",
            Action: ["geo:CalculateRoute*"],
            Effect: "Allow",
          },
        ],
      },
    },
  ];
}
```
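Because statements appended in `override(...)` are granted to every signed-in (or guest) user, it helps to reject over-broad grants before they reach the role. The following is an added example, not Amplify's own code: `RoleLike`, `findBroadGrants`, `addScopedPolicy` and the sample ARN are hypothetical names and constructed values, and the role is modelled structurally so the block runs without the Amplify packages.

```typescript
// Added example; RoleLike is a hypothetical structural stand-in for the
// authRole / unauthRole constructs so the block runs without Amplify packages.
interface Statement { Effect: "Allow" | "Deny"; Action: string[]; Resource: string | string[] }
interface Policy { policyName: string; policyDocument: { Version: string; Statement: Statement[] } }
interface RoleLike { policies?: unknown }

// Lists the Allow statements that grant more than a named resource and action family.
function findBroadGrants(statements: Statement[]): string[] {
  const problems: string[] = [];
  statements.forEach((s, i) => {
    if (s.Effect !== "Allow") return; // a Deny cannot widen access
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    if (resources.some((r) => r.trim() === "*")) problems.push(`Statement[${i}]: Resource "*"`);
    for (const a of s.Action) {
      // "*" and "<service>:*" allow every action; a prefix wildcard such as
      // "geo:CalculateRoute*" stays within one operation family.
      if (a === "*" || a.endsWith(":*")) problems.push(`Statement[${i}]: Action "${a}"`);
    }
  });
  return problems;
}

// Appends a policy while keeping the existing ones; throws rather than attach a flagged statement.
function addScopedPolicy(role: RoleLike, policyName: string, statements: Statement[]): void {
  const problems = findBroadGrants(statements);
  if (problems.length > 0) throw new Error(`${policyName}: ${problems.join("; ")}`);
  // An unset policies property becomes an empty list, not [undefined].
  const current = role.policies;
  const existing: unknown[] = current === undefined ? [] : Array.isArray(current) ? current : [current];
  const added: Policy = { policyName, policyDocument: { Version: "2012-10-17", Statement: statements } };
  role.policies = [...existing, added];
}

// Constructed placeholder ARN. In overrides.ts, call from the exported override(resources):
//   addScopedPolicy(resources.authRole, "amplify-permissions-custom-resources", [geoStatement]);
const GEO_ARN = "arn:aws:geo:us-east-1:111122223333:route-calculator/ExampleCalculator";
const geoStatement: Statement = { Effect: "Allow", Action: ["geo:CalculateRoute*"], Resource: GEO_ARN };
```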