Page updated Jan 16, 2024

Override Amplify-generated project-level IAM resources

amplify override project
1amplify override project

Run the command above to override Amplify-generated project-level resources, such as IAM roles for authenticated and unauthenticated.

Warning: Due to the deep dependencies on the authenticated and unauthenticated user roles, it is recommended to ONLY modify these resources at the beginning of your project, when no other resources are added yet.

The command creates a new overrides.ts file under amplify/backend/awscloudformation/ which provides you the Amplify-generated resources as CDK constructs.

Apply all the overrides in the override(...) function. For example to rename and add a path for authenticated users' IAM role:

import { AmplifyRootStackTemplate } from '@aws-amplify/cli-extensibility-helper'; export function override(resources: AmplifyRootStackTemplate) { resources.authRole.roleName = "myCustomName" resources.authRole.path = "/<my-organization>/" // Note: CloudFormation limits you from updating the path if you don't recreate the resource. // Changing the role name will recreate the resource. }
1import { AmplifyRootStackTemplate } from '@aws-amplify/cli-extensibility-helper';
2
3export function override(resources: AmplifyRootStackTemplate) {
4 resources.authRole.roleName = "myCustomName"
5 resources.authRole.path = "/<my-organization>/"
6 // Note: CloudFormation limits you from updating the path if you don't recreate the resource.
7 // Changing the role name will recreate the resource.
8}

You can override the following project-level resources that Amplify generates:

Amplify-generated resourceDescription
authRoleThe IAM role for authenticated access to your app backend
unauthRoleThe IAM role for authenticated or guest access to your app backend

Example: Modify authRole's IAM policies

For example, use amplify override project to further modify the authRole policy for Geo category beyond the default policy statements:

import { AmplifyRootStackTemplate } from "@aws-amplify/cli-extensibility-helper"; export function override(resources: AmplifyRootStackTemplate) { const authRole = resources.authRole; const basePolicies = Array.isArray(authRole.policies) ? authRole.policies : [authRole.policies]; authRole.policies = [ ...basePolicies, { policyName: "amplify-permissions-custom-resources", policyDocument: { Version: "2012-10-17", Statement: [ //? Route calculator { Resource: "<ARN of Geo>", Action: ["geo:CalculateRoute*"], Effect: "Allow", }, ], }, }, ]; }
1import { AmplifyRootStackTemplate } from "@aws-amplify/cli-extensibility-helper";
2
3export function override(resources: AmplifyRootStackTemplate) {
4 const authRole = resources.authRole;
5
6 const basePolicies = Array.isArray(authRole.policies)
7 ? authRole.policies
8 : [authRole.policies];
9
10 authRole.policies = [
11 ...basePolicies,
12 {
13 policyName: "amplify-permissions-custom-resources",
14 policyDocument: {
15 Version: "2012-10-17",
16 Statement: [
17 //? Route calculator
18 {
19 Resource: "<ARN of Geo>",
20 Action: ["geo:CalculateRoute*"],
21 Effect: "Allow",
22 },
23 ],
24 },
25 },
26 ];
27}