README
¶
Twisp Client Custom Resource
Twisp has the ability to exchange IAM tokens for OIDC, thereby allowing AWS identities to have permissions directly in Twisp.
This is a convenience lambda you can install in your system that can create Twisp Clients on behalf of other identities that will use Twisp.
Usage
-
package up
cmd/resourceas a AWS lambda and deploy using your preferred tooling for each region you operate in. -
create a client in the Twisp console with sufficient privileges to create clients, in each tenant & region you operate in.
mutation InfraClientCreator(
$principal: String! = "<role arn for cmd/resource lambda>"
) {
auth {
createClient(
input: {
principal: $principal
policies: [
{
effect: ALLOW
actions: [SELECT, DELETE, UPDATE, INSERT]
resources: ["system.Client.*"]
}
]
}
) {
principal
}
}
}
- You may now use this as an AWS custom resource in your CDK/Cloudformation to create Twisp Clients for other entities.
Resources:
CreateClientForLambdaA:
Type: 'Custom:TwispClientCreator'
Properties:
# The custom resource lambda ARN, perhaps via parameter
ServiceToken:
Ref: 'TwispCreatorLambdaArn'
# x-twisp-account-id
AccountId: 'prod'
Region: !Sub ${AWS::Region}
Client:
# Lambda Role to create client for
principal: !Sub ${LambdaARole.Arn}
name: 'lambda A client'
policies:
- effect: "ALLOW"
action: ["INSERT", "UPDATE", "SELECT"]
resources: ["financial.*"]
assertions:
isTrue: true
Directories
Click to show internal directories.
Click to hide internal directories.