Stamping user metadata
This page shows how user actions (for example, creates or updates) on objects can be audited, tracked, or attributed to the user who performed them.
Depot Stamps and Cognito integration
Depot has a Stamps feature which can be used to automatically set properties for API actions such as creates, updates, or deletes. Because the stamp is applied server-side with access to both the before state and the update state of the operation, it is useful for user attribution and auditing: it prevents direct (client-supplied) writes to the user property, which would otherwise corrupt the audit log.
The requirements to use this feature are:
- A Depot Cognito Location exists in the environment
- A User schema named User exists for the target Dataset
- Auth is linked from the Cognito Location to the Dataset
Here is a sample in CDK for the Cognito Location and Dataset:
// Role that Depot's environment account assumes to call Cognito.
// The policy is scoped to a single user pool rather than all Cognito resources.
const cognitoRole = new Role(this, 'CognitoRole', {
  assumedBy: new AccountPrincipal(depotEnvironment.accountId),
  inlinePolicies: {
    cognito: new PolicyDocument({
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ['cognito-idp:*'],
          resources: ["arn:aws:cognito-idp:eu-west-1:1234566789012:userpool/eu-west-1_ZzzzzZZ"],
        })
      ]
    }),
  },
});

// Cognito Location: tells Depot which user pool and app client provide identities.
const cognito = new Location.Cognito(this, "CognitoLocation", {
  environment: depotEnvironment,
  name: "cognito",
  roleArn: cognitoRole.roleArn,
  userPoolId: "eu-west-1_ZzzzzZZ",
  clientId: "abc123456"
});

// Dataset with auth linked from the Cognito Location, so API callers are attributable.
new Dataset(this, "Dataset", {
  environment: depotEnvironment,
  package: pkg,
  name: "example",
  location: snowflakeLocation,
  auth: {
    cognito: cognito.cognitoAuth
  },
  executors: [
    { purposes: [DatasetExecutorPurpose.TRANSACTION], executor: transactionExecutor },
    { purposes: [DatasetExecutorPurpose.API], executor: apiExecutor }
  ]
});
The schema for an object would get a user property like this (the stamp sets it to the caller on every create and update):
user:
  type: User
  stamps:
    - on: [ create, update ]
      then: caller
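To make the stamping behaviour concrete, here is an added TypeScript example that is not Depot's implementation: it models a server-side stamp rule equivalent to on: [create, update] then: caller and shows why the stored user property cannot be set by the client. The names User, StampRule, StampConfig, applyStamps and attributedTo, and the shape of the User record, are assumptions made for this example.

```typescript
// Added example, not Depot's implementation: a model of how a server-side
// stamp rule such as `on: [create, update] then: caller` attributes writes.
// The names User, StampRule, StampConfig and applyStamps are hypothetical.

type Operation = 'create' | 'update' | 'delete';

// Shape assumed for the User schema referenced by the stamp (hypothetical).
interface User {
  userId: string; // identity of the authenticated principal, e.g. the Cognito user's sub
  name: string;
  email: string;
}

// One stamp rule, mirroring the `stamps:` entry on a property.
interface StampRule {
  on: Operation[];
  then: 'caller';
}

// Stamp rules keyed by property name.
type StampConfig = Record<string, StampRule[]>;

// Equivalent of the `user` property definition shown on this page.
const objectStamps: StampConfig = {
  user: [{ on: ['create', 'update'], then: 'caller' }],
};

// Compute the record to store for an API action. Both the before state and the
// client-supplied update are available, so a stamped property is always taken
// from the authenticated caller; any value the client sent for it is discarded.
function applyStamps(
  config: StampConfig,
  op: Operation,
  caller: User,
  before: Record<string, unknown> | undefined,
  update: Record<string, unknown>,
): Record<string, unknown> {
  const merged: Record<string, unknown> = { ...(before ?? {}), ...update };
  for (const [prop, rules] of Object.entries(config)) {
    if (rules.some((r) => r.on.includes(op) && r.then === 'caller')) {
      merged[prop] = { userId: caller.userId, name: caller.name, email: caller.email };
    } else {
      // Not stamped on this operation: keep the previously stored attribution
      // rather than whatever the client may have sent.
      merged[prop] = before?.[prop];
    }
  }
  return merged;
}

// True when the stored attribution matches the caller that performed the operation.
function attributedTo(record: Record<string, unknown>, caller: User): boolean {
  const user = record.user as User | undefined;
  return user !== undefined && user.userId === caller.userId;
}

// Constructed sample data for the demo.
const alice: User = { userId: 'u-1', name: 'Alice', email: 'alice@example.com' };
const created = applyStamps(objectStamps, 'create', alice, undefined, {
  someId: 'obj-1',
  anotherId: 'a',
  updated: '2024-01-01T00:00:00Z',
});
// An update that carries its own `user` value is still stamped with the real caller,
// which is what keeps the audit log trustworthy.
const updated = applyStamps(objectStamps, 'update', alice, created, {
  anotherId: 'b',
  updated: '2024-01-02T00:00:00Z',
  user: { userId: 'u-999', name: 'Mallory', email: 'mallory@example.com' },
});
console.log(attributedTo(updated, alice)); // true
```

The important design point is that the stamp is evaluated where the authenticated caller is known (the API layer), after the client payload has been merged, so the attribution written to the row never depends on client input.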
A SQL query can then use USER_ID in a select statement to get the User's ID when data is queried, for example with a View:
example.ui.ObjectHistory:
  version: 2
  type: view
  properties:
    someId:
      type: string
    anotherId:
      type: string
    updated:
      type: datetime
    user:
      type: User
The user property (type: User) is expanded into a User object in GraphQL queries. For example:
query ListObjectHistory($filter: String, $sort: [String]) {
  listexampleUiObjectHistories(filter: $filter, sort: $sort) {
    items {
      someId
      anotherId
      updated
      user {
        name
        email
        __typename
      }
      __typename
    }
    __typename
  }
}