What trust role/policy to assign to create a lambda Post Confirmation Trigger in Cognito?

0

Hello,

I have an existing cognito user pool. I want a lambda function to execute when a user signs up and confirms their email address. For this, I have used the PostConfirmation lambda trigger. However, I am seeing a Role Exception on trying to create this trigger, both through serverless framework and through the AWS console.

Following is the exception: InvalidSmsRoleException

Could somebody please help with what Role/Policy needs to be attached in order to create the trigger? I have read this documentation Update to IAM Role Trust Policy Behavior too but no luck.

I have followed this documentation to create the lambda function with the post confirmation trigger in serverless: https://www.serverless.com/framework/docs/providers/aws/events/cognito-user-pool#using-existing-pools

I have also tried assigning the following role to the lambda function:

```yaml
Resources:
    CognitoRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: CognitoSignupRole
        # Trust policy as posted: it names the Cognito service as the principal.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: "Allow"
              Principal:
                Service: "cognito-idp.amazonaws.com"
              Action: "sts:AssumeRole"
```

However, this throws an error stating: The role defined for the function cannot be assumed by Lambda.

What trust policy needs to be assigned here so the post confirmation trigger gets created?

I have already created the following trust policies while creating the user pool:

```typescript
import * as iam from 'aws-cdk-lib/aws-iam'; // CDK v2 import path; the post does not show which CDK version is used
// `identityPool` is the CfnIdentityPool construct created earlier in the same stack (not shown in the post).

// Role for unauthenticated (guest) identities of the identity pool.
const unauthenticatedRole = new iam.Role(
      this,
      'CognitoDefaultUnauthenticatedRole',
      {
        assumedBy: new iam.FederatedPrincipal(
          'cognito-identity.amazonaws.com',
          {
            StringEquals: {
              'cognito-identity.amazonaws.com:aud': identityPool.ref,
            },
            'ForAnyValue:StringLike': {
              'cognito-identity.amazonaws.com:amr': 'unauthenticated',
            },
          },
          'sts:AssumeRoleWithWebIdentity'
        ),
      }
    );

    unauthenticatedRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
        resources: ['*'],
      })
    );

    // Role for authenticated identities of the identity pool.
    const authenticatedRole = new iam.Role(
      this,
      'CognitoDefaultAuthenticatedRole',
      {
        assumedBy: new iam.FederatedPrincipal(
          'cognito-identity.amazonaws.com',
          {
            StringEquals: {
              'cognito-identity.amazonaws.com:aud': identityPool.ref,
            },
            'ForAnyValue:StringLike': {
              'cognito-identity.amazonaws.com:amr': 'authenticated',
            },
          },
          'sts:AssumeRoleWithWebIdentity'
        ),
      }
    );
```
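The two IAM documents involved in wiring a user pool trigger to a function are easy to mix up, so here is an added example (not code from the post, the serverless framework, or AWS) that checks them. A Lambda function's execution role must trust `lambda.amazonaws.com` for `sts:AssumeRole`; a role whose trust policy names `cognito-idp.amazonaws.com`, as in the YAML above, is exactly what produces "cannot be assumed by Lambda". Cognito does not assume that role to call the trigger at all; it needs a resource-based permission on the function (`lambda:InvokeFunction` for the `cognito-idp.amazonaws.com` service principal), which should be restricted with `AWS:SourceArn` to the one user pool so that no other pool in any account can invoke the function. The identity-pool roles in the CDK snippet are a third, unrelated thing (they trust `cognito-identity.amazonaws.com` for web-identity federation). The ARNs and the policy contents below are constructed placeholders.

```python
"""Trust-policy checks for a Cognito user pool Lambda trigger (added example).

Two documents must both be right before Cognito can run a PostConfirmation
function:
  1. the function's execution-role trust policy (who may sts:AssumeRole it);
  2. the function's resource-based policy (who may lambda:InvokeFunction it).
"""

LAMBDA_SERVICE = "lambda.amazonaws.com"
COGNITO_SERVICE = "cognito-idp.amazonaws.com"


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _services(stmt):
    """Service principals named by a statement (empty for AWS/Federated principals)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def lambda_can_assume(trust_policy):
    """True if an Allow statement lets lambda.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if (stmt.get("Effect") == "Allow"
                and LAMBDA_SERVICE in _services(stmt)
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            return True
    return False


def cognito_invoke_scope(function_policy):
    """Classify how the function's resource policy lets Cognito invoke it.

    "scoped"   -> Allow for cognito-idp.amazonaws.com with an AWS:SourceArn condition
    "unscoped" -> Allow without AWS:SourceArn (any user pool in any account qualifies)
    "missing"  -> no invoke grant for the Cognito service principal at all
    """
    result = "missing"
    for stmt in _as_list(function_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or COGNITO_SERVICE not in _services(stmt):
            continue
        if "lambda:InvokeFunction" not in _as_list(stmt.get("Action")):
            continue
        condition = stmt.get("Condition") or {}
        if any("AWS:SourceArn" in (keys or {}) for keys in condition.values()):
            return "scoped"
        result = "unscoped"
    return result


def diagnose(trust_policy, function_policy):
    """Return human-readable findings; an empty list means both documents pass."""
    findings = []
    if not lambda_can_assume(trust_policy):
        findings.append("execution role cannot be assumed by lambda.amazonaws.com")
    scope = cognito_invoke_scope(function_policy)
    if scope == "missing":
        findings.append("no lambda:InvokeFunction grant for cognito-idp.amazonaws.com")
    elif scope == "unscoped":
        findings.append("Cognito invoke grant lacks AWS:SourceArn; restrict it to the user pool")
    return findings


# Constructed from the post's YAML: the execution role trusts Cognito, not Lambda.
POSTED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": COGNITO_SERVICE},
                   "Action": "sts:AssumeRole"}],
}

# Corrected execution-role trust policy: only the Lambda service may assume it.
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": LAMBDA_SERVICE},
                   "Action": "sts:AssumeRole"}],
}

# Resource-based policy on the function (what lambda:AddPermission produces),
# restricted to one user pool. ARNs are placeholders, not real identifiers.
USER_POOL_ARN = "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/POOL_ID"
FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowCognitoInvoke",
                   "Effect": "Allow",
                   "Principal": {"Service": COGNITO_SERVICE},
                   "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:postConfirmation",
                   "Condition": {"ArnLike": {"AWS:SourceArn": USER_POOL_ARN}}}],
}

if __name__ == "__main__":
    print("posted role:", diagnose(POSTED_TRUST, FUNCTION_POLICY))
    print("fixed role: ", diagnose(LAMBDA_TRUST, FUNCTION_POLICY))
```

Run it against the JSON returned by `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws lambda get-policy` to check a deployed trigger; the "unscoped" finding is the one worth alerting on in a policy review, since it is what a `lambda:AddPermission` call without `--source-arn` leaves behind.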
1 answer
1

Since it is the users registered in the user pool that invoke Lambda, the following trust policy may be necessary.
https://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/role-trust-and-permissions.html

EXPERT
answered a year ago
  • Hello, Thank you so much for your response. I have already assigned this trust policy to the User Pool while creating it. I am not sure why this error is still being thrown.

    I am editing the question to include the Cognito User Pool policies for authenticated and unauthenticated users.
