How to send EventBridge PutEvents from web client using Cognito and AWS SDK JavaScript v3?

Here is the code:

import { EventBridgeClient, PutEventsCommand } from "@aws-sdk/client-eventbridge";
import { fromCognitoIdentityPool } from '@aws-sdk/credential-provider-cognito-identity';
import { CognitoIdentityClient } from '@aws-sdk/client-cognito-identity';

const IDENTITY_POOL_ID = 'us-east-1:xxx';
const REGION = 'us-east-1';

const ebClient = new EventBridgeClient({
    region: REGION,
    credentials: fromCognitoIdentityPool({
        client: new CognitoIdentityClient({ region: REGION }),
        identityPoolId: IDENTITY_POOL_ID
    })
});

async function sendEvent() {
    const events = {
        Entries: [
            {
                DetailType: 'SubmitOrder',
                Detail: JSON.stringify({
                    orderId: 'abc',
                    // ...
                }),
                Source: 'com.org.app1',
            },
        ],
    };

    try {
        const data = await ebClient.send(new PutEventsCommand(events));
        console.log("Success, event sent; requestID:", data);
    } catch (err) {
        console.log('Error', err);
    }
}

The permissions for the Unauthorized Cognito Identity Pool role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-east-1:xxxx:event-bus/default"
        }
    ]
}

Trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
                }
            }
        }
    ]
}

The error:

AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/Cognito_XXXidentitypoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: events:PutEvents on resource: arn:aws:events:us-east-1:xxxx:event-bus/default because no session policy allows the events:PutEvents action

rain-mtucker
vor einem Jahr
Here is a sample project that shows this error: https://github.com/rmtuckerphx/web-eventbridge-cognito
Hector Fernandez - Community Builder
vor einem Jahr
I have the same problems with Secret Manager, I update the default role with the permissions and any happens. Do you resolve this issue?

Themen

Sicherheit, Identität & Konformität Serverlos Anwendungsintegration

Relevanter Inhalt

Wie ändere ich die Attribute eines Amazon Cognito-Benutzerpools nach der Erstellung?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie verwende ich Ebenen, um die neueste Version des AWS SDK für JavaScript in meine Node.js-Lambda-Funktion zu integrieren?
AWS OFFICIALAktualisiert vor 5 Monaten
Wie kann ich die Signatur eines Amazon Cognito-JSON-Web-Tokens dekodieren und überprüfen?
AWS OFFICIALAktualisiert vor 2 Jahren
Warum gibt meine CloudFront-Distribution die Antwort „X-Cache:Miss from CloudFront“ zurück?
AWS OFFICIALAktualisiert vor 2 Jahren