Hello,
I have an existing Cognito user pool. I want a Lambda function to execute when a user signs up and confirms their email address. For this, I have used the PostConfirmation Lambda trigger.
However, I am seeing a Role Exception on trying to create this trigger, both through serverless framework and through the AWS console.
Following is the exception:
Could somebody please help with what Role/Policy needs to be attached in order to create the trigger? I have also read the documentation "Update to IAM Role Trust Policy Behavior", but with no luck.
I have followed this documentation to create the lambda function with the post confirmation trigger in serverless: https://www.serverless.com/framework/docs/providers/aws/events/cognito-user-pool#using-existing-pools
I have also tried assigning the following role to the lambda function:
Resources:
  CognitoRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CognitoSignupRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "cognito-idp.amazonaws.com"
            Action: "sts:AssumeRole"
However, this throws an error stating:
The role defined for the function cannot be assumed by Lambda.
What trust policy needs to be assigned here so the post confirmation trigger gets created?
I have already created the following trust policies while creating the user pool:
// CDK v2 import; on CDK v1 the module is '@aws-cdk/aws-iam' (the post does not state the CDK version)
import * as iam from 'aws-cdk-lib/aws-iam';

// identityPool is the CfnIdentityPool created earlier in the stack; identityPool.ref is its ID.
// Both roles are federated roles for the Identity Pool, assumed via AssumeRoleWithWebIdentity.
const unauthenticatedRole = new iam.Role(
  this,
  'CognitoDefaultUnauthenticatedRole',
  {
    assumedBy: new iam.FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': identityPool.ref,
        },
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'unauthenticated',
        },
      },
      'sts:AssumeRoleWithWebIdentity'
    ),
  }
);
unauthenticatedRole.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
    resources: ['*'],
  })
);
const authenticatedRole = new iam.Role(
  this,
  'CognitoDefaultAuthenticatedRole',
  {
    assumedBy: new iam.FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': identityPool.ref,
        },
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'authenticated',
        },
      },
      'sts:AssumeRoleWithWebIdentity'
    ),
  }
);
Hello, Thank you so much for your response. I have already assigned this trust policy to the User Pool while creating it. I am not sure why this error is still being thrown.
I am editing the question to include the Cognito User Pool policies for authenticated and unauthenticated users.
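The following is an added example, not code from the question or from any answer to it. It separates the two IAM documents that a PostConfirmation trigger involves: the trust policy of the function's execution role (which Lambda, not Cognito, assumes, so a trust policy naming cognito-idp.amazonaws.com is what produces "The role defined for the function cannot be assumed by Lambda") and the resource-based permission that lets the User Pool invoke the function. The checker evaluates a trust policy the way that error does, and the permission builders pin the grant to one pool ARN. The function name, account ID, region and pool ID are placeholders, not values from the post.

```python
"""Added example (not from the original post): check whether a trust policy
lets the Lambda service assume a role, and build the permission that lets a
Cognito User Pool invoke a PostConfirmation trigger."""
import json
from typing import Any, Dict, List

LAMBDA_SERVICE = "lambda.amazonaws.com"
COGNITO_SERVICE = "cognito-idp.amazonaws.com"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_lambda_assume(stmt: Dict[str, Any]) -> bool:
    """Does this statement name the Lambda service with an AssumeRole action?"""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False  # only a {"Service": ...} principal can grant a service
    services = _as_list(principal.get("Service"))
    actions = set(_as_list(stmt.get("Action")))
    return LAMBDA_SERVICE in services and bool(actions & ASSUME_ACTIONS)


def lambda_can_assume(trust_policy: Dict[str, Any]) -> bool:
    """True when an Allow statement grants lambda.amazonaws.com sts:AssumeRole
    and no Deny statement takes it away (explicit Deny wins in IAM)."""
    statements = _as_list(trust_policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _matches_lambda_assume(s) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _matches_lambda_assume(s) for s in statements)


def lambda_execution_trust_policy() -> Dict[str, Any]:
    """Trust policy for the function's execution role: Lambda assumes it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": LAMBDA_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def cognito_invoke_permission(function_name: str, user_pool_arn: str,
                              statement_id: str = "AllowCognitoPostConfirmation") -> Dict[str, Any]:
    """Keyword arguments for boto3 lambda.add_permission(): the resource-based
    policy that lets the User Pool invoke the trigger. SourceArn restricts the
    grant to one pool, so no other pool or account can invoke the function."""
    return {
        "FunctionName": function_name,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": COGNITO_SERVICE,
        "SourceArn": user_pool_arn,
    }


def cfn_lambda_permission(function_logical_id: str, user_pool_arn: str) -> Dict[str, Any]:
    """The same permission as a CloudFormation resource (what the Serverless
    Framework deploys); function_logical_id is a hypothetical template ID."""
    return {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": {"Fn::GetAtt": [function_logical_id, "Arn"]},
            "Principal": COGNITO_SERVICE,
            "SourceArn": user_pool_arn,
        },
    }


# The trust policy from the question, as a dict: cognito-idp is the principal.
POSTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": COGNITO_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}

# Placeholder ARN (assumption): region, account and pool ID are not from the post.
EXAMPLE_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"

if __name__ == "__main__":
    print("posted policy assumable by Lambda:", lambda_can_assume(POSTED_TRUST_POLICY))
    print("fixed policy assumable by Lambda:", lambda_can_assume(lambda_execution_trust_policy()))
    print(json.dumps(cognito_invoke_permission("postConfirmation", EXAMPLE_POOL_ARN), indent=2))
```

The checker deliberately ignores Condition blocks, so a policy it accepts could still be narrowed by conditions; it is meant to explain the "cannot be assumed by Lambda" error, not to replace the IAM policy simulator. Keeping SourceArn on the invoke permission matters because a permission with Principal cognito-idp.amazonaws.com and no SourceArn can be exercised by any user pool in any account.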