What trust role/policy to assign to create a lambda Post Confirmation Trigger in Cognito?


Hello,

I have an existing Cognito user pool. I want a Lambda function to execute when a user signs up and confirms their email address. For this, I have used the PostConfirmation Lambda trigger. However, I am seeing a role exception when trying to create this trigger, both through the Serverless Framework and through the AWS console.

Following is the exception: InvalidSmsRoleException

Could somebody please help with what role/policy needs to be attached in order to create the trigger? I have read the documentation "Update to IAM Role Trust Policy Behavior" too, but no luck.

I have followed this documentation to create the Lambda function with the post confirmation trigger in Serverless: https://www.serverless.com/framework/docs/providers/aws/events/cognito-user-pool#using-existing-pools

I have also tried assigning the following role to the Lambda function:

Resources:
    CognitoRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: CognitoSignupRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: "Allow"
              Principal:
                Service: "cognito-idp.amazonaws.com"
              Action: "sts:AssumeRole"

However, this throws an error stating: The role defined for the function cannot be assumed by Lambda.

What trust policy needs to be assigned here so the post confirmation trigger gets created?

I have already created the following trust policies while creating the user pool:

    // Inside a CDK stack: `this` is the Stack, `identityPool` is the CfnIdentityPool
    const unauthenticatedRole = new iam.Role(
      this,
      'CognitoDefaultUnauthenticatedRole',
      {
        assumedBy: new iam.FederatedPrincipal(
          'cognito-identity.amazonaws.com',
          {
            StringEquals: {
              'cognito-identity.amazonaws.com:aud': identityPool.ref,
            },
            'ForAnyValue:StringLike': {
              'cognito-identity.amazonaws.com:amr': 'unauthenticated',
            },
          },
          'sts:AssumeRoleWithWebIdentity'
        ),
      }
    );

    unauthenticatedRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
        resources: ['*'],
      })
    );

    const authenticatedRole = new iam.Role(
      this,
      'CognitoDefaultAuthenticatedRole',
      {
        assumedBy: new iam.FederatedPrincipal(
          'cognito-identity.amazonaws.com',
          {
            StringEquals: {
              'cognito-identity.amazonaws.com:aud': identityPool.ref,
            },
            'ForAnyValue:StringLike': {
              'cognito-identity.amazonaws.com:amr': 'authenticated',
            },
          },
          'sts:AssumeRoleWithWebIdentity'
        ),
      }
    );
1 Answer

Since it is the users registered in the user pool that invoke Lambda, the following trust policy may be necessary.
https://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/role-trust-and-permissions.html

EXPERT
answered a year ago
  • Hello, Thank you so much for your response. I have already assigned this trust policy to the User Pool while creating it. I am not sure why this error is still being thrown.

    I am editing the question to include the Cognito User Pool policies for authenticated and unauthenticated users.
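Added example, not the asker's or the answerer's code: a serverless.yml fragment in which the Post Confirmation function's execution role trusts lambda.amazonaws.com, which is what the error "The role defined for the function cannot be assumed by Lambda" is asking for, instead of cognito-idp.amazonaws.com as in the posted CognitoRole. The pool name MyExistingPool and the handler path handler.postConfirmation are placeholders.

```yaml
# Added example, not from the question or the answer. Assumptions: the existing
# user pool is named MyExistingPool and the handler is handler.postConfirmation.
functions:
  postConfirmation:
    handler: handler.postConfirmation
    # Logical ID of the role defined under resources below. The execution role
    # is assumed by the Lambda service, so its trust policy must name
    # lambda.amazonaws.com; a trust policy naming cognito-idp.amazonaws.com
    # is what triggers "cannot be assumed by Lambda".
    role: PostConfirmationRole
    events:
      - cognitoUserPool:
          pool: MyExistingPool
          trigger: PostConfirmation
          existing: true   # attach the trigger to a pool that already exists

resources:
  Resources:
    PostConfirmationRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        # Least privilege: the function only needs CloudWatch Logs.
        # Cognito never assumes this role; it invokes the function through a
        # resource-based lambda:InvokeFunction permission for
        # cognito-idp.amazonaws.com, which the framework's existing-pool
        # custom resource adds to the function for you.
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
```

The cognito-idp.amazonaws.com principal belongs to roles that Cognito itself assumes, such as the SNS caller role in the user pool's SMS configuration, which is the role InvalidSmsRoleException refers to. The function's execution role is a separate role and is only ever assumed by Lambda.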
