How do I troubleshoot errors related to Lambda triggers in Amazon Cognito?


I want to resolve the errors I encounter while configuring AWS Lambda functions as triggers in Amazon Cognito.

Resolution

The following are common errors to troubleshoot when you use Lambda triggers in Amazon Cognito.

"PreSignUp invocation failed due to error AccessDeniedException."

Note: The trigger type is mentioned in the error message. For example, a Lambda function that's attached as a PreSignUp trigger to your user pool responds with the preceding error.

Reason for the error

When you add a Lambda function as a trigger to your user pool from the Amazon Cognito console, Amazon Cognito performs the following actions:

  • Adds the required permission to the function's resource policy. This resource policy allows Amazon Cognito to invoke the function for the trigger types that you configure.
  • Displays the following message: "Permission to invoke Lambda function - You are granting Amazon Cognito permission to invoke this Lambda function on your behalf. Amazon Cognito will add a resource-based policy statement to the function."

This error also occurs when you delete the function that you added as a trigger. If you delete a Lambda trigger, then you must update the corresponding trigger in the user pool. For example, when you delete the post authentication trigger, you must set the Post authentication trigger in the corresponding user pool to none.

Resolving the error

When you create a trigger outside the Amazon Cognito console, you must explicitly add permissions as you assign the trigger to the user pool. To add permissions, use an AWS SDK, AWS Command Line Interface (AWS CLI), or Amazon CloudFormation.

When you add permissions, scope them so that Amazon Cognito invokes the function only on behalf of your user pool and account. To add permissions from the Lambda console, follow the steps in Using resource-based policies for Lambda. You can also use the AddPermission operation.

The following is an example Lambda resource-based policy that allows Amazon Cognito to invoke a function. The user pool is in the aws:SourceArn condition and the account is in the aws:SourceAccount condition.

Note: Replace example_lambda_function_arn, example_account_number, and example_user_pool_arn with your own values.

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-allow-cognito",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "example_lambda_function_arn",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "example_account_number"
        },
        "ArnLike": {
          "aws:SourceArn": "example_user_pool_arn"
        }
      }
    }
  ]
}
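As an added example (not code from the page or from AWS), the following Python check audits a Lambda resource policy for the scoping described above: every Allow statement that grants cognito-idp.amazonaws.com must carry aws:SourceAccount and an aws:SourceArn limited to a single user pool, so that only your pool can invoke the trigger. The function ARN, user pool ARN, account number and statement IDs are constructed placeholders.

```python
import json

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:PreSignUpExample"  # constructed
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"  # constructed

def _policy(sid, condition=None):
    """Build a single-statement Lambda resource policy shaped like the one above (constructed values)."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": COGNITO_PRINCIPAL},
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

UNSCOPED_POLICY = _policy("lambda-allow-cognito-any")  # weak: any user pool in any account may invoke
SCOPED_POLICY = _policy("lambda-allow-cognito", {
    "StringEquals": {"AWS:SourceAccount": "111122223333"},
    "ArnLike": {"AWS:SourceArn": USER_POOL_ARN},
})

def _condition_values(condition, key):
    """Collect the values for one condition key; IAM key names are case-insensitive (AWS:SourceArn == aws:SourceArn)."""
    values = []
    for pairs in condition.values():
        for name, value in pairs.items():
            if name.lower() == key.lower():
                values.extend(value if isinstance(value, list) else [value])
    return values

def check_cognito_statements(policy_json):
    """Return (Sid, problems) for every Allow statement granted to the Cognito service principal;
    an empty problems list means the grant is pinned to one account and one user pool."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or COGNITO_PRINCIPAL not in services:
            continue
        condition, problems = stmt.get("Condition", {}), []
        if not _condition_values(condition, "aws:SourceAccount"):
            problems.append("missing aws:SourceAccount")
        arns = _condition_values(condition, "aws:SourceArn")
        if not arns:
            problems.append("missing aws:SourceArn")
        elif any(":cognito-idp:" not in a or a.endswith("*") for a in arns):
            problems.append("aws:SourceArn not limited to a user pool")
        findings.append((stmt.get("Sid", "<no Sid>"), problems))
    return findings
```

Run check_cognito_statements on the policy returned by the Lambda GetPolicy API to confirm that no trigger function is invocable from a user pool you don't own.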

"Error in authentication, please contact the app owner."

Reason for the error

This error occurs when a Lambda trigger doesn't respond in time:

  • Except for custom sender Lambda triggers, Amazon Cognito invokes Lambda functions synchronously. The function must respond within 5 seconds. If the function doesn't respond, then Amazon Cognito retries the call. After three unsuccessful attempts, the function times out. You can't change the 5-second timeout value.
  • If Amazon Cognito doesn't get a response from the trigger within 5 seconds on any of the three attempts, then Amazon Cognito returns this error.

Resolving the error

If the function times out, then apply best practices for working with Lambda functions to optimize the function. You can have the Lambda function that's associated with the user pool asynchronously call a second Lambda function. With this setup, the functions can perform all required actions without timing out.

"PreSignUp failed with error Syntax error in module lambda_function."

Reason for the error

Amazon Cognito returns this error when there are any syntax errors in your Lambda function.

Resolving the error

Recheck the function code, and correct any syntax errors.

"PreSignUp failed with error Handler 'lambda_handler' missing on module 'lambda_function'."

Reason for the error

The function's runtime settings include a handler parameter. If the handler value (HandlerInfo) contains incorrect information or syntax, then the function can't run and returns this error.

Resolving the error

Configure the handler parameter in your function's configuration to tell the Lambda runtime which handler method to invoke. 

When you configure a function in Python, the handler setting value is the file name (without the .py extension) and the handler function name, separated by a dot. For example, main.Handler calls the Handler method that's defined in main.py.

For more information about handler syntax, see Modifying the runtime environment.

Related information

Important considerations

Custom AWS Lambda runtimes

AWS OFFICIAL
Updated a year ago