1 Answer
1
The Lambda Policy has a resource policy that allows it to be accessed by the Cognito user pool in the form of:
    {
      "Version": "2012-10-17",
      "Id": "default",
      "Statement": [
        {
          "Sid": "<Some SID>",
          "Effect": "Allow",
          "Principal": {
            "Service": "cognito-idp.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:<region>:<AWS Account>:function:<Lambda function name>",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:cognito-idp:<region>:<AWS Account>:userpool/<User Pool ID>"
            }
          }
        }
      ]
    }
But the Lambda function still executes as lambda.amazonaws.com and must be authorized as such through the Lambda Execution Role associated with the Lambda function.
answered a year ago
Ahhhh that's much clearer now. The lambda still runs as lambda.amazonaws.com but you have to give cognito-idp.amazonaws.com permission to invoke it. Thanks very much for explaining!
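As an added example (not part of the answer above), this Python sketch audits a Lambda resource policy of the shape shown in the answer and reports whether each statement granting invoke access to cognito-idp.amazonaws.com is pinned to one user pool through the SourceArn condition. The function names, the finding strings and the sample account, region, function name and pool ID are constructed placeholders; it checks only the resource policy, not the execution role.

```python
import json

COGNITO = "cognito-idp.amazonaws.com"

def as_list(value):
    return value if isinstance(value, list) else [value]

def source_arns(statement):
    """aws:SourceArn values under ArnLike/ArnEquals (condition keys are case-insensitive)."""
    arns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in ("arnlike", "arnequals"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns.extend(as_list(value))
    return arns

def pinned(arn):
    # Assumes the standard "aws" partition; any wildcard counts as not pinned.
    return (arn.startswith("arn:aws:cognito-idp:") and ":userpool/" in arn
            and "*" not in arn and "?" not in arn)

def audit_cognito_invoke(policy_json):
    """Return (Sid, finding) for each statement that lets Cognito invoke the function."""
    findings = []
    for st in as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or COGNITO not in services:
            continue
        arns = source_arns(st)
        if not arns:
            findings.append((st.get("Sid"), "not restricted to a user pool"))
        elif not all(pinned(a) for a in arns):
            findings.append((st.get("Sid"), "SourceArn contains a wildcard or wrong service"))
        else:
            findings.append((st.get("Sid"), "ok"))
    return findings

def make_policy(sid, condition=None):
    # Constructed sample statement; account, region, names and pool ID are placeholders.
    st = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": COGNITO},
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-trigger"}
    if condition:
        st["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [st]})

POOL = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"

if __name__ == "__main__":
    print(audit_cognito_invoke(make_policy("scoped", {"ArnLike": {"AWS:SourceArn": POOL}})))
    print(audit_cognito_invoke(make_policy("open")))
```

The policy document to feed it is the JSON returned for the function's resource-based policy, in the same form as the one quoted in the answer.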