What trust role/policy to assign to create a lambda Post Confirmation Trigger in Cognito?

0

Hello,

I have an existing cognito user pool. I want a lambda function to execute when a user signs up and confirms their email address. For this, I have used the PostConfirmation lambda trigger. However, I am seeing a Role Exception on trying to create this trigger, both through serverless framework and through the AWS console.

Following is the exception: InvalidSmsRoleException

Could somebody please help with what Role/Policy needs to be attached in order to create the trigger? I have read the documentation "Update to IAM Role Trust Policy Behavior" too, but no luck.

I have followed this documentation to create the lambda function with the post confirmation trigger in serverless: https://www.serverless.com/framework/docs/providers/aws/events/cognito-user-pool#using-existing-pools

I have also tried assigning the following role to the lambda function:

Resources:
  CognitoRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CognitoSignupRole
      # Trust policy: the principal allowed to assume this role is the
      # Cognito user pool service, so the role is assumable by Cognito,
      # not by the Lambda service.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: "Allow"
            Principal:
              Service: "cognito-idp.amazonaws.com"
            Action: "sts:AssumeRole"

However, this throws an error stating: The role defined for the function cannot be assumed by Lambda.

What trust policy needs to be assigned here so the post confirmation trigger gets created?

I have already created the following trust policies while creating the user pool:

// Fragment from inside a CDK Stack constructor ("this" is the stack).
// Import path assumes aws-cdk-lib v2; on CDK v1 it would be '@aws-cdk/aws-iam'.
import * as iam from 'aws-cdk-lib/aws-iam';

// identityPool is the CfnIdentityPool created earlier in the same stack.
// Both roles below trust the identity pool federation endpoint
// (cognito-identity.amazonaws.com), scoped to this pool's ID via the
// "aud" claim and to the caller type via the "amr" claim.
const unauthenticatedRole = new iam.Role(
  this,
  'CognitoDefaultUnauthenticatedRole',
  {
    assumedBy: new iam.FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': identityPool.ref,
        },
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'unauthenticated',
        },
      },
      'sts:AssumeRoleWithWebIdentity'
    ),
  }
);

// Permissions granted to guests (unauthenticated identities).
unauthenticatedRole.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['mobileanalytics:PutEvents', 'cognito-sync:*'],
    resources: ['*'],
  })
);

const authenticatedRole = new iam.Role(
  this,
  'CognitoDefaultAuthenticatedRole',
  {
    assumedBy: new iam.FederatedPrincipal(
      'cognito-identity.amazonaws.com',
      {
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': identityPool.ref,
        },
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'authenticated',
        },
      },
      'sts:AssumeRoleWithWebIdentity'
    ),
  }
);
1 Answer
1

Since it is the users registered in the user pool that invoke Lambda, the following trust policy may be necessary.
https://docs.aws.amazon.com/ja_jp/cognito/latest/developerguide/role-trust-and-permissions.html

EXPERT
answered a year ago
  • Hello, Thank you so much for your response. I have already assigned this trust policy to the User Pool while creating it. I am not sure why this error is still being thrown.

    I am editing the question to include the Cognito User Pool policies for authenticated and unauthenticated users.
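Added example, not part of the question or the answer above: a CloudFormation template showing the three distinct roles/policies that are easy to confuse when wiring a PostConfirmation trigger. The Lambda execution role must trust lambda.amazonaws.com (a role trusting cognito-idp.amazonaws.com, as in the question, is rejected with "The role defined for the function cannot be assumed by Lambda"); the user pool needs a resource-based Lambda permission to invoke the function; and the SMS role that the InvalidSms* exceptions refer to is a property of the user pool's SmsConfiguration, not of the Lambda function at all. The identity-pool roles in the question are a fourth, unrelated set and do not affect triggers. All resource names, the runtime, the UserPoolId parameter and the ExternalId value are placeholders chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): the roles and permission
  needed for a Cognito PostConfirmation Lambda trigger on an existing pool.

Parameters:
  UserPoolId:
    Type: String
    Description: ID of the existing user pool, e.g. us-east-1_XXXXXXXXX (placeholder)
  SmsExternalId:
    Type: String
    Description: Secret string; must equal ExternalId in the pool's SmsConfiguration

Resources:
  # 1. Execution role for the trigger function. The service that assumes
  #    this role is Lambda, never Cognito. Putting cognito-idp.amazonaws.com
  #    here is what produces "cannot be assumed by Lambda".
  PostConfirmationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only; add scoped statements for whatever the
        # trigger actually touches (DynamoDB table, SES, ...), not "*".
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  PostConfirmationFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs18.x
      Handler: index.handler
      Role: !GetAtt PostConfirmationRole.Arn
      Code:
        ZipFile: |
          // Cognito requires the trigger to return the event object.
          exports.handler = async (event) => event;

  # 2. Resource-based policy on the function. This, not the execution role,
  #    is what allows the user pool to invoke the trigger. SourceArn pins the
  #    grant to one pool so a pool in another account cannot invoke it
  #    (confused-deputy protection).
  PostConfirmationInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref PostConfirmationFunction
      Principal: cognito-idp.amazonaws.com
      SourceArn: !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}

  # 3. The SMS role lives in the user pool's SmsConfiguration (SnsCallerArn +
  #    ExternalId). It is the one role that should trust cognito-idp; it needs
  #    sns:Publish and an ExternalId condition that the pool presents on
  #    AssumeRole, so an arbitrary pool cannot use it to send SMS.
  CognitoSmsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cognito-idp.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref SmsExternalId
      Policies:
        - PolicyName: CognitoSnsPublish
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sns:Publish
                Resource: '*'

Outputs:
  PostConfirmationFunctionArn:
    Description: Set this as LambdaConfig.PostConfirmation on the existing pool
    Value: !GetAtt PostConfirmationFunction.Arn
  SmsRoleArn:
    Description: Set this as SmsConfiguration.SnsCallerArn on the existing pool
    Value: !GetAtt CognitoSmsRole.Arn
```

The pool side of the wiring (LambdaConfig.PostConfirmation and, if SMS is in use, SmsConfiguration) is then set on the existing pool through the console or `aws cognito-idp update-user-pool`. Two checks before blaming the trigger role: `aws lambda get-policy --function-name <name>` shows whether the invoke permission from cognito-idp.amazonaws.com exists, and `aws iam get-role --role-name <name>` shows the trust policy actually attached. One caveat with `update-user-pool`: attributes you do not pass are reset to their defaults, so send the complete current configuration, including the SMS settings, rather than only the new LambdaConfig.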
