Cognito Post Authentication Trigger Not Working


I am trying to invoke a Lambda function upon user login with AWS Cognito. I have created a post authentication trigger for the Cognito user pool that should invoke my Lambda function; however, when I try to test this by logging into Cognito, CloudWatch Logs show that the Lambda function is never invoked. I have tested the Lambda function with the trigger event simulated and it works completely fine, so my best guess is that there is an issue with the trigger. (For context, I am trying to build a login page. A user should sign in via Cognito, and the Lambda function should grab the username from the trigger event, which is then used to access a DynamoDB database.) I am a student and this is my first time working with AWS, so the issue might be obvious, but if anyone knows a solution it would be greatly appreciated!

1 Answer

Hello,

Thank you for posting on AWS re:Post!

I understand that you have added a post authentication Lambda trigger to your user pool, but when you tried testing by logging in to Cognito, it didn't get invoked.

Firstly, I would like to provide you with the AWS reference document below for understanding the important considerations when using Lambda triggers with Cognito.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#important-lambda-considerations

You have mentioned that the post authentication Lambda trigger didn't get invoked after authentication. In order for Cognito to invoke the Lambda function, you need to associate the following resource-based policy with your Lambda function.

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "lambda-allow-cognito",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "<your Lambda function ARN>",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "<your account number>"
                },
                "ArnLike": {
                    "AWS:SourceArn": "<your user pool ARN>"
                }
            }
        }
    ]
}


Please attach this resource-based policy to your Lambda function to allow the Cognito user pool to invoke the function.

I hope this information will be helpful to you.

Thank you!!

AWS
SUPPORT ENGINEER
answered 8 months ago
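The policy in the answer above, turned into a check you can run against what your function actually has. This is an added example, not code from the question or from the AWS answer; the function name, user pool ARN and account number are constructed placeholders. It parses the document that `aws lambda get-policy` returns (the decoded `Policy` string), reports whether any statement lets `cognito-idp.amazonaws.com` call `lambda:InvokeFunction` on the function, and whether that grant is pinned to your pool and account with the `AWS:SourceArn` and `AWS:SourceAccount` conditions the answer recommends. Without those conditions any Cognito user pool in any AWS account could invoke the function through the service principal. When the grant is missing it prints the equivalent `aws lambda add-permission` command.

```python
"""Check a Lambda function's resource-based policy for a Cognito user-pool
trigger.  Added example, not code from the re:Post answer.  All ARNs and the
account number are constructed placeholders; substitute your own."""
import fnmatch
import shlex

COGNITO_SERVICE = "cognito-idp.amazonaws.com"


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _lower_keys(mapping):
    """Condition keys such as AWS:SourceArn / aws:SourceArn are case-insensitive."""
    return {k.lower(): v for k, v in (mapping or {}).items()}


def _arn_like(pattern, arn):
    """ArnLike semantics: '*' and '?' wildcards (brackets do not occur in ARNs)."""
    return fnmatch.fnmatchcase(arn, pattern)


def check_cognito_invoke(policy, function_arn, user_pool_arn, account_id):
    """Return findings for a parsed policy document.

    allowed           -- a statement lets cognito-idp.amazonaws.com invoke the function
    scoped_to_pool    -- that statement has an aws:SourceArn condition matching the pool
    scoped_to_account -- that statement also has an aws:SourceAccount condition
    The two conditions are the confused-deputy protection: without them any
    user pool in any account can invoke the function via the service principal.
    """
    findings = {"allowed": False, "scoped_to_pool": False,
                "scoped_to_account": False, "sid": None}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and COGNITO_SERVICE not in services:
            continue
        if not any(fnmatch.fnmatchcase("lambda:InvokeFunction", a)
                   for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_arn_like(r, function_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        cond = _lower_keys(stmt.get("Condition"))
        arn_cond = {**_lower_keys(cond.get("arnlike")), **_lower_keys(cond.get("arnequals"))}
        source_arns = _as_list(arn_cond.get("aws:sourcearn"))
        if source_arns and not any(_arn_like(p, user_pool_arn) for p in source_arns):
            continue  # statement is for a different user pool
        source_accounts = _as_list(_lower_keys(cond.get("stringequals")).get("aws:sourceaccount"))
        if source_accounts and account_id not in source_accounts:
            continue
        findings.update(allowed=True, scoped_to_pool=bool(source_arns),
                        scoped_to_account=bool(source_accounts), sid=stmt.get("Sid"))
        break
    return findings


def add_permission_command(function_name, user_pool_arn, account_id,
                           statement_id="lambda-allow-cognito"):
    """AWS CLI equivalent of attaching the answer's policy statement."""
    return " ".join(shlex.quote(p) for p in [
        "aws", "lambda", "add-permission",
        "--function-name", function_name,
        "--statement-id", statement_id,
        "--action", "lambda:InvokeFunction",
        "--principal", COGNITO_SERVICE,
        "--source-arn", user_pool_arn,
        "--source-account", account_id,
    ])


# Constructed placeholder values (not real resources).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:post-auth-hook"
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
ACCOUNT_ID = "123456789012"

# The answer's statement with the placeholders filled in.
GOOD_POLICY = {
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{
        "Sid": "lambda-allow-cognito", "Effect": "Allow",
        "Principal": {"Service": COGNITO_SERVICE},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT_ID},
                      "ArnLike": {"AWS:SourceArn": USER_POOL_ARN}},
    }],
}
# A function with no grant at all: the trigger silently never fires.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    for name, pol in [("good", GOOD_POLICY), ("empty", EMPTY_POLICY)]:
        f = check_cognito_invoke(pol, FUNCTION_ARN, USER_POOL_ARN, ACCOUNT_ID)
        print(name, f)
        if not f["allowed"]:
            print("  fix:", add_permission_command("post-auth-hook", USER_POOL_ARN, ACCOUNT_ID))
```

To run this against a real function, feed it `json.loads(json.loads(aws lambda get-policy --function-name ... output)["Policy"])`; if the function has no resource-based policy at all, `get-policy` returns a ResourceNotFoundException, which is the same situation as `EMPTY_POLICY` here. Note that the Cognito console adds this permission for you when you attach a trigger there, whereas attaching it through the CLI, an SDK or CloudFormation requires adding the permission yourself, which is the usual reason the trigger configuration looks right but the function is never invoked.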
