1 Answer
The Lambda function has a resource policy that allows it to be accessed by the Cognito user pool in the form of:

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "<Some SID>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:<region>:<AWS Account>:function:<Lambda function name>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:cognito-idp:<region>:<AWS Account>:userpool/<User Pool ID>"
        }
      }
    }
  ]
}
```

But the Lambda function still executes as lambda.amazonaws.com and must be authorized as such through the Lambda execution role associated with the Lambda function.
answered a year ago
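As an added illustration (not part of the original answer and not AWS's own policy evaluator), the following Python models how the resource policy above gates invocation: the Cognito service principal is allowed only when the calling user pool's ARN matches the `ArnLike` condition, so a user pool in another account cannot invoke the function. The region, account id, function name and user pool id are constructed placeholders, and the evaluator is simplified (it handles `Allow` statements and the `aws:SourceArn` condition only).

```python
import re

# Constructed placeholder values (not real account or pool identifiers).
REGION = "us-east-1"
ACCOUNT = "111122223333"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:PreSignUpTrigger"
USER_POOL_ARN = f"arn:aws:cognito-idp:{REGION}:{ACCOUNT}:userpool/{REGION}_EXAMPLEID"

# The resource policy from the answer, with the placeholders filled in.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "AllowCognitoInvoke",
        "Effect": "Allow",
        "Principal": {"Service": "cognito-idp.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"aws:SourceArn": USER_POOL_ARN}},
    }],
}


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike semantics: case-sensitive match, '*' and '?' are wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_invoke_allowed(policy: dict, service: str, source_arn: str, function_arn: str) -> bool:
    """True if an Allow statement grants lambda:InvokeFunction to `service`
    on `function_arn` for a request whose aws:SourceArn is `source_arn`.
    Simplified: explicit Deny statements and other condition operators are not modeled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"].get("Service") != service:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "lambda:InvokeFunction" not in actions and "lambda:*" not in actions:
            continue
        if not arn_like(stmt["Resource"], function_arn):
            continue
        # The condition is what stops a user pool in another account (confused deputy).
        expected = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if expected is not None and not arn_like(expected, source_arn):
            continue
        return True
    return False
```

Note that a `True` result only means Cognito may call the function; what the function itself can touch at runtime is still decided by the execution role, exactly as the answer says.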
Ahhhh that's much clearer now. The lambda still runs as lambda.amazonaws.com but you have to give cognito-idp.amazonaws.com permission to invoke it. Thanks very much for explaining!