What is the user principal of a cognito preauth function?

0

When you have to give IAM permissions to a cognito preauth trigger, is the role you assign assumed by 'lambda.amazonaws.com' like any other lambda? Or are triggers run by the cognito service principle, 'cognito-idp.amazonaws.com' ?

I need to give my lambda permission to do dynamodb:GetItem on a specific table (by ARN) and it's not working. It might be not working for some other reason than this. I think the answer is it's still lambda.amazonaws.com but wanted to double check, mainly because I can't find what cognito-idp.amazonaws.com is used for.

profile picture
wz2b
asked a year ago261 views
1 Answer
1
Accepted Answer

The Lambda Policy has a resource policy that allows it to be accessed by the Congito user pool in the form of:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": ",<Some SID>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:<region>:<AWS Account>:function:<Lambda function name>",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cognito-idp:<region>:<AWS Account>:userpool/<User Pool ID>"
        }
      }
    }
  ]
}

But the Lambda function still executes as lambda.amazonaws.com and must be authorized as such through the Lambda Execution Role associated to the Lambda function.

AWS
answered a year ago
  • Ahhhh that's much clearer now. The lambda still runs as lambda.amazonaws.com but you have to give cognito-idp.amazonaws.com permission to invoke it. Thanks very much for explaining!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions