1 Answer
1
Your PolicyDocument looks correct to me, but IAM permissions are sometimes a real PITA to get right. Looking more closely at the error, it seems to indicate that it's complaining about the resource not being "*". Maybe Cognito doesn't support resource-level permissions and you have to use the wildcard; I looked in the Cognito docs but I can't find a clear answer.
Suggestion: change
Resource:
- "arn:aws:cognito-idp:*:*:userpool/*"
to
Resource:
- "*"
answered 2 years ago
"Actions defined by Amazon Cognito User Pools" is documented at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html, where the row for "CreateUserPool" shows no value in the Resource types column, meaning you must specify all resources ("*") in the Resource element of your policy statement.
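Added example, not code from the answer or the comment above: a small Python check that flags a statement scoping CreateUserPool to a user pool ARN (the situation in the question), and then splits the policy so only that action gets Resource "*" while the actions that do accept a user pool ARN stay constrained. The action table and the policy are constructed here from the service authorization reference linked above; the function names are mine.

```python
import json

# Constructed subset of the "Actions defined by Amazon Cognito User Pools"
# reference cited above: True if the action accepts a user pool ARN as
# Resource. CreateUserPool has an empty "Resource types" column, so a
# statement granting it must use "*".
SUPPORTS_USERPOOL_ARN = {
    "cognito-idp:CreateUserPool": False,
    "cognito-idp:DescribeUserPool": True,
    "cognito-idp:DeleteUserPool": True,
}

# Constructed policy in the shape of the question: every action scoped to
# the user pool ARN pattern, including the one that cannot be.
POLICY_AS_ASKED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": list(SUPPORTS_USERPOOL_ARN),
        "Resource": ["arn:aws:cognito-idp:*:*:userpool/*"],
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_unmatched_actions(policy):
    """Actions granted only on a specific ARN even though they take no
    resource type: such a statement never applies to the API call."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        bad += [a for a in _as_list(stmt["Action"])
                if SUPPORTS_USERPOOL_ARN.get(a) is False]
    return bad

def split_by_resource_support(policy):
    """Move wildcard-only actions into their own Resource "*" statement and
    keep the ARN-scoped statement for the rest, so "*" is not widened to
    actions that can be constrained to a user pool."""
    new_statements = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        needs_star = [a for a in actions if SUPPORTS_USERPOOL_ARN.get(a) is False]
        scoped = [a for a in actions if a not in needs_star]
        if scoped:
            new_statements.append({**stmt, "Action": scoped})
        if needs_star:
            new_statements.append({"Effect": stmt["Effect"], "Action": needs_star, "Resource": "*"})
    return {**policy, "Statement": new_statements}

if __name__ == "__main__":
    print(find_unmatched_actions(POLICY_AS_ASKED))  # ['cognito-idp:CreateUserPool']
    print(json.dumps(split_by_resource_support(POLICY_AS_ASKED), indent=2))
```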