What is the user principal of a cognito preauth function?
When you have to give IAM permissions to a cognito preauth trigger, is the role you assign assumed by 'lambda.amazonaws.com' like any other lambda? Or are triggers run by the cognito service principle, 'cognito-idp.amazonaws.com' ?
I need to give my lambda permission to do dynamodb:GetItem on a specific table (by ARN) and it's not working. It might be not working for some other reason than this. I think the answer is it's still lambda.amazonaws.com but wanted to double check, mainly because I can't find what cognito-idp.amazonaws.com is used for.
- 最新
- 投票最多
- 评论最多
The Lambda Policy has a resource policy that allows it to be accessed by the Congito user pool in the form of:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": ",<Some SID>",
"Effect": "Allow",
"Principal": {
"Service": "cognito-idp.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:<region>:<AWS Account>:function:<Lambda function name>",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cognito-idp:<region>:<AWS Account>:userpool/<User Pool ID>"
}
}
}
]
}
But the Lambda function still executes as lambda.amazonaws.com and must be authorized as such through the Lambda Execution Role associated to the Lambda function.
相关内容
AWS 官方已更新 2 年前- AWS 官方已更新 1 年前
Ahhhh that's much clearer now. The lambda still runs as
lambda.amazonaws.combut you have to givecognito-idp.amazonaws.compermission to invoke it. Thanks very much for explaining!