AWS Cognito User Cannot Invoke Lambda (403 Not Authorized)

I've created a set of AWS Lambdas using the Serverless framework, and a React app which calls these. A user pool and an identity pool have been set up in AWS Cognito, and a table in DynamoDB. (I've followed the tutorial on serverless-stack.com.) It's a simple notes app.

The client app is deployed to: https://dev.cakebook.co

The API is deployed to: https://api.cakebook.co/dev/orders

However, after I log in using this Cognito user:

admin@example.com Passw0rd!

I get a 403 response for the GET of the orders:

message: "User: arn:aws:sts::********8766:assumed-role/cakebook-api-dev-CognitoAuthRole-1DTRT5XGEGRXW/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-2:********8766:sss6l7svxc/dev/GET/orders"

I'm new to all this, but it looks like my Cognito user does not have permission to call the Lambda (or API Gateway?). Is that the issue? If so, how do I give the users permission to call the Lambdas?

UPDATE, requested JSON

Execution Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-create:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-get:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-list:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-update:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-delete:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-create:*:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-get:*:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-list:*:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-update:*:*",
                "arn:aws:logs:us-east-2:********8766:log-group:/aws/lambda/cakebook-api-dev-delete:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-2:********8766:table/orders"
            ],
            "Effect": "Allow"
        },
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-2:********8766:function:cakebook-api-dev-list",
            "Condition": {
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:cognito-identity:us-east-2:********8766:identitypool/us-east-2:d9e4e505-c64a-4836-8e56-3af843dbe453"
                }
            }
        }
    ]
}

Function Policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "cakebook-api-dev-ListLambdaPermissionApiGateway-U7OCBI3JM44G",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:********8766:function:cakebook-api-dev-list",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-2:********8766:w5o4vxx4f0/*/*"
        }
      }
    },
    {
      "Sid": "lambda-da48f6d0-6d3c-4bbf-a761-ca3510f79624",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-sync.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:********8766:function:cakebook-api-dev-list",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cognito-identity:us-east-2:********8766:identitypool/us-east-2:d9e4e505-c64a-4836-8e56-3af843dbe453"
        }
      }
    }
  ]
}
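As an added illustration (not code from the question, the answer, or any AWS tool): the 403 body quoted above is a standard IAM access-denied message that names the principal, the denied action and the resource. The script below parses such a message and emits the single least-privilege identity-policy statement that would satisfy exactly that denial, so an operator grants no more than the message asks for; note that execute-api:Invoke is evaluated by API Gateway against the caller's role, which is a separate check from a Lambda function's resource policy. The regex, function names and the whole_stage option are my own; the sample message is constructed from the one on the page.

```python
import json
import re

# Constructed sample, modelled on the 403 message quoted in the question
# (account id left masked exactly as it appears on the page).
SAMPLE_MESSAGE = (
    "User: arn:aws:sts::********8766:assumed-role/"
    "cakebook-api-dev-CognitoAuthRole-1DTRT5XGEGRXW/CognitoIdentityCredentials "
    "is not authorized to perform: execute-api:Invoke on resource: "
    "arn:aws:execute-api:us-east-2:********8766:sss6l7svxc/dev/GET/orders"
)

# Shape of the IAM access-denied text: principal, action, resource.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Return (principal, action, resource) from an IAM access-denied message."""
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM access-denied message")
    return m.group("principal"), m.group("action"), m.group("resource")


def role_name_from_principal(principal):
    """'arn:aws:sts::acct:assumed-role/Role/Session' -> 'Role' (the role to fix)."""
    parts = principal.split(":")[-1].split("/")
    if parts[0] != "assumed-role" or len(parts) < 3:
        raise ValueError("principal is not an assumed-role ARN")
    return parts[1]


def minimal_policy(message, whole_stage=False):
    """Identity policy granting exactly the denied action on the denied resource.
    whole_stage=True widens an execute-api ARN to every method/route in the stage."""
    _, action, resource = parse_access_denied(message)
    if whole_stage and action.startswith("execute-api:"):
        # arn:aws:execute-api:region:acct:api-id/stage/METHOD/path -> .../stage/*
        api_arn, _, rest = resource.partition("/")
        resource = f"{api_arn}/{rest.split('/')[0]}/*"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}


if __name__ == "__main__":
    principal, _, _ = parse_access_denied(SAMPLE_MESSAGE)
    print("attach to role:", role_name_from_principal(principal))
    print(json.dumps(minimal_policy(SAMPLE_MESSAGE), indent=2))
```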

You need to update the Lambda permission to allow invocation by the Cognito user pool.

Option A - update the permission in JSON format

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-something",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-sync.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-west-1:__accountId__:__function_name__",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cognito-identity:eu-west-1:__accountId__:identitypool/eu-west-1:....."
        }
      }
    }
  ]
}

Option B - in the console

  1. Go to the Lambda Configuration page
  2. Add the trigger "Cognito Sync Trigger"
  3. While saving, it will offer to configure the Lambda permission automatically - agree
