aws lambda - user is not authorized to perform: cognito-idp:ListUsers on resource
I encountered the error below when trying to get all users in my user pool while testing in Lambda.
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",
My code in Lambda:

    var AWS = require('aws-sdk');

    exports.handler = () => {
      var params = {
        UserPoolId: 'us-west-2_abcdefg'
      };
      return new Promise((resolve, reject) => {
        // Explicit keys make the SDK sign requests as that IAM user instead of
        // the Lambda execution role, which is why the error names user/xxxxx
        AWS.config.update({ region: 'us-west-2', accessKeyId: 'accesskey', secretAccessKey: 'secretkey' });
        var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
        cognitoidentityserviceprovider.listUsers(params, (err, data) => {
          if (err) {
            console.log(err);
            reject(err);
          } else {
            console.log("data", data);
            resolve(data);
          }
        });
      });
    };
I tried to add an inline policy in IAM but still got the same error:
Check your JSON (second tab) and add the following above "lambdaexecutionpolicy":

    "lambalistuserspolicy": {
      "DependsOn": [
        "LambdaExecutionRole"
      ],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-list-users-policy",
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cognito-idp:ListUsers"
              ],
              "Resource": {
                "Fn::Sub": [
                  "arn:aws:cognito-idp:${region}:${account}:*",
                  {
                    "region": {
                      "Ref": "AWS::Region"
                    },
                    "account": {
                      "Ref": "AWS::AccountId"
                    },
                    "lambda": {
                      "Ref": "LambdaFunction"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },
You have assigned a permission from Cognito Identity, while the permission that you need is from Cognito User Pools.
In my opinion, the best way to update a policy via the Console is using the JSON view. That lets you create a statement that contains the exact action shown in the error message, without guessing at the service.
You should also be familiar with the Actions, Conditions, and Resource Keys page for IAM. It details the actions available for each service, and starts by telling you the service name. If you're confused about which service, you can check the ones that you think apply, until you find the correct one (in this case, "cognito-idp").
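The service-prefix point above, as an added example that is not part of the original answers: a small IAM-style matcher (constructed here, not AWS's policy evaluator) that checks the action and resource ARN from the error message against a broad Cognito Identity grant and against a least-privilege Cognito User Pools grant. The two policy documents are constructed for the example.

```javascript
// Added example: a minimal IAM-style matcher (constructed here, not AWS's
// policy evaluator). It models only Effect/Action/Resource with "*" and "?"
// wildcards; Condition, NotAction, explicit Deny across policies and the
// role-vs-user identity question are out of scope.
function globToRegExp(pattern, caseInsensitive) {
  // Escape regex metacharacters, then turn IAM wildcards into regex forms.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const body = escaped.replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + body + '$', caseInsensitive ? 'i' : '');
}

function asList(v) {
  return Array.isArray(v) ? v : [v];
}

// True when some Allow statement covers both the action and the resource ARN.
// Action names are matched case-insensitively, ARNs case-sensitively.
function isAllowed(policy, action, resource) {
  return asList(policy.Statement).some((st) =>
    st.Effect === 'Allow' &&
    asList(st.Action).some((a) => globToRegExp(a, true).test(action)) &&
    asList(st.Resource).some((r) => globToRegExp(r, false).test(resource)));
}

// Action and resource copied from the AccessDeniedException in the question.
const ACTION = 'cognito-idp:ListUsers';
const RESOURCE = 'arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg';

// Constructed: broad grant on the wrong service (Cognito Identity / federated identities).
const cognitoIdentityPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'cognito-identity:*', Resource: '*' }],
};

// Constructed: least-privilege grant of the exact action on the one user pool.
const userPoolPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['cognito-idp:ListUsers'],
    Resource: 'arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg',
  }],
};

console.log('cognito-identity policy covers ListUsers:', isAllowed(cognitoIdentityPolicy, ACTION, RESOURCE)); // false
console.log('cognito-idp policy covers ListUsers:', isAllowed(userPoolPolicy, ACTION, RESOURCE)); // true
```

The first check stays false no matter how broad the Cognito Identity wildcard is, because the prefix before the colon is a different service; the second is true only for the action and pool the statement names.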