lambda - 用户无权执行:cognito-idp:ListUsers
[英]lambda - user is not authorized to perform: cognito-idp:ListUsers
问题描述
I have encountered below error when I am trying to get all users in my user pool during testing in Lambda.
在 Lambda 中进行测试期间,当我尝试获取用户池中的所有用户时,我遇到了以下错误。
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",
My code in lambda:我在 lambda 中的代码:
var AWS = require('aws-sdk');
exports.handler = () => {
var params = {
UserPoolId: 'us-west-2_abcdefg',
}
return new Promise((resolve, reject) => {
AWS.config.update({ region: 'us-west-2', 'accessKeyId': 'accesskey', 'secretAccessKey': 'secretkey' });
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
cognitoidentityserviceprovider.listUsers(params, (err, data) => {
if (err) {
console.log(err);
reject(err)
}
else {
console.log("data", data);
resolve(data)
}
})
});
};
I tried to add inline policy in IAM but still same error:我尝试在 IAM 中添加内联策略,但仍然出现相同的错误:
Lambda IAM Role Lambda IAM 角色
I knew I should update json for the policy, but Can someone provide detailed step to update the json policy?我知道我应该为策略更新 json,但是有人可以提供更新 json 策略的详细步骤吗?
3 个解决方案
解决方案1
2 已采纳 2020-10-26 08:12:34
I have encountered below error when I am trying to get all users in my user pool during testing in Lambda.当我尝试在Lambda中进行测试时让所有用户都进入我的用户池时,遇到以下错误。
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",
My code in lambda:我在lambda中的代码:
var AWS = require('aws-sdk');
exports.handler = () => {
var params = {
UserPoolId: 'us-west-2_abcdefg',
}
return new Promise((resolve, reject) => {
AWS.config.update({ region: 'us-west-2', 'accessKeyId': 'accesskey', 'secretAccessKey': 'secretkey' });
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
cognitoidentityserviceprovider.listUsers(params, (err, data) => {
if (err) {
console.log(err);
reject(err)
}
else {
console.log("data", data);
resolve(data)
}
})
});
};
I tried to add inline policy in IAM but still same error:我试图在IAM中添加内联策略,但仍然存在相同的错误:
Lambda IAM Role Lambda IAM角色
I knew I should update json for the policy, but Can someone provide detailed step to update the json policy?我知道我应该为该策略更新json,但是有人可以提供详细的步骤来更新json策略吗?
解决方案2
1 2021-05-24 19:45:32
It's just a permission issue.这只是一个许可问题。 Follow the following steps :请按照以下步骤操作:
I. CREATING THE POLICY (FOR PERMISSION) I. 制定政策(获得许可)
- Go to IAM console -> Policies -> Create Policy.转至 IAM 控制台 -> 策略 -> 创建策略。
- Choose "Cognito User Pools" Services.选择“Cognito 用户池”服务。
- Specify the desired actions for which you need permission for (List, Read, etc.)指定您需要权限的所需操作(列表、读取等)
- Specify Resources.指定资源。
- Choose request conditions (optional).选择请求条件(可选)。
- Add Tags (Optional).添加标签(可选)。
- Give name and description of the policy.给出政策的名称和描述。
- Click on "Create Policy" button.单击“创建策略”按钮。
POLICY CREATED.政策已创建。
II.二、 ADDING THE POLICY TO THE USER :向用户添加政策:
- Go to IAM console -> Users.转到 IAM 控制台 -> 用户。
- Select the desired user.选择所需的用户。
- In permissions tab, click on Add Permissions.在权限选项卡中,单击添加权限。
- Click on "Attach existing policy directly".单击“直接附加现有策略”。
- Search for the policy you just created.搜索您刚刚创建的策略。
- Click on "Add Permissions"点击“添加权限”
ISSUE IS RESOLVED.问题已解决。
解决方案3
0 2021-05-07 11:09:30
Solution worked for me :解决方案对我有用:
Step : 1 I have created a new policy with below json from IAM console步骤:1我从 IAM 控制台使用以下 json 创建了一个新策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-identity:MergeDeveloperIdentities",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:ListIdentityPools",
"cognito-identity:CreateIdentityPool",
"cognito-identity:ListIdentities",
"cognito-identity:GetOpenIdTokenForDeveloperIdentity",
"cognito-identity:GetOpenIdToken",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetPrincipalTagAttributeMap",
"cognito-identity:GetId",
"cognito-identity:LookupDeveloperIdentity",
"cognito-identity:UnlinkDeveloperIdentity",
"cognito-identity:ListTagsForResource",
"cognito-identity:UpdateIdentityPool",
"cognito-identity:UnlinkIdentity",
"cognito-identity:DescribeIdentity",
"cognito-identity:GetCredentialsForIdentity"
],
"Resource": "*"
}
]
} }
Step: 2 Added the policy to ecsInstanceRole步骤:2将策略添加到 ecsInstanceRole
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.