
Setting up Lambda IAM Policy to access Cognito

I've created a lambda to check for custom logic before signing up a new Cognito user. In creating the IAM Policy for this lambda, what is the correct "Action" and "Resource" I should use here?

I'm following this guide: https://medium.com/@earlg3/using-lambda-aws-cognito-triggers-to-only-allow-auto-verification-to-specific-domain-db2efea79c44

Lambda

exports.handler = function(event, context) {

    // Configure the email domain that will be allowed to automatically verify.
    var approvedDomain = "approveddomain.com";

    // Log the event information for debugging purposes.
    console.log('Received event:', JSON.stringify(event, null, 2));

    // Cognito passes the sign-up attributes under request.userAttributes.
    var email = event.request.userAttributes.email || "";

    // Anchor the check at the "@" so only that exact domain passes;
    // a substring match would also accept "user@approveddomain.com.example".
    if (email.endsWith('@' + approvedDomain)) {
        console.log("This is an approved email address. Proceeding to send verification email.");
        event.response.emailSubject = "Signup Verification Code";
        event.response.emailMessage = "Thank you for signing up. " + event.request.codeParameter + " is your verification code.";
        context.done(null, event);
    } else {
        console.log("This is not an approved email address. Throwing error.");
        var error = new Error('EMAIL_DOMAIN_ERR');
        context.done(error, event);
    }
};

My best guess so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaSignUp",
            "Effect": "Allow",
            "Action": [
                "cognito-sync:*",
                "cognito-idp:*"
            ],
            "Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
        }
    ]
}

Figured it out - turns out there are no special IAM policies needed, since you'd point to this lambda from Cognito's AWS Console.

  1. Leave the default IAM Policy (the basic one will include log permissions)
  2. Go to User Pools > your pool name > Triggers. Under "Custom Message", select your lambda.

That's it!

Note on the lambda above: If you want to test it, make sure you include the request and userAttributes keys in the test event:

{
  "request": {
    "userAttributes": {
      "email": "hello@test.com"
    }
  },
  "response": {}
}
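As an added example (not the question's or the linked guide's code), the same Custom Message trigger written as an async handler with an exact-domain check, so it can be run locally against the test event above; approveddomain.com is the question's placeholder domain and the codeParameter value in the local run is a constructed sample.

```javascript
// Added example: Cognito Custom Message trigger, async handler form.
// "approveddomain.com" is the placeholder domain from the question.
const approvedDomain = "approveddomain.com";

// True only when the address is exactly "<local-part>@<approvedDomain>".
// A substring match (String.includes) would also accept
// "user@approveddomain.com.example", which is why the domain is compared whole.
function isApprovedEmail(email) {
  if (typeof email !== "string") return false;
  const at = email.lastIndexOf("@");
  if (at < 0) return false;
  return email.slice(at + 1).toLowerCase() === approvedDomain;
}

// Cognito invokes this with the event shape shown in the test event above.
// Returning the event lets Cognito send the message; throwing fails the sign-up.
async function handler(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!isApprovedEmail(attrs.email)) {
    throw new Error("EMAIL_DOMAIN_ERR");
  }
  event.response.emailSubject = "Signup Verification Code";
  event.response.emailMessage =
    "Thank you for signing up. " + event.request.codeParameter +
    " is your verification code.";
  return event;
}

if (typeof exports !== "undefined") exports.handler = handler;

// Local run with a constructed test event (same shape as the one in the answer).
if (typeof require !== "undefined" && require.main === module) {
  const testEvent = {
    request: { userAttributes: { email: "hello@approveddomain.com" }, codeParameter: "123456" },
    response: {}
  };
  handler(testEvent).then(
    (e) => console.log("accepted:", e.response.emailSubject),
    (err) => console.log("rejected:", err.message)
  );
}
```

Change the email in testEvent to hello@test.com, as in the answer's test event, to see the rejection path.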
