
aws lambda - user is not authorized to perform: cognito-idp:ListUsers on resource

I encountered the error below when trying to get all users in my user pool while testing in Lambda.

"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",

My code in lambda:

var AWS = require('aws-sdk');

exports.handler = () => {
    var params = {
        UserPoolId: 'us-west-2_abcdefg',
    };

    return new Promise((resolve, reject) => {
        // Static keys passed here override the Lambda execution role's
        // credentials, so the request is signed as that IAM user (the
        // principal named in the error), not as the function's role.
        AWS.config.update({ region: 'us-west-2', accessKeyId: 'accesskey', secretAccessKey: 'secretkey' });
        var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
        // ListUsers is a Cognito User Pools action (service prefix "cognito-idp").
        cognitoidentityserviceprovider.listUsers(params, (err, data) => {
            if (err) {
                console.log(err);
                reject(err);
            } else {
                console.log("data", data);
                resolve(data);
            }
        });
    });
};

I tried to add an inline policy in IAM but still get the same error: (screenshot)

Update: Lambda IAM Role (screenshot)

Check your JSON (second tab) and add the following above "lambdaexecutionpolicy":

"lambalistuserspolicy": {
      "DependsOn": [
        "LambdaExecutionRole"
      ],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-list-users-policy",
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cognito-idp:ListUsers"
              ],
              "Resource": {
                "Fn::Sub": [
                  "arn:aws:cognito-idp:${region}:${account}:*",
                  {
                    "region": {
                      "Ref": "AWS::Region"
                    },
                    "account": {
                      "Ref": "AWS::AccountId"
                    },
                    "lambda": {
                      "Ref": "LambdaFunction"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },

You have assigned a permission from Cognito Identity, while the permission that you need is from Cognito User Pools.

In my opinion, the best way to update a policy via the Console is using the JSON view. That lets you create a statement that contains the exact action shown in the error message, without guessing at the service.

You should also be familiar with the Actions, Conditions, and Resource Keys page for IAM. It details the actions available for each service, and starts by telling you the service name. If you're confused about which service, you can check the ones that you think apply, until you find the correct one (in this case, "cognito-idp").
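Both answers come down to reading the denial message literally: the action prefix names the service (cognito-idp, i.e. Cognito User Pools, not cognito-identity), and the principal ARN names the identity that actually signed the request. The following is an added example, not code from the question or either answer: it parses a constructed copy of the error message from the question, classifies the principal (an IAM user here, which is why attaching a policy to the Lambda role changes nothing while static keys are passed to AWS.config.update), and checks candidate Allow statements against the denied action and resource offline with IAM-style wildcard matching. The two candidate statements are assumptions: a Cognito Identity permission standing in for the question's screenshot, and the cognito-idp statement with the resource the first answer's Fn::Sub resolves to in us-west-2 for account 123456789. It handles only single Allow statements, not Deny or Condition evaluation.

```javascript
// Added example (not from the original question or answers). Runs offline:
// no AWS SDK or credentials are needed.

// Constructed sample: the AccessDeniedException message from the question.
const SAMPLE_ERROR =
  "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: " +
  "cognito-idp:ListUsers on resource: " +
  "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg";

// Pull principal, action and resource out of the standard IAM denial message.
function parseAccessDenied(message) {
  const m = /^User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  if (!m) throw new Error("not a recognised AccessDenied message: " + message);
  return { principal: m[1], action: m[2], resource: m[3] };
}

// The principal ARN shows which identity the SDK signed with. A Lambda using its
// execution role appears as "...:assumed-role/<role>/<function>"; an
// "iam::...:user/..." principal means static access keys were used, so a policy
// attached to the Lambda role is never consulted for that call.
function principalType(arn) {
  const resourcePart = arn.split(":")[5] || "";
  if (resourcePart.startsWith("user/")) return "user";
  if (resourcePart.startsWith("assumed-role/")) return "assumed-role";
  if (resourcePart.startsWith("role/")) return "role";
  return "unknown";
}

// Least-privilege statement: exactly the denied action on exactly the denied resource.
function minimalStatement(denied) {
  return { Effect: "Allow", Action: [denied.action], Resource: [denied.resource] };
}

// IAM-style wildcard matching: "*" matches any run of characters, "?" exactly one.
const escapeRe = (s) => s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
function iamMatch(pattern, value) {
  const body = pattern
    .split("*")
    .map((seg) => seg.split("?").map(escapeRe).join("."))
    .join(".*");
  return new RegExp("^" + body + "$").test(value);
}

// Offline check of one Allow statement (no Deny, NotAction or Condition handling).
function statementAllows(stmt, action, resource) {
  if (stmt.Effect !== "Allow") return false;
  const actions = [].concat(stmt.Action);
  const resources = [].concat(stmt.Resource);
  return actions.some((a) => iamMatch(a, action)) && resources.some((r) => iamMatch(r, resource));
}

// Assumed candidates: a Cognito *Identity* (federated identities) permission, standing
// in for the question's screenshot, and the Cognito *User Pools* statement from the
// first answer with its Fn::Sub resolved for us-west-2 / account 123456789.
const COGNITO_IDENTITY_STMT = { Effect: "Allow", Action: ["cognito-identity:*"], Resource: "*" };
const USER_POOL_STMT = {
  Effect: "Allow",
  Action: ["cognito-idp:ListUsers"],
  Resource: "arn:aws:cognito-idp:us-west-2:123456789:*",
};

function diagnose(message) {
  const denied = parseAccessDenied(message);
  return {
    principalType: principalType(denied.principal),
    identityPolicyAllows: statementAllows(COGNITO_IDENTITY_STMT, denied.action, denied.resource),
    userPoolPolicyAllows: statementAllows(USER_POOL_STMT, denied.action, denied.resource),
    minimalStatement: minimalStatement(denied),
  };
}

console.log(JSON.stringify(diagnose(SAMPLE_ERROR), null, 2));
```

The minimalStatement output is the one to paste into the JSON view the second answer recommends; it is narrower than the `...:*` resource in the first answer because it names the single user pool, which is the check to make before widening a resource to a wildcard.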

The technical posts on this site are licensed under CC BY-SA 4.0. If you need to reprint, please credit the site URL or the original address. For any question, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM