Reputation: 1858
I've got a bit of JavaScript which runs on my local machine but doesn't work from within the Lambda.
It times out when calling cognitoidentity.getOpenIdTokenForDeveloperIdentity:
{
  "errorMessage": "2016-03-17T16:50:25.181Z 4fa3fa5a-ec60-11e5-8316-415fa39313da Task timed out after 15.00 seconds"
}
On local it works fine (calling into AWS production services) so it must be the policy I have attached to the Lambda.
Here are the policies I have:
AmazonCognitoDeveloperAuthenticatedIdentities
AWSLambdaVPCAccessExecutionRole
And this is the custom one I also have:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:eu-west-1:myaccountid:function:users_login"
      ]
    }
  ]
}
The Lambda ARN was copied directly from that Lambda screen. Any ideas of what's missing?
Upvotes: 11
Views: 6889
Reputation: 200446
> it must be the policy I have attached
No, if that were the case you would be getting a permission denied error, not a timeout.
It looks like your Lambda function has VPC access. You need to configure a NAT gateway for your VPC in order for the Lambda function to have access to anything outside the VPC, including AWS services like Cognito.
Upvotes: 21
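The answer's diagnosis can be checked against the VPC's route tables. The following is an added example, not code from either poster: it classifies the default route each of a Lambda's subnets would use, taking input shaped like the EC2 DescribeRouteTables response. The function names and all subnet, route table and gateway IDs are constructed for illustration.

```javascript
'use strict';
// Added example. Field names follow the EC2 DescribeRouteTables response;
// every ID in the sample data is a constructed placeholder.

// An explicit subnet association wins; otherwise the VPC main route table applies.
function routeTableFor(subnetId, routeTables) {
  const explicit = routeTables.find(rt =>
    (rt.Associations || []).some(a => a.SubnetId === subnetId));
  return explicit || routeTables.find(rt =>
    (rt.Associations || []).some(a => a.Main)) || null;
}

// Classify the 0.0.0.0/0 route seen by a Lambda network interface in this subnet.
function classifySubnet(subnetId, routeTables) {
  const rt = routeTableFor(subnetId, routeTables);
  const def = rt && (rt.Routes || []).find(r => r.DestinationCidrBlock === '0.0.0.0/0');
  if (!def) return 'no-default-route';               // calls to AWS endpoints hang until timeout
  if (def.State === 'blackhole') return 'blackhole'; // route target no longer exists
  if (def.NatGatewayId) return 'nat';                // outbound path the answer asks for
  // Lambda's VPC interfaces get no public IP, so an internet gateway route
  // alone still gives the function no outbound path.
  if ((def.GatewayId || '').startsWith('igw-')) return 'igw-only';
  return 'other';
}

// Map each subnet from the function's VPC configuration to its classification.
function checkLambdaEgress(subnetIds, routeTables) {
  const result = {};
  for (const id of subnetIds) result[id] = classifySubnet(id, routeTables);
  return result;
}

// Constructed sample: one main table with only the local route, one public, one private.
const sampleRouteTables = [
  { RouteTableId: 'rtb-main', Associations: [{ Main: true }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' }] },
  { RouteTableId: 'rtb-public', Associations: [{ Main: false, SubnetId: 'subnet-public' }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' },
             { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0example', State: 'active' }] },
  { RouteTableId: 'rtb-private', Associations: [{ Main: false, SubnetId: 'subnet-private' }],
    Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' },
             { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-0example', State: 'active' }] },
];
const sampleSubnets = ['subnet-isolated', 'subnet-public', 'subnet-private'];

console.log(checkLambdaEgress(sampleSubnets, sampleRouteTables));
```

Only a subnet classified as `nat` gives the function a route to services outside the VPC; the other results match the timeout symptom in the question.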