Reputation: 343
I need to get all users from my backend (Node.js). But when I try to authenticate I get:
error AccessDeniedException, User ... assumed-role/Cognito_XXXUnauth_Role/ CognitoIdentityCredentials is not authorized to perform: cognito-idp:AdminInitiateAuth ...
My current code:
const AWS = require('aws-sdk') // added: the snippet needs the SDK import to run
let cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider()
var params = {
  AuthFlow: 'ADMIN_NO_SRP_AUTH',
  ClientId: process.env.AWS_CLIENT_ID,
  UserPoolId: process.env.AWS_USER_POOL_ID,
  AuthParameters: {
    USERNAME: '...', // comma was missing here in the posted snippet
    PASSWORD: '...'
  }
}
cognitoidentityserviceprovider.adminInitiateAuth(params, (err, result) => { ... })
It looks like I didn't log in, since Cognito_XXXUnauth_Role is used. Has anyone had a similar problem?
Upvotes: 1
Views: 2137
Reputation: 6732
In case you are using the Serverless framework, then the following settings should fix the error:
provider:
  # you can add statements to the Lambda function's IAM Role here
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "cognito-idp:AdminInitiateAuth"
      Resource:
        - "arn:aws:cognito-idp:*"
Upvotes: 0
Reputation: 5661
You are trying to use the Cognito Federated Identities credentials provider to create the CognitoIdentityServiceProvider service client. This will make the AWS SDK call the Federated Identities service to obtain temporary AWS credentials, which will then be used to call cognitoidentityserviceprovider.adminInitiateAuth(...).
In this case, there are two possible solutions:
1. Use AWS credentials that are authorized to call the adminInitiateAuth API. Since you are doing this from the backend, it should be safe to do so. This guide can help you with this.
2. Allow cognito-idp:AdminInitiateAuth in the unauthenticated role of the identity pool you are using to do this.
Upvotes: 2
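The following is an added example, not code from the question or either answer. It puts the two answers together on the backend side: the call is made with the server's own IAM credentials from the SDK's default credential chain (never with AWS.CognitoIdentityCredentials, which is what produced the unauthenticated-role principal in the error), the role that backs those credentials gets only cognito-idp:AdminInitiateAuth and only on the one user pool (a tighter Resource than the wildcard in the serverless.yml answer), and the AccessDeniedException text is parsed so the caller can tell that it is still running as the identity pool's unauth role. The error message format, the sample ARN, the account id, the role name and the pool id are constructed for this example; the helper names (diagnoseAccessDenied, buildAdminAuthParams, adminAuthPolicy, adminLogin) are this example's own, not part of the AWS SDK.

```javascript
// Added example: backend AdminInitiateAuth with server credentials,
// a least-privilege policy for the backend role, and a diagnostic for
// the "assumed-role/...Unauth_Role" AccessDeniedException.
'use strict';

// Shape of the message Cognito returns on AccessDenied (assumed format,
// matching the error quoted in the question). Tolerates a stray space
// after the role name, as in the pasted error.
const ACCESS_DENIED_RE =
  /User: (arn:aws:sts::\d{12}:assumed-role\/([^/]+)\/\s*[^ ]+) is not authorized to perform: ([\w-]+:\w+)/;

// Constructed sample error, not a real account, role or pool.
const SAMPLE_ACCESS_DENIED =
  'User: arn:aws:sts::123456789012:assumed-role/Cognito_DemoUnauth_Role/CognitoIdentityCredentials ' +
  'is not authorized to perform: cognito-idp:AdminInitiateAuth ' +
  'on resource: arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_abc123';

// Returns { principalArn, roleName, action, isUnauthIdentityRole } or null
// when the message is not an IAM AccessDenied (e.g. NotAuthorizedException
// for a bad password, which is a Cognito error, not an IAM one).
function diagnoseAccessDenied(message) {
  const m = ACCESS_DENIED_RE.exec(message);
  if (!m) return null;
  const [, principalArn, roleName, action] = m;
  return {
    principalArn,
    roleName,
    action,
    // The identity pool's default unauthenticated role name ends in
    // "Unauth_Role"; seeing it here means the SDK was configured with
    // CognitoIdentityCredentials instead of backend credentials.
    isUnauthIdentityRole: /Unauth_Role$/.test(roleName),
  };
}

// Builds the AdminInitiateAuth request and fails early on missing config
// so no half-formed request leaves the process.
function buildAdminAuthParams({ clientId, userPoolId, username, password }) {
  for (const [name, value] of Object.entries({ clientId, userPoolId, username, password })) {
    if (!value) throw new Error(`missing ${name}`);
  }
  return {
    AuthFlow: 'ADMIN_NO_SRP_AUTH',
    ClientId: clientId,
    UserPoolId: userPoolId,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  };
}

// Least-privilege IAM policy for the backend role: one action, one pool,
// instead of Resource "arn:aws:cognito-idp:*".
function adminAuthPolicy(userPoolArn) {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: ['cognito-idp:AdminInitiateAuth'], Resource: [userPoolArn] },
    ],
  };
}

// Performs the call with whatever the default credential chain provides
// (environment variables, the Lambda/instance role, ~/.aws/credentials).
// Do not assign AWS.CognitoIdentityCredentials to AWS.config.credentials
// before this: that is exactly the unauth role named in the error.
async function adminLogin(username, password, env = process.env) {
  const AWS = require('aws-sdk'); // required lazily; the helpers above run without it
  const idp = new AWS.CognitoIdentityServiceProvider({ region: env.AWS_REGION });
  const params = buildAdminAuthParams({
    clientId: env.AWS_CLIENT_ID,
    userPoolId: env.AWS_USER_POOL_ID,
    username,
    password,
  });
  try {
    const result = await idp.adminInitiateAuth(params).promise();
    return result.AuthenticationResult; // IdToken, AccessToken, RefreshToken
  } catch (err) {
    const diag = diagnoseAccessDenied(err.message || '');
    if (diag && diag.isUnauthIdentityRole) {
      err.message += ' (caller is the identity pool unauth role; use backend IAM credentials)';
    }
    throw err;
  }
}

// Offline demonstration on the constructed error message.
console.log(diagnoseAccessDenied(SAMPLE_ACCESS_DENIED));
console.log(JSON.stringify(adminAuthPolicy(
  'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_abc123'), null, 2));
```

In a Lambda deployed with the serverless.yml from the other answer, the backend role is the function's execution role, so adminLogin needs no explicit credentials at all; swap the wildcard Resource there for the user pool ARN that adminAuthPolicy emits. If diagnoseAccessDenied still reports isUnauthIdentityRole after that, something in the process is still installing CognitoIdentityCredentials on AWS.config.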