Reputation: 411
Authenticate as admin to Cognito using Lambda IAM Role
I am trying to use the SDK to perform admin actions on my Cognito user pool from my Lambda function, but I cannot work out how to authenticate as admin correctly. Ideally, I'd like to just the execution role that my function is already using but I have not managed to make that work yet and am not sure if it is even possible. If it is possible, what do I need to do to make it work? If it is not possible what is the correct way of achieving this? Do I have to create an admin user in the user pool and then authenticate using a username and password?
Edit: I have implemented Matt's advice with the below code but I am just getting an empty object back from Cognito (literally just {} is appearing in the logs) and I am not sure why. From reading the documentation I should be getting either data or err. The update is taking place so I know that it's working, I was just expecting to get a confirmation back, does anyone know if I should be getting something back?
let cogUser;
const params = {
UserAttributes: [{
Name: "email",
Value: args.input.email
}],
UserPoolId: context.userpool_id,
Username: context.user
};
log.debug('Cog user params: ', params);
try {
cogUser = await context.conns.cognito.adminUpdateUserAttributes(params).promise();
} catch(err) {
log.error('Coguser threw error: ', err);
}
log.debug('Coguser return: ', cogUser);
Edit 2: Attempted using callback instead of promises.
context.conns.cognito.adminUpdateUserAttributes(params, function(err, data) {
if (err) {
console.log(err)
} else {
cogUser = data;
}
});
Upvotes: 1
Views: 1855
Answers (1)
Reputation: 5319
If you want to use the IAM role already tied to the Lambda function, you can just edit the role in the AWS Console and add the proper policies on the role (depending on what you're trying to accomplish).
For example, you could just add the pre-configured "AmazonCognitoPowerUser" policy to the role (see below):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:*",
"cognito-idp:*",
"cognito-sync:*",
"iam:ListRoles",
"iam:ListOpenIdConnectProviders",
"sns:ListPlatformApplications"
],
"Resource": "*"
}
]
}
Or better, add the specific policy rules needed on the specific resources that your lambda function needs as a new policy instead.
Once you do this, you can call the Cognito Admin APIs directly (see example below):
exports.handler = (event, context, callback) => {
var AWS = require('aws-sdk');
var CognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider({apiVersion: '2016-04-18'});
var params = {
UserAttributes: [{
Name: `custom:${event.attribute}`,
Value: event.value
}],
UserPoolId: 'us-east-1_example',
Username: event.username
}
CognitoIdentityServiceProvider.adminUpdateUserAttributes(params, function(err, data) {
if (err) { console.log(err) }
context.done(null, data);
});
};
Upvotes: 1
Related Questions
- Lambda is not authorized to perform: cognito-idp:AdminInitiateAuth
- Login with adminInitiateAuth using email and password in AWS Cognito
- Cognito - adminRespondToAuthChallenge returns Invalid session for the user
- Setting up Lambda IAM Policy to access Cognito
- Cognito authorizing a user through AWS lambda function
- Manual Authentication with Amazon Cognito
- AWS Lambda Authorizer
- AWS Cognito adminCreateUser from Lambda
- How to do Cognito authentication in lambda function?
- AWS Lambda can't call Cognito Identity - IAM Role