CCCC

Reputation: 6471

aws lambda - user is not authorized to perform: cognito-idp:ListUsers on resource

I have encountered the below error when trying to get all users in my user pool during testing in Lambda.

"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",

My code in lambda:

var AWS = require('aws-sdk');

exports.handler = () => {
    var params = {
        UserPoolId: 'us-west-2_abcdefg',
    };

    return new Promise((resolve, reject) => {
        // These hard-coded keys override the function's execution role, so the
        // request is signed as the IAM user named in the error rather than as
        // the Lambda role.
        AWS.config.update({ region: 'us-west-2', 'accessKeyId': 'accesskey', 'secretAccessKey': 'secretkey' });
        var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
        cognitoidentityserviceprovider.listUsers(params, (err, data) => {
            if (err) {
                console.log(err);
                reject(err);
            }
            else {
                console.log("data", data);
                resolve(data);
            }
        });
    });
};

I tried to add an inline policy in IAM but still got the same error: [screenshot of the inline policy]

Update: Lambda IAM Role [screenshot of the Lambda IAM role]

Upvotes: 2

Views: 2573

Answers (2)

Parsifal

Reputation: 4516

You have assigned a permission from Cognito Identity, while the permission that you need is from Cognito User Pools.

In my opinion, the best way to update a policy via the Console is using the JSON view. That lets you create a statement that contains the exact action shown in the error message, without guessing at the service.

You should also be familiar with the Actions, Conditions, and Resource Keys page for IAM. It details the actions available for each service, and starts by telling you the service name. If you're confused about which service, you can check the ones that you think apply, until you find the correct one (in this case, "cognito-idp").

Upvotes: 1

LuckyMario

Reputation: 61

Check your JSON (second tab) and add the following above "lambdaexecutionpolicy":

"lambalistuserspolicy": {
      "DependsOn": [
        "LambdaExecutionRole"
      ],
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda-list-users-policy",
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "cognito-idp:ListUsers"
              ],
              "Resource": {
                "Fn::Sub": [
                  "arn:aws:cognito-idp:${region}:${account}:*",
                  {
                    "region": {
                      "Ref": "AWS::Region"
                    },
                    "account": {
                      "Ref": "AWS::AccountId"
                    },
                    "lambda": {
                      "Ref": "LambdaFunction"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },

Upvotes: 1
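Both answers come down to the same two checks: the action in the error belongs to the cognito-idp service (user pools), not cognito-identity, and the policy you attach has to name that exact action and resource. The following is an added example, not code from the question or either answer: it parses the AccessDeniedException text, reports which kind of principal signed the request (an IAM user, as in the question, versus the Lambda execution role), derives a least-privilege statement, and evaluates whether a candidate policy document grants the denied action. The error string, account id, user name and pool id are constructed placeholders copied from the question, and the matcher is a simplified model of IAM evaluation (conditions, SCPs, permission boundaries and resource policies are ignored).

```javascript
// Added example, not code from the question or either answer. It turns the
// AccessDeniedException text into a least-privilege IAM statement, checks
// which service prefix the action belongs to, and evaluates whether a
// candidate policy document grants that action. Real IAM evaluation also
// involves conditions, SCPs, permission boundaries and resource policies,
// which this simplified matcher ignores.

// Constructed copy of the error from the question; account id, user name and
// pool id are placeholders.
const SAMPLE_ERROR =
  "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: " +
  "cognito-idp:ListUsers on resource: " +
  "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg";

// "User: <principal> is not authorized to perform: <action> on resource: <arn>"
function parseAccessDenied(message) {
  const m = /^User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  if (!m) throw new Error("not an AccessDenied message: " + message);
  return { principal: m[1], action: m[2], resource: m[3] };
}

// Whose credentials signed the request. A Lambda running under its execution
// role shows up as arn:aws:sts::<account>:assumed-role/<role>/<function>; an
// arn:aws:iam::<account>:user/... principal means static user keys were used
// (as with the hard-coded keys in the question), so a policy attached to the
// Lambda role cannot fix the error.
function principalKind(arn) {
  if (/^arn:aws:iam::\d+:user\//.test(arn)) return "iam-user";
  if (/^arn:aws:sts::\d+:assumed-role\//.test(arn)) return "assumed-role";
  return "other";
}

// The service prefix is the part before the colon: "cognito-idp" (user
// pools), not "cognito-identity" (identity pools) or "cognito-sync".
function servicePrefix(action) {
  return action.split(":")[0];
}

// Minimal statement: exactly the action and resource from the error, not a
// service-wide wildcard.
function buildPolicy(action, resource) {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: [action], Resource: [resource] }],
  };
}

// IAM-style "*" wildcard match. Action names are case-insensitive; ARNs are
// compared exactly.
function matchPattern(pattern, value, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", caseInsensitive ? "i" : "").test(value);
}

// Any matching Deny wins; otherwise any matching Allow grants.
function policyAllows(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action || []);
    const resources = [].concat(st.Resource || []);
    const hit =
      actions.some((a) => matchPattern(a, action, true)) &&
      resources.some((r) => matchPattern(r, resource, false));
    if (!hit) continue;
    if (st.Effect === "Deny") return false;
    if (st.Effect === "Allow") allowed = true;
  }
  return allowed;
}

const denied = parseAccessDenied(SAMPLE_ERROR);
// Constructed stand-in for the mistake in the question: a grant on Cognito
// Identity (identity pools) rather than Cognito User Pools.
const WRONG_POLICY = buildPolicy("cognito-identity:*", "*");
const FIXED_POLICY = buildPolicy(denied.action, denied.resource);

console.log("principal:", principalKind(denied.principal)); // iam-user
console.log("service:", servicePrefix(denied.action)); // cognito-idp
console.log("wrong policy allows?", policyAllows(WRONG_POLICY, denied.action, denied.resource)); // false
console.log("fixed policy allows?", policyAllows(FIXED_POLICY, denied.action, denied.resource)); // true
console.log(JSON.stringify(FIXED_POLICY, null, 2));
```

Run it with `node` and paste the printed statement into the JSON view of the IAM policy editor. If `principalKind` reports `iam-user`, the request was not made with the execution role at all, so fix the credential source first; attaching `cognito-idp:ListUsers` to the Lambda role only takes effect once the SDK is left to pick up the role's credentials.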
