
AWS Cognito Change user status to disable

I want to change user status using code.

I tried lots of code but nothing worked for me. Can anyone provide a full working example of this? Sometimes I am getting this error: CognitoIdentityCredentials is not authorized to perform: cognito-idp:AdminDisableUser on resource

AWS.config.update({
    region: 'us-west-2',
    credentials: new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-west-2:6afd2a7c-b3cd-472f-bead-fdbde8a84a26',
    })
});

// Create the client after AWS.config.update: service objects created earlier
// do not pick up later changes to the global configuration.
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

var params = {
    UserPoolId: 'us-west-2_Klsadmic5', /* required */
    Username: 'alphagate6' /* required */
};
cognitoidentityserviceprovider.adminDisableUser(params, function(err, data) {
    if (err) console.log(err, err.stack); // an error occurred
    else     console.log(data);           // successful response
});
Navneet Garg asked Nov 27 '22 01:11


2 Answers

The params and the invocation seem to be OK. The error means that the role of your lambda function (I assume that this code snippet is from your lambda function) does not have permission to perform adminDisableUser.

You need to find the IAM role of your lambda function and attach a policy that allows this action. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAdminDisableUser",
            "Effect": "Allow",
            "Action": "cognito-idp:AdminDisableUser",
            "Resource": "*"
        }
    ]
}

You may also want to specify certain resources to not allow this action for every user pool.

adrian-mezei answered Dec 06 '22 16:12


I had this feature to enable/disable users in one application, and here is how I implemented it:

  1. Gave lambda necessary permissions to perform enable/disable
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-idp:AdminEnableUser",
                "cognito-idp:AdminDisableUser"
            ],
            "Resource": [
                "arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>",
                "arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>"
            ]
        }
    ]
}
  2. Initializing AWS SDK
const AWS = require("aws-sdk"); // AWS SDK for JavaScript v2

AWS.config.update({
  region: "us-east-1",
});
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
  apiVersion: "2016-04-18",
});
const UserPoolId = "<pool-id>";

  3. Created one method to handle enable/disable
// Resolves with the API response, rejects with the SDK error.
const accountActions = (action, username) => {
  return new Promise((res, rej) => {
    const params = {
      UserPoolId /* required */,
      Username: username /* required */,
    };
    if (action === "disable") {
      cognitoidentityserviceprovider.adminDisableUser(params, function(err, data) {
        if (err) {
          rej(err);
        } else {
          res(data);
        }
      });
    } else if (action === "enable") {
      cognitoidentityserviceprovider.adminEnableUser(params, function(err, data) {
        if (err) {
          rej(err);
        } else {
          res(data);
        }
      });
    } else {
      // Reject unknown actions instead of silently enabling the account.
      rej(new Error("Unknown action: " + action));
    }
  });
};
Krishna Pankhania answered Dec 06 '22 17:12
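
A check for the resource-scoping point raised in both answers, as an added example that is not code from either answer: it flags Allow statements that grant AdminDisableUser or AdminEnableUser on anything other than a single concrete user pool ARN, and goes slightly beyond the policies shown by also matching wildcard action patterns. The function names and the account and pool IDs in the scoped sample are constructed for illustration.

```javascript
// Added example (not from the original answers): lint IAM policies that grant
// the Cognito admin enable/disable actions discussed on this page.
const ADMIN_ACTIONS = ["cognito-idp:AdminDisableUser", "cognito-idp:AdminEnableUser"];
// Concrete user pool ARN: arn:aws:cognito-idp:<region>:<account-id>:userpool/<pool-id>
const POOL_ARN = /^arn:aws[a-z-]*:cognito-idp:[a-z0-9-]+:\d{12}:userpool\/[a-z0-9-]+_[A-Za-z0-9]+$/;

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${source}$`, "i").test(action);
}

// Returns one finding per Allow-statement resource that is not a single concrete pool.
function lintPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    const id = stmt.Sid || `#${index}`;
    if (stmt.NotAction || stmt.NotResource) {
      findings.push({ statement: id, issue: "NotAction/NotResource needs manual review" });
      return;
    }
    const actions = ADMIN_ACTIONS.filter((a) => asList(stmt.Action).some((p) => actionMatches(p, a)));
    if (actions.length === 0) return;
    for (const resource of asList(stmt.Resource)) {
      if (!POOL_ARN.test(resource)) {
        findings.push({ statement: id, issue: "not scoped to one user pool", resource, actions });
      }
    }
  });
  return findings;
}

// Policy from the first answer (Resource "*").
const WILDCARD_POLICY = { Version: "2012-10-17", Statement: [{ Sid: "AllowAdminDisableUser",
  Effect: "Allow", Action: "cognito-idp:AdminDisableUser", Resource: "*" }] };
// Scoped policy in the shape of the second answer; account and pool IDs are constructed.
const SCOPED_POLICY = { Version: "2012-10-17", Statement: [{ Sid: "ScopedEnableDisable",
  Effect: "Allow", Action: ["cognito-idp:AdminEnableUser", "cognito-idp:AdminDisableUser"],
  Resource: ["arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_EXAMPLE123"] }] };

console.log(lintPolicy(WILDCARD_POLICY)); // one finding
console.log(lintPolicy(SCOPED_POLICY));   // no findings
```

A policy that still contains the `<region>`, `<account-id>` or `<user-pool-id>` placeholders is also reported, since it does not name a concrete pool.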