AWS Cognito: how to allow users to change email without verification?

I'm new to AWS and I'm looking for a way to allow the users of my Android app to change their emails without going through the verification process (I managed to do it for the subscription).

I tried to follow this and this, and here is what I did.

In my Android app:

import android.util.Log;
import android.view.View;

import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserAttributes;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserCodeDeliveryDetails;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.UpdateAttributesHandler;

import java.util.List;

// Click handler for the "change email" button. CognitoSettings is the app's own
// helper that holds the CognitoUserPool instance.
public void onClickChangeEmail(View view)
{
    CognitoUserAttributes attributes = new CognitoUserAttributes();
    attributes.getAttributes().put("email", "[email protected]"); // the new address
    CognitoSettings
            .getCognitoUserPool(MainActivity.this)
            .getCurrentUser()
            .updateAttributesInBackground(attributes, new UpdateAttributesHandler()
    {
        @Override
        public void onSuccess(List<CognitoUserCodeDeliveryDetails> attributesVerificationList)
        {
            // attributesVerificationList lists the attributes Cognito still expects a code for
            Log.i("tag", "Email updated!");
        }

        @Override
        public void onFailure(Exception e)
        {
            e.printStackTrace();
        }
    });
}

Then, in my AWS console, I added a trigger in Cognito on Custom message, and here is my lambda function, which is triggered every time a user updates his email:

const AWS = require('aws-sdk');
AWS.config.update({region: 'eu-central-1'});

// Custom message trigger: Cognito invokes it for every message it is about to send.
// Only the attribute-update case is handled here; every other trigger source passes through.
exports.handler = (event, context, callback) => {
    if (event.triggerSource === 'CustomMessage_UpdateUserAttribute')
    {
        // Mark the just-changed email as verified so the user is not asked for a code
        const params = {
            UserAttributes: [
              {
                  Name: 'email_verified',
                  Value: 'true',
              },
            ],
            UserPoolId: event.userPoolId,
            Username: event.userName,
        };
        var cognitoIdServiceProvider = new AWS.CognitoIdentityServiceProvider();
        // Requires cognito-idp:AdminUpdateUserAttributes on this pool in the execution role
        cognitoIdServiceProvider.adminUpdateUserAttributes(params, function(err, data) {
            if (err) context.done(err, event); // an error occurred
            else context.done(null, event); // successful response, hand the event back to Cognito
        });
    }
    else
    {
        context.done(null, event);
    }
};

The result is: the email is properly updated (but it works without the lambda), but the lambda crashes, with the following error:

autoValidationUserEmailModification is not authorized to perform: cognito-idp:AdminUpdateUserAttributes

So it looks like an authorization is missing.

My questions are:

  • How can I fix the authorization part?
  • Is that method the right way to disable email verification on updating user email?

Thanks for your help.

matteoh asked Jul 14 '19 08:07


1 Answer

Allow your function to perform AdminUpdateUserAttributes on your Cognito User Pool resource.

Update the Lambda execution role with a block like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cognito-idp:AdminUpdateUserAttributes"
            ],
            "Resource": "arn:aws:cognito-idp:eu-central-1:<your-account-id>:userpool/<your-user-pool-id>",
            "Effect": "Allow"
        }
    ]
}

where Resource is your Cognito User Pool ARN.

hoangdv answered Oct 01 '22 06:10
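The following is an added example, not code from the question or from the answer above. It assumes the same setup as the question (a Node.js Lambda using aws-sdk v2 behind a Custom message trigger); the account ID, pool ID, user name and email address are placeholders and the sample events are constructed, not captured. It does two things: it turns the answer's policy statement into a complete, least-privilege policy document whose ARN is derived and checked from region, account and pool ID, and it factors the question's trigger logic so that the decision (act only on CustomMessage_UpdateUserAttribute, never on sign-up or forgot-password messages) can be run offline against a fake SDK call instead of only in a deployed function. One caveat that neither post states: once the permission is fixed, this function marks email_verified true before the user has proved control of the new address, so any signed-in user can attach an address they do not own, and any flow that trusts that flag (for example recovery codes delivered by email) inherits that. Scoping the role to one pool ARN limits what the role can do, not the consequence of that design choice.

```javascript
'use strict';

// Least-privilege policy for the Lambda execution role: one action, one pool.
// This is the permission the error message on the page reports as missing.
function executionRolePolicy(region, accountId, userPoolId) {
  if (!/^\d{12}$/.test(accountId)) {
    throw new Error('accountId must be the 12-digit AWS account ID');
  }
  // Pool IDs are "<region>_<suffix>"; a mismatch means a wrong region or pool.
  if (!userPoolId.startsWith(region + '_')) {
    throw new Error('userPoolId ' + userPoolId + ' is not in region ' + region);
  }
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['cognito-idp:AdminUpdateUserAttributes'],
      Resource: 'arn:aws:cognito-idp:' + region + ':' + accountId + ':userpool/' + userPoolId,
    }],
  };
}

// Decide, from the trigger event alone, whether to issue the admin update.
// Returns AdminUpdateUserAttributes parameters, or null to leave the event
// untouched (sign-up and forgot-password messages must not be affected).
function emailVerifiedUpdate(event) {
  if (event.triggerSource !== 'CustomMessage_UpdateUserAttribute') return null;
  if (!event.userPoolId || !event.userName) return null;
  return {
    UserPoolId: event.userPoolId,
    Username: event.userName,
    UserAttributes: [{ Name: 'email_verified', Value: 'true' }],
  };
}

// The SDK call is passed in so the handler can run without AWS. In the deployed
// function, pass the real one, with aws-sdk v2:
//   const idp = new AWS.CognitoIdentityServiceProvider();
//   exports.handler = (event) => handler(event, (p) => idp.adminUpdateUserAttributes(p).promise());
async function handler(event, adminUpdateUserAttributes) {
  const params = emailVerifiedUpdate(event);
  if (params !== null) {
    await adminUpdateUserAttributes(params); // rejects on AccessDenied etc.; Lambda then reports the failure
  }
  return event; // a Custom message trigger must hand the event back to Cognito
}

// Test double for the SDK call: records what it was asked to do (not AWS).
function recordingClient() {
  const calls = [];
  const call = async (params) => { calls.push(params); return {}; };
  call.calls = calls;
  return call;
}

// Constructed sample events in the shape of Custom message trigger payloads
// (placeholder IDs and names, not captured from a real pool).
const updateEvent = {
  version: '1',
  region: 'eu-central-1',
  userPoolId: 'eu-central-1_EXAMPLE01',
  userName: 'alice',
  triggerSource: 'CustomMessage_UpdateUserAttribute',
  request: { userAttributes: { email: 'alice@example.com' }, codeParameter: '{####}' },
  response: { smsMessage: null, emailMessage: null, emailSubject: null },
};
const signUpEvent = Object.assign({}, updateEvent, { triggerSource: 'CustomMessage_SignUp' });

// Runs both events through the handler; only the first should reach the SDK.
async function demo() {
  const client = recordingClient();
  await handler(updateEvent, client); // issues exactly one admin update
  await handler(signUpEvent, client); // sign-up verification is left alone
  return client.calls;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((calls) => {
    console.log(JSON.stringify(executionRolePolicy('eu-central-1', '123456789012', updateEvent.userPoolId), null, 2));
    console.log(calls.length + ' admin update(s): ' + JSON.stringify(calls));
  });
}
```

Deploying this still means attaching the returned policy document to the function's execution role (the role named in the error message), which the trigger cannot do for itself.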