Permissions for a AWS Lambda function to list users

Question

I have an AWS Lambda function that needs to be able to run this code:

var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

cognitoidentityserviceprovider.listUsers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
  .... other useful code ....
});

In other words it should be able to listUsers.

When setting the role in IAM for that, what kind of policy do I need?

Answer 1

If you want to list the users in your Cognito User Pool, you need to allow cognito-idp:ListUsers. You can restrict this action to a specific user pool like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cognito-idp:ListUsers",
            "Resource": "arn:aws:cognito-idp:<region>:<account>:userpool/<userpoolid>"
        }
    ]
}

Have a look at Actions, Resources, and Condition Keys for Amazon Cognito User Pools.