I am working with the Serverless Framework in my approach to Authentication. My goal is to create an API endpoint that triggers (via AWS API Gateway) a Lambda Function that creates a new AWS Cognito user. The endpoint will have a custom authorizer to protect it.
My Lambda function is below. When it's run, I receive the error "NotAuthorizedException: SignUp is not permitted for this user pool". Any thought on how to authorize my Lambda function to create a new user?
'use strict';
var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
var CognitoUserPool = AmazonCognitoIdentity.CognitoUserPool;
var CognitoUserAttribute = AmazonCognitoIdentity.CognitoUserAttribute;

module.exports.init = (event, context, callback) => {
    console.log('Lambda initiated with event:', event);

    // Define AWS Cognito User Pool
    var poolData = {
        "UserPoolId": process.env['COGNITO_USER_POOL_ID'],
        "ClientId": process.env['COGNITO_APP_CLIENT_ID']
    };
    var userPool = new CognitoUserPool(poolData);
    console.log('userPool:', userPool);

    // Define User Attributes
    var attributeList = [];
    var dataEmail = {
        "Name": "email",
        "Value": "[email protected]"
    };
    var attributeEmail = new CognitoUserAttribute(dataEmail);
    attributeList.push(attributeEmail);
    console.log('attributeList:', attributeList);

    // Create User via AWS Cognito
    userPool.signUp('username', 'password', attributeList, null, function(err, result) {
        if (err) {
            console.log('err:', err);
            callback(err, null);
        } else {
            console.log('result:', result);
            // Declared with var: in strict mode an undeclared assignment throws a ReferenceError
            var cognitoUser = result.user;
            console.log('user name is ' + cognitoUser.getUsername());
            callback(null, result);
        }
    });
};
Access your IAM Management console and select Roles from the left menu. Click Create role and select the AWS Service Lambda role. Once both are highlighted, click Next: Permissions. Name your role whatever you want, as long as it's recognizable to you, and click Create role.
A Lambda integration maps a path and HTTP method combination to a Lambda function. You can configure API Gateway to pass the body of the HTTP request as-is (custom integration), or to encapsulate the request body in a document that includes all of the request information including headers, resource, path, and method.
If you set up the API without using the API Gateway console, such as when importing an API from an OpenAPI file, you must explicitly create, if necessary, and set up an invocation role and policy for API Gateway to invoke the Lambda functions.
To create an IAM role for Lambda: Sign in to the AWS Management Console. From the Services menu, open the IAM console. In the Navigation pane, choose Roles, and then choose Create role. For Select type of trusted entity, choose AWS service, and then choose Lambda for the service that will use this role.
"NotAuthorizedException: SignUp is not permitted for this user pool" exception is thrown when the user pool only allows administrators to create the users via the AdminCreateUser API. With this setting enabled, SignUp API cannot be called and will throw this error.
If you are calling this from a lambda trigger you can use AdminCreateUser API or disable this setting so your user pool allows SignUp API calls.
As Chean Mehta pointed out, you can disable the AdminCreateUser setting for the SignUp API to work; for that you have to set AllowAdminCreateUserOnly to false in your serverless Cognito configuration, or you can disable this by following these steps: