
When I try to login using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger

I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.

Here is the code I'm calling:

      // AWS SDK for JavaScript v2 client for the Cognito user pools API
      var AWS = require("aws-sdk");
      var cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

      var params = {
        AuthFlow: "ADMIN_NO_SRP_AUTH",
        ClientId: "@cognito_client_id@",
        UserPoolId: "@cognito_pool_id@",
        AuthParameters: {
          USERNAME : username,
          PASSWORD : tempPassword
        },
      };
      // Server-side (admin) login; any Lambda trigger configured on the pool runs inside this call
      cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) {
        if (error) {
          console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack);
        } else {
          console.log("Login sent back: " + JSON.stringify(data));
        }
      });

The error message I'm getting is:

ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.

Does anybody know why I might be getting this error?

Ryan Shillington asked Feb 25 '17 19:02

2 Answers

I had a problem similar to yours except I was trying to configure the Lambda with my Cognito User Pool through CloudFormation.

In the link that Ryan had posted, there was a code sample someone posted. Namely, Cognito needed the proper permissions to invoke the Lambda function.

MyLambdaInvocationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !GetAtt MyLambdaFunctionName.Arn
    Principal: cognito-idp.amazonaws.com
    SourceArn: !GetAtt MyCognitoUserPoolName.Arn
shanewwarren answered Oct 16 '22 12:10

This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.


To fix this in your CloudFormation / serverless.yml file:

resources:
  Resources:
    OnCognitoSignupPermission:
      Type: 'AWS::Lambda::Permission'
      Properties:
        Action: "lambda:InvokeFunction"
        FunctionName:
          Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
        Principal: "cognito-idp.amazonaws.com"
        SourceArn:
          Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]

To fix this in the AWS console:

  • Go to the Cognito Console
  • Choose your user pool
  • Go to "Triggers"
  • Remove your custom trigger (set it to None) and click "Save"
  • Now reset it back and click "Save" again

Here's an interesting Amazon forum post that led me down the right track.

Ryan Shillington answered Oct 16 '22 11:10

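Both answers boil down to the same missing resource-policy grant on the Lambda. The following is an added example, not code from the question or either answer: it parses the policy document that Lambda's GetPolicy returns and reports whether cognito-idp.amazonaws.com may invoke the function for a given user pool, and whether that grant is scoped by SourceArn rather than open to any pool. The aws-sdk v2 client, the function name and the pool ARN are assumptions.

```javascript
// Added check (not from the question or answers): does a Lambda resource
// policy hold the grant AWS::Lambda::Permission creates for Cognito? Names are made up.
// IAM ArnLike: '*' and '?' are wildcards, everything else literal.
function arnLike(pattern, arn) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(arn);
}
// IAM fields may be a single value or an array; normalise to arrays.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// policyJson: the Policy string returned by Lambda GetPolicy.
// allowed = Cognito may invoke the function for this pool;
// scoped = the grant carries a SourceArn condition (false: any pool in any account could invoke).
function cognitoInvokeGrant(policyJson, userPoolArn) {
  const doc = JSON.parse(policyJson);
  for (const st of asList(doc.Statement)) {
    if (st.Effect !== "Allow" || !asList(st.Action).includes("lambda:InvokeFunction")) continue;
    if (!asList((st.Principal || {}).Service).includes("cognito-idp.amazonaws.com")) continue;
    const patterns = [];
    for (const op of ["ArnLike", "ArnEquals", "StringLike", "StringEquals"]) {
      for (const [key, val] of Object.entries((st.Condition || {})[op] || {})) {
        if (key.toLowerCase() === "aws:sourcearn") patterns.push(...asList(val));
      }
    }
    const sid = st.Sid || null;
    if (patterns.length === 0) return { allowed: true, scoped: false, sid };
    if (patterns.some((p) => arnLike(p, userPoolArn))) return { allowed: true, scoped: true, sid };
  }
  return { allowed: false, scoped: false, sid: null };
}

// Live check with an injected aws-sdk v2 client (new AWS.Lambda()); a function with
// no resource policy at all makes GetPolicy fail with ResourceNotFoundException.
async function checkTriggerPermission(lambdaClient, functionName, userPoolArn) {
  try {
    const out = await lambdaClient.getPolicy({ FunctionName: functionName }).promise();
    return cognitoInvokeGrant(out.Policy, userPoolArn);
  } catch (e) {
    if (e.code === "ResourceNotFoundException") return { allowed: false, scoped: false, sid: null };
    throw e;
  }
}

// Constructed sample, shaped like the policy the CloudFormation snippet above produces.
const SAMPLE_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE";
const SAMPLE_POLICY = JSON.stringify({ Version: "2012-10-17", Statement: [{
  Sid: "OnCognitoSignupPermission", Effect: "Allow", Action: "lambda:InvokeFunction",
  Principal: { Service: "cognito-idp.amazonaws.com" },
  Resource: "arn:aws:lambda:us-east-1:123456789012:function:users-onCognitoSignup",
  Condition: { ArnLike: { "AWS:SourceArn": SAMPLE_POOL_ARN } } }] });
```

Run it against the real function with `checkTriggerPermission(new AWS.Lambda(), "<function name>", "<pool ARN>")`; an `allowed: false` result is the condition that surfaces as the AccessDeniedException in the question.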