When I try to login using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger

amazon-cognito aws-cognito
Ryan Shillington picture Ryan Shillington · Feb 25, 2017 · Viewed 10k times · Source

I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.

Here is the code I'm calling:

      var params = {
        AuthFlow: "ADMIN_NO_SRP_AUTH",
        ClientId: "@cognito_client_id@",
        UserPoolId: "@cognito_pool_id@",
        AuthParameters: {
          USERNAME : username,
          PASSWORD : tempPassword
        },
      };
      cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) {
        if (error) {
          console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack);
        } else {
          console.log("Login sent back: " + JSON.stringify(data));
        }
      });

The error message I'm getting is:

ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.

Does anybody know why I might be getting this error?

Answer

Ryan Shillington picture Ryan Shillington · Feb 25, 2017

This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.

To fix this in your CloudFormation / serverless.yml file:

resources:
  Resources:
    OnCognitoSignupPermission:
      Type: 'AWS::Lambda::Permission'
      Properties:
        Action: "lambda:InvokeFunction"
        FunctionName:
          Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
        Principal: "cognito-idp.amazonaws.com"
        SourceArn:
          Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]

To fix this in the AWS console:

  • Go to the Cognito Console
  • Choose your user pool
  • Go to "Triggers"
  • Remove your custom trigger (set it to None) and click "Save"
  • Now reset it back and click "Save" again

Here's an interesting Amazon forum post that led me down the right track.

Related questions

How to modify expiry time of the access and identity tokens for AWS Cognito User Pools

I can't find any documentation which explains if and how to modify the expiry time of access and identity tokens for AWS Cognito User Pools. The documentation specifies that by default expires 1h after the emission. Is there a way …

Read More
How to generate access token for an AWS Cognito user?

I' using Cognito user pool for securing my API gateway . Now I would like to make requests to my API using postman but I need to pass in Authorization token as the API is secured. Is there any AWS CLI …

Read More
Cognito hosted UI

I have been looking into setting up a login for a web app that lets clients view data hosted in S3 and found that AWS Cognito has a hosted web UI [link] that handles most of the authentication flow for …

Read More