I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.
Here is the code I'm calling:
var params = {
AuthFlow: "ADMIN_NO_SRP_AUTH",
ClientId: "@cognito_client_id@",
UserPoolId: "@cognito_pool_id@",
AuthParameters: {
USERNAME : username,
PASSWORD : tempPassword
},
};
cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) {
if (error) {
console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack);
} else {
console.log("Login sent back: " + JSON.stringify(data));
}
});
The error message I'm getting is:
ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.
Does anybody know why I might be getting this error?
This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.
To fix this in your CloudFormation / serverless.yml file:
resources:
Resources:
OnCognitoSignupPermission:
Type: 'AWS::Lambda::Permission'
Properties:
Action: "lambda:InvokeFunction"
FunctionName:
Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
Principal: "cognito-idp.amazonaws.com"
SourceArn:
Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]
To fix this in the AWS console:
Here's an interesting Amazon forum post that led me down the right track.