Tags: amazon-web-services, aws-lambda, amazon-cognito, aws-sdk-go, amazon-cognito-triggers

Cognito User Pool - Post confirmation trigger, access denied exception


I am creating a Cognito user pool using the Go SDK; I am using the API CreateUserPoolInput.

I have a post confirmation trigger for this Lambda function.

So when the user confirmation happens, this lambda function is expected to trigger.

But I am getting an error - Access denied.

When I login to AWS console and re-configure this lambda function for this trigger, it works.

Reference - https://forums.aws.amazon.com/thread.jspa?messageID=748566

I want to provide the invoke permission using the AWS APIs.

Is there any API or code example which I can refer to, to provide the required access?


Solution

  • I am not familiar with Go, but from an AWS API perspective, what happens when you use the AWS console to add a trigger to a Lambda function is that you effectively add permission for another service to invoke your function. The AWS graphical console calls the underlying API behind the scenes to make it easy to use.

    If you are creating or configuring a Lambda function using the AWS CLI or an SDK, you need to make an explicit call to the add-permission API.

    Here is the doc for the AWS CLI. It is a nice way to practice and discover before you start to write your code: https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html

    Here is the doc for the Go SDK equivalent: https://docs.aws.amazon.com/sdk-for-go/api/service/lambda/#Lambda.AddPermission

    And here are two examples in bash shell (one to authorize API Gateway and one to authorize Amazon S3 to trigger a function, but I am sure you can adapt this easily to your use case):

    #
    # Add permission to authorize API Gateway to invoke Lambda
    #
    aws lambda add-permission \
        --region $REGION \
        --function-name $FUNCTION_NAME \
        --statement-id 1 \
        --principal apigateway.amazonaws.com \
        --action lambda:InvokeFunction \
        --source-arn "arn:aws:execute-api:$REGION:$ACCOUNT_ID:*" >/dev/null

    #
    # Add permission to authorize S3 bucket to invoke Lambda
    #
    # Extract the account id from the execution role ARN (arn:aws:iam::ACCOUNT_ID:role/...)
    AWS_ACCOUNT_ID=$(echo $ROLE_EXEC_ARN | sed 's/^arn:aws:iam::\(.*\):.*$/\1/')
    aws lambda add-permission \
        --function-name $FUNCTION_NAME \
        --region $REGION \
        --profile $PROFILE \
        --statement-id Id-x \
        --action "lambda:InvokeFunction" \
        --principal s3.amazonaws.com \
        --source-arn arn:aws:s3:::$BUCKETNAME \
        --source-account $AWS_ACCOUNT_ID
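Adapted to the Cognito case in the question, here is an added example (not part of the original answer) that grants `cognito-idp.amazonaws.com` permission to invoke the post-confirmation function, scoped to one user pool ARN and its owning account rather than to all of Cognito, and then reads the function's resource policy back so the new statement can be checked. The function name, user pool ARN and `RUN_EXAMPLE`/`AWS_CMD` variables are constructed placeholders; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original answer. Grants Cognito permission to invoke
# a post-confirmation Lambda, restricted to one user pool, then shows the policy.
# AWS_CMD (a constructed knob) lets the commands be inspected without calling AWS,
# e.g. AWS_CMD=echo; it defaults to the real CLI.
AWS_CMD="${AWS_CMD:-aws}"

# Split a user pool ARN (arn:PARTITION:cognito-idp:REGION:ACCOUNT:userpool/POOL_ID)
# into "REGION ACCOUNT". Fails on anything that is not a user pool ARN, so a typo
# cannot silently produce an over-broad permission.
parse_user_pool_arn() {
    arn="$1"
    case "$arn" in
        arn:*:cognito-idp:*:*:userpool/*) ;;
        *) echo "not a Cognito user pool ARN: $arn" >&2; return 1 ;;
    esac
    rest="${arn#arn:*:cognito-idp:}"   # REGION:ACCOUNT:userpool/POOL_ID
    region="${rest%%:*}"
    rest="${rest#*:}"                   # ACCOUNT:userpool/POOL_ID
    account="${rest%%:*}"
    echo "$region $account"
}

# Add a resource-based policy statement on the function allowing cognito-idp to
# invoke it, limited by --source-arn to the given pool and by --source-account to
# the account that owns it (same shape as the S3 example above).
grant_cognito_invoke() {
    function_name="$1"
    pool_arn="$2"
    statement_id="${3:-cognito-post-confirmation}"
    parsed=$(parse_user_pool_arn "$pool_arn") || return 1
    region="${parsed%% *}"
    account="${parsed#* }"
    "$AWS_CMD" lambda add-permission \
        --region "$region" \
        --function-name "$function_name" \
        --statement-id "$statement_id" \
        --action lambda:InvokeFunction \
        --principal cognito-idp.amazonaws.com \
        --source-arn "$pool_arn" \
        --source-account "$account"
}

# Print the function's resource policy so the new statement can be reviewed.
show_policy() {
    "$AWS_CMD" lambda get-policy --region "$1" --function-name "$2" \
        --query Policy --output text
}

# Usage with placeholder values; only runs when RUN_EXAMPLE=1 so that the file can
# be sourced (or tested with AWS_CMD=echo) without touching a real account.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    POOL_ARN="arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
    grant_cognito_invoke "post-confirmation-fn" "$POOL_ARN"
    show_policy "us-east-1" "post-confirmation-fn"
fi
```

The same call in the Go SDK the question uses is `lambda.AddPermissionInput` with the fields `FunctionName`, `StatementId`, `Action`, `Principal`, `SourceArn` and `SourceAccount` set to the same values; the user pool ARN comes back in the `CreateUserPool` response, so the permission can be added immediately after the pool is created. If `add-permission` is re-run with a statement id that already exists it fails with a conflict, so pick a stable id per trigger and check `get-policy` before assuming the call is needed.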