Tags: amazon-web-services, aws-lambda, amazon-cognito, amazon-iam, aws-amplify

Missing permissions when using amplify postConfirmation trigger


I used Amplify's CLI to create a PostConfirmation Lambda trigger using `amplify update auth` and ran through the setup guide, answering "Do you want to enable any of the following capabilities?" with "Add User to Group", which created a template for that specific functionality in `amplify/backend/function//src/add-to-group.js`.

I then pushed the function using `amplify push`. Sadly, when a new user now gets confirmed, it is not added to the wanted group. When checking the logs of that specific Lambda I get the following errors:

xyzd1aPostConfirmation-dev is not authorized to perform: cognito-idp:GetGroup on resource …
xyzd1aPostConfirmation-dev is not authorized to perform: cognito-idp:CreateGroup on resource ...

Does anyone know why this is happening? Shouldn't the created IAM user have the correct permissions for the template file to work? How do I resolve this?

Edit: in the AWS web interface the Lambda has an existing role attached that satisfies the needed permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cognito-idp:AdminAddUserToGroup",
                "cognito-idp:GetGroup",
                "cognito-idp:CreateGroup"
            ],
            "Resource": "arn:aws:cognito-idp:eu-west-1:xyz:userpool/abc…",
            "Effect": "Allow"
        }
    ]
}

Thanks for any help in advance!


Solution

  • OK, never mind. The errors somehow only happen when using the Lambda test mode in the AWS interface.

    The Lambda trigger does NOT fire when you set up a user in the Cognito user interface and go from FORCE_CHANGE_PASSWORD to CONFIRMED. It only fires when you use the actual signUp API and go from UNCONFIRMED to CONFIRMED.
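To make the accepted answer concrete, here is an added example of a PostConfirmation "add user to group" handler in the shape of the Amplify template's job (look up the group, create it if missing, then add the user), with the three Cognito calls injected so the logic runs offline. This is not the poster's code and not the Amplify template; the group name `users`, the user pool id `eu-west-1_abc`, the sample event and the fake client are all constructed for the example. The handler only acts on `triggerSource === "PostConfirmation_ConfirmSignUp"`, which is the path the answer describes (signUp API, UNCONFIRMED to CONFIRMED), and it refuses events that name a pool other than the one the role policy covers, so a hand-made console test event fails fast with a clear reason instead of an IAM denial on a resource outside the policy.

```javascript
// Added example (not the poster's code or the Amplify template): a Cognito
// PostConfirmation trigger that adds the confirmed user to a group, with the
// Cognito client injected so it can be exercised without AWS credentials.

const DEFAULTS = {
  groupName: "users",                  // assumed group name
  expectedUserPoolId: "eu-west-1_abc", // assumed; the pool named in the role's policy Resource
};

// Decide what to do for an incoming event without touching AWS.
// Returns { action: "add", params } or { action: "skip", reason }.
function decide(event, defaults = DEFAULTS) {
  const source = event && event.triggerSource;
  if (source !== "PostConfirmation_ConfirmSignUp") {
    // Console "Test" invocations and other trigger sources never reach the
    // Cognito calls, so they cannot produce an AccessDenied error.
    return { action: "skip", reason: `unhandled triggerSource: ${source}` };
  }
  if (!event.userPoolId || !event.userName) {
    return { action: "skip", reason: "event lacks userPoolId or userName" };
  }
  if (event.userPoolId !== defaults.expectedUserPoolId) {
    // A test event naming another pool would target a resource the role's
    // policy does not cover; reject it here rather than let IAM deny it.
    return { action: "skip", reason: `unexpected user pool ${event.userPoolId}` };
  }
  return {
    action: "add",
    params: { GroupName: defaults.groupName, UserPoolId: event.userPoolId, Username: event.userName },
  };
}

// cognito = { getGroup(p), createGroup(p), adminAddUserToGroup(p) }, each returning a Promise.
// These mirror the three cognito-idp actions in the poster's role policy.
async function ensureGroup(cognito, UserPoolId, GroupName) {
  try {
    await cognito.getGroup({ UserPoolId, GroupName });
    return "existing";
  } catch (err) {
    const code = err && (err.name || err.code); // SDK v3 uses .name, v2 uses .code
    if (code !== "ResourceNotFoundException") throw err;
    await cognito.createGroup({ UserPoolId, GroupName, Description: "created by PostConfirmation trigger" });
    return "created";
  }
}

async function addUserToGroup(event, cognito, defaults = DEFAULTS) {
  const d = decide(event, defaults);
  if (d.action === "skip") return { added: false, reason: d.reason };
  const groupState = await ensureGroup(cognito, d.params.UserPoolId, d.params.GroupName);
  await cognito.adminAddUserToGroup(d.params);
  return { added: true, groupState, username: d.params.Username, group: d.params.GroupName };
}

// Cognito requires a trigger to return the (unmodified) event it received.
function makeHandler(cognito, defaults = DEFAULTS) {
  return async (event) => {
    await addUserToGroup(event, cognito, defaults);
    return event;
  };
}

// Constructed stand-in for the Cognito client: records calls and raises
// ResourceNotFoundException for groups that do not exist yet.
function makeFakeCognito(existingGroups = []) {
  const groups = new Set(existingGroups);
  const calls = [];
  const notFound = () => Object.assign(new Error("Group not found."), { name: "ResourceNotFoundException" });
  return {
    calls,
    async getGroup({ GroupName }) {
      calls.push(["getGroup", GroupName]);
      if (!groups.has(GroupName)) throw notFound();
      return { Group: { GroupName } };
    },
    async createGroup({ GroupName }) {
      calls.push(["createGroup", GroupName]);
      groups.add(GroupName);
      return { Group: { GroupName } };
    },
    async adminAddUserToGroup({ GroupName, Username }) {
      calls.push(["adminAddUserToGroup", `${Username}->${GroupName}`]);
      return {};
    },
  };
}

// Constructed sample of the event Cognito sends after a signUp confirmation.
const SAMPLE_EVENT = {
  version: "1",
  triggerSource: "PostConfirmation_ConfirmSignUp",
  region: "eu-west-1",
  userPoolId: "eu-west-1_abc",
  userName: "jane",
  request: { userAttributes: { email: "jane@example.com", email_verified: "true" } },
  response: {},
};
```

In a real Lambda you would build the `cognito` object from the AWS SDK v3 client, for example `getGroup: (p) => client.send(new GetGroupCommand(p))` and likewise for `CreateGroupCommand` and `AdminAddUserToGroupCommand` from `@aws-sdk/client-cognito-identity-provider`, and export `makeHandler(cognito)` as the Lambda handler. Running `addUserToGroup(SAMPLE_EVENT, makeFakeCognito())` walks the getGroup, createGroup, adminAddUserToGroup sequence; the same event with a different `triggerSource` or `userPoolId` is skipped with a reason before any call is made.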