Tags: python, aws-lambda, amazon-cognito, amazon-cognito-triggers

Disable User in Post Confirmation Trigger


I have a user base with different types (the user_type attribute defines the type). I want to disable users of a certain type upon confirmation, i.e. the flow is: user signs up --> user receives confirmation email with code --> user enters code --> post confirmation trigger is called.

Here's my post confirmation trigger lambda:

import logging
import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Created once per container so warm invocations reuse the client
cognito_client = boto3.client('cognito-idp')

def lambda_handler(event, context):
    # Cognito passes the user's attributes in event['request']['userAttributes']
    user_type = event['request']['userAttributes'].get('user_type', '')
    logger.info(event)
    if user_type == 'TYPE1':
        # Disable the user in the pool this trigger is attached to
        response = cognito_client.admin_disable_user(
            UserPoolId=event['userPoolId'],
            Username=event['userName']
        )
        logger.info(response)
    # Post Confirmation triggers must return the event unchanged
    return event

This returns the following error:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the AdminDisableUser operation: User: arn:aws:sts::<account_id>:assumed-role/CognitoPostConfirmation-role-xxxxx/CognitoPostConfirmation is not authorized to perform: cognito-idp:AdminDisableUser on resource: arn:aws:cognito-idp:us-east-1:xxxxxx:userpool/us-east-1_xxxxxx

Is there a way to disable users of a certain type using a trigger? I also tried using pre sign-up, but the problem there is that all the other types of users need to be automatically confirmed, which is not what I want. I need normal users to receive confirmation emails, and users of a certain type to either receive a confirmation and then be disabled, or not be confirmed to begin with.

I would really appreciate any help with this

Thanks,


Solution

  • Every Lambda function has an execution role which it assumes in order to get the permissions that allow it to make all of the AWS API calls that it needs to.

    From the error message, it looks like the Lambda function for your Post Confirmation Trigger has an execution role called CognitoPostConfirmation.

    The error message is telling you that it doesn't have the correct permissions to run the cognito-idp:AdminDisableUser method that you are using to disable some of your users.

    Therefore you should go to IAM and add a policy to the CognitoPostConfirmation role to allow your lambda function to use that API method:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "cognito-idp:AdminDisableUser",
                "Resource": "arn:aws:cognito-idp:<your-aws-region>:<your-aws-account>:userpool/<your-userpool-id>"
            }
        ]
    }
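The following is an added example, not code from the question or the answer above. It puts the answer's fix together with the handler: it builds the least-privilege policy scoped to the one user pool, it only disables on the sign-up confirmation (the same trigger also fires with triggerSource PostConfirmation_ConfirmForgotPassword), and it surfaces an AccessDeniedException instead of returning the event as if the user had been disabled. The attribute name custom:user_type (Cognito prefixes custom attributes with custom: in the event), the disable list TYPE1, the stub client, the fake exception class and the sample event are all constructed here for an offline run; boto3 is only imported when no client is injected.

```python
"""Post Confirmation trigger that disables users of a given type (added example)."""
import logging

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

DISABLED_TYPES = frozenset({"TYPE1"})          # hypothetical: types to disable
SIGNUP_SOURCE = "PostConfirmation_ConfirmSignUp"


def build_disable_policy(region, account_id, user_pool_id):
    """Least-privilege policy for the execution role: one action, one pool."""
    arn = f"arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "cognito-idp:AdminDisableUser",
            "Resource": arn,
        }],
    }


def user_type_of(event):
    attrs = event.get("request", {}).get("userAttributes", {})
    # Custom attributes arrive as "custom:<name>"; fall back to the bare name.
    return attrs.get("custom:user_type") or attrs.get("user_type", "")


def should_disable(event):
    """Act only on sign-up confirmations, not on forgot-password confirmations."""
    return (event.get("triggerSource") == SIGNUP_SOURCE
            and user_type_of(event) in DISABLED_TYPES)


def lambda_handler(event, context, client=None):
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("cognito-idp", region_name=event["region"])
    if not should_disable(event):
        return event
    try:
        client.admin_disable_user(UserPoolId=event["userPoolId"],
                                  Username=event["userName"])
    except Exception as exc:
        # botocore's ClientError carries the error code in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "AccessDeniedException":
            logger.error("execution role lacks cognito-idp:AdminDisableUser on %s",
                         event["userPoolId"])
        # The user is already confirmed when this runs, so raising cannot undo
        # that; it does make the failure visible to the caller and in the logs.
        raise
    logger.info("disabled %s (type %s)", event["userName"], user_type_of(event))
    return event


# ---- constructed test doubles, not part of any real deployment --------------

class FakeAccessDenied(Exception):
    """Mimics botocore ClientError's .response shape for an offline run."""
    def __init__(self):
        super().__init__("AccessDeniedException")
        self.response = {"Error": {"Code": "AccessDeniedException"}}


class RecordingClient:
    def __init__(self, deny=False):
        self.deny = deny
        self.calls = []

    def admin_disable_user(self, UserPoolId, Username):
        if self.deny:
            raise FakeAccessDenied()
        self.calls.append((UserPoolId, Username))
        return {}


def make_event(user_type, source=SIGNUP_SOURCE):
    """Constructed Post Confirmation event with hypothetical ids."""
    return {
        "triggerSource": source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_abc123",
        "userName": "alice",
        "request": {"userAttributes": {"email": "alice@example.com",
                                       "custom:user_type": user_type}},
        "response": {},
    }


if __name__ == "__main__":
    ok = RecordingClient()
    lambda_handler(make_event("TYPE1"), None, client=ok)
    print("disabled:", ok.calls)
    print(build_disable_policy("us-east-1", "123456789012", "us-east-1_abc123"))
```

Attach the policy returned by build_disable_policy to the execution role named in the error message, and keep the Resource scoped to that single pool rather than "*": the trigger never needs to disable users in any other pool.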