Tags: amazon-web-services, aws-lambda, aws-api-gateway, amazon-cognito, amazon-iam

Lambda is not authorized to perform: cognito-idp:AdminInitiateAuth


I am following AWS Cognito and API Gateway tutorials from part1, part 2 and part 3.

From part 1, I created the following lambdas:

  1. signup
  2. confirm signup
  3. forgot pwd
  4. resend verify code
  5. successful registration

and each of these lambdas has a separate role automatically generated for them.

From part 2, I connected these lambdas to various API endpoints in API Gateway, with the /login route being connected to the "successful registration" lambda.

From the part 3 tutorial, I created a refresh_access_token lambda function and also the test_user. Then, in the API Gateway, I created a new resource /user/test-user and added a GET method, which I connected to the test_user lambda. (The refresh_access_token isn't connected to a route).

After that, I go to the Create a New authorizer section from part 3, and when I run the /login route, I end up getting the following error:

HTTP/1.1 200 OK
Date: Tue, 27 Oct 2020 19:42:15 GMT
Content-Type: application/json
Content-Length: 423
Connection: close
x-amzn-RequestId: 86e522e3-1843-4c05-8d70-c6731c5f110f
x-amz-apigw-id: VFezhGcvFiAFqOQ=
X-Amzn-Trace-Id: Root=1-5f987816-65f557256f2ccd172032ff15;Sampled=0

{
  "message": "An error occurred (AccessDeniedException) when calling the AdminInitiateAuth operation: User: arn:aws:sts::xxxxxxxx:assumed-role/cognito-successful-registration-role-ck5hni20/cognito-successful-registration is not authorized to perform: cognito-idp:AdminInitiateAuth on resource: arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx",
  "error": true,
  "success": false,
  "data": null
}

The cognito-successful-registration-role-ck5hni20 just has AWSBasicExecutionRole attached to it and the trust relationship looks as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

What mistake am I making here?


Solution

  • Locate the role cognito-successful-registration-role-ck5hni20 in the AWS console. Once you have done this, you can add an inline policy to it in the following form:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "cognito-idp:AdminInitiateAuth",
                "Resource": "arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx"
            }
        ]
    }
    

    or use the more general form:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "cognito-idp:AdminInitiateAuth",
                "Resource": "*"
            }
        ]
    }
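The following is an added example, not code from either post: it builds the pool-scoped inline policy described in the answer, checks that its Resource element has the shape IAM accepts (a string or list of strings), evaluates offline which calls the policy would permit, and writes it to the role with boto3 (assumed installed). The role name and user-pool ARN are the placeholders from the question; the policy name and Sid are made up here.

```python
"""Least-privilege inline policy for the Lambda role that calls AdminInitiateAuth."""
import json
from fnmatch import fnmatchcase

# Placeholder identifiers taken from the question; replace with your own.
ROLE_NAME = "cognito-successful-registration-role-ck5hni20"
USER_POOL_ARN = "arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx"


def build_policy(user_pool_arn, actions=("cognito-idp:AdminInitiateAuth",)):
    """Allow only the listed Cognito actions, only on the given user pool."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCognitoAdminInitiateAuth",  # hypothetical Sid
            "Effect": "Allow",
            "Action": list(actions),
            # Resource is a string or list of strings; a {"AWS": ...} map is Principal syntax
            "Resource": user_pool_arn,
        }],
    }


def validate_policy(policy):
    """Raise ValueError for a Resource shape IAM would reject when the policy is saved."""
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        ok = isinstance(res, str) or (
            isinstance(res, list) and all(isinstance(r, str) for r in res))
        if not ok:
            raise ValueError(f"Statement {stmt.get('Sid')}: Resource must be a string "
                             f"or list of strings, got {type(res).__name__}")


def policy_allows(policy, action, resource):
    """Minimal offline check: some Allow statement matches action and resource.

    Only '*' wildcards and Allow statements are modelled; explicit Deny is not.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in actions) and \
           any(fnmatchcase(resource, r) for r in resources):
            return True
    return False


def attach_policy(role_name, policy, policy_name="cognito-admin-initiate-auth"):
    """Validate, then write the inline policy to the role (needs AWS credentials)."""
    import boto3  # imported here so the offline helpers work without boto3
    validate_policy(policy)
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy))
```

Run `attach_policy(ROLE_NAME, build_policy(USER_POOL_ARN))` with credentials that may edit the role; the scoped form is preferable to `"Resource": "*"` because it cannot be used against any other pool in the account.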