When I try to login using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger
Solution 1
This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.
To fix this in your CloudFormation / serverless.yml file:
resources:
Resources:
OnCognitoSignupPermission:
Type: 'AWS::Lambda::Permission'
Properties:
Action: "lambda:InvokeFunction"
FunctionName:
Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
Principal: "cognito-idp.amazonaws.com"
SourceArn:
Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]
To fix this in the AWS console:
- Go to the Cognito Console
- Choose your user pool
- Go to "Triggers"
- Remove your custom trigger (set it to None) and click "Save"
- Now reset it back and click "Save" again
Here's an interesting Amazon forum post that led me down the right track.
Solution 2
I had a problem similar to yours except I was trying to configure the Lambda with my Cognito User Pool through CloudFormation.
In the link that Ryan had posted there was a code sample someone posted. Namely Cognito needed the proper permissions to invoke the lambda function.
MyLambdaInvocationPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt MyLambdaFunctionName.Arn
Principal: cognito-idp.amazonaws.com
SourceArn: !GetAtt MyCognitoUserPoolName.Arn
Solution 3
For someone ending up here, trying to add cognito triggers via terraform, all you need to do is to add an aws_lambda_permission resource:
resource "aws_lambda_permission" "allow_execution_from_user_pool" {
statement_id = "AllowExecutionFromUserPool"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.<lambda>.function_name
principal = "cognito-idp.amazonaws.com"
source_arn = aws_cognito_user_pool.<pool>.arn
}
Found in this great post: https://www.integralist.co.uk/posts/cognito/
Ryan Shillington
This is my next start-up. I'm very excited about it: QbDVision by CherryCircle Software, Inc. Find me on LinkedIn: https://www.linkedin.com/in/ryanshillington/
Updated on June 06, 2022Comments
-
Ryan Shillington almost 2 years
I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.
Here is the code I'm calling:
var params = { AuthFlow: "ADMIN_NO_SRP_AUTH", ClientId: "@cognito_client_id@", UserPoolId: "@cognito_pool_id@", AuthParameters: { USERNAME : username, PASSWORD : tempPassword }, }; cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) { if (error) { console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack); } else { console.log("Login sent back: " + JSON.stringify(data)); } });
The error message I'm getting is:
ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.
Does anybody know why I might be getting this error?
-
Nirojan Selvanathan over 5 yearsThanks, Saved my Day !
-
wascou over 5 yearsThanks, this was what was missing.
-
Adam B over 5 yearsYou, good sir, have saved my sanity today! Had done exactly the same (i.e. using serverless) and this fixed it.
-
Prince Antony P over 5 yearsWorked like charm,...Thank you
-
Ciryon over 5 yearsThis is crazy. Also, the drift detection feature for Cloud Formation templates cannot see any difference after re-saving the trigger.
-
DenisH over 5 yearsYup it took me ages to get to the same conclusion. Just add the permission under
Resources
. I set the SourceArn toarn:aws:cognito-idp:<your region>:<your account>:userpool/*
so as to give access to all our pools. -
Ryan Shillington over 5 yearsI updated my answer to include the changes we made to get it working in CloudFormation. Kudos to @shanewwarren's answer below (although honestly we'd figured it out a few months before he posted his answer).
-
Randy L about 5 yearsI agree with @Ciryon this IS crazy and AWS apparently hates its customers.
-
Randy L about 5 yearsIf anybody else is setting Cognito up using Terraform, there's an open issue around the lambda permissions.
-
Ciryon almost 5 years@the0ther I wonder if AWS scans Stack Overflow with sentiment analysis and picks up comments like ours. :)
-
David Ben Ari over 4 yearsHey you all, I get this error after deploying the cloud formation with amplify-cli, I have tried to add this kind of permission all sorts of places and in many other formats as well, they never where deployed. does anyone know in which cloud formation template and where exactly should this permission be placed to be deployed successfully ?
-
David Ben Ari over 4 yearsHey you all, I get this error after deploying the cloud formation with amplify-cli, I have tried to add this kind of permission all sorts of places and in many other formats as well, they never where deployed. does anyone know in which cloud formation template and where exactly should this permission be placed to be deployed successfully ?
-
C.K Munn over 4 yearsYou sir are nothing short of a gee nee uss. Just to add I used FunctionName: "my-function-name" without the .Arn
-
snehanshu.js almost 4 yearsAlthough my solution was different, still, you're such a lifesaver!
-
badfun over 3 yearsStill relevant. The documentation is really confusing around Cognito triggers. thanks!
-
Emil Styrke almost 3 yearsThis error is completely unrelated to the OP - it indicates that the user running cloudformation does not have access to create the Cognito User Pool.
-
fmquaglia almost 3 yearsSir, if I could upvote this answer twice, I would do it. Stumbled with the same problem like 1 year after I upvoted it and here I am, giving you again my appreciation. thanks a lot, again!