When I try to log in using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger


Question

I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.

Here is the code I'm calling:

      // AWS SDK for JavaScript v2; the client construction was not shown in the
      // original snippet. Region and IAM credentials come from the SDK's usual
      // environment/config lookup. `username` and `tempPassword` are assumed to
      // be set by the surrounding code.
      var AWS = require("aws-sdk");
      var cognitoIdentityServiceProvider = new AWS.CognitoIdentityServiceProvider();

      // ADMIN_NO_SRP_AUTH sends the password to Cognito directly, so
      // AdminInitiateAuth is meant for trusted server-side code that signs
      // the call with IAM credentials, never for a browser client.
      var params = {
        AuthFlow: "ADMIN_NO_SRP_AUTH",
        ClientId: "@cognito_client_id@",   // placeholders substituted at deploy time
        UserPoolId: "@cognito_pool_id@",
        AuthParameters: {
          USERNAME : username,
          PASSWORD : tempPassword
        },
      };
      cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) {
        if (error) {
          // A failing Lambda trigger surfaces here as UnexpectedLambdaException
          console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack);
        } else {
          console.log("Login sent back: " + JSON.stringify(data));
        }
      });

The error message I get is:

ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.

Does anybody know why I might be getting this error?

Recommended answer

This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.

To fix this in your CloudFormation / serverless.yml file:

resources:
  Resources:
    OnCognitoSignupPermission:
      Type: 'AWS::Lambda::Permission'
      Properties:
        Action: "lambda:InvokeFunction"
        FunctionName:
          Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
        Principal: "cognito-idp.amazonaws.com"
        SourceArn:
          Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]

To fix this in the AWS Console:


  • Go to the Cognito Console
  • Choose your user pool
  • Go to "Triggers"
  • Remove your custom trigger (set it to None) and click "Save"
  • Now reset it back and click "Save" again

Here's an interesting Amazon forum post that led me down the right track.
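Both fixes in the answer create the same thing: a statement in the Lambda function's resource-based policy that lets the `cognito-idp.amazonaws.com` service principal invoke it, scoped by `SourceArn` to one user pool. The following Node.js script is an added example, not code from the original answer or the poster's project. It takes a resource policy in the shape Lambda's GetPolicy API returns (the `Policy` JSON string), reports whether a given user pool is allowed to invoke the function and whether that grant is scoped to the pool, and builds the `addPermission` parameters that reproduce what the console adds. The ARNs, the sample policy, and the function names `arnMatches`, `cognitoCanInvoke` and `addPermissionParams` are all constructed for this example.

```javascript
// Added example, not from the original answer: inspect a Lambda function's
// resource-based policy for the Cognito trigger grant, and build the
// AddPermission call that recreates it when it is missing.
// All ARNs and the sample policy below are constructed for the example.

const FUNCTION_ARN =
  'arn:aws:lambda:us-east-1:123456789012:function:users_onCognitoLogin'; // hypothetical
const POOL_ARN =
  'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE'; // hypothetical

// Constructed sample: the statement the Cognito console (or the
// AWS::Lambda::Permission resource in the answer) produces.
const SAMPLE_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Id: 'default',
  Statement: [
    {
      Sid: 'Cognito_users_onCognitoLogin',
      Effect: 'Allow',
      Principal: { Service: 'cognito-idp.amazonaws.com' },
      Action: 'lambda:InvokeFunction',
      Resource: FUNCTION_ARN,
      Condition: { ArnLike: { 'AWS:SourceArn': POOL_ARN } },
    },
  ],
});

function toArray(x) {
  if (x === undefined || x === null) return [];
  return Array.isArray(x) ? x : [x];
}

// IAM ARN patterns allow '*' and '?' wildcards; translate one to a RegExp.
function arnMatches(pattern, arn) {
  const re = pattern
    .split('')
    .map((c) => (c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|[\]\\]/g, '\\$&')))
    .join('');
  return new RegExp('^' + re + '$').test(arn);
}

// Returns { allowed, scoped, sid } for the first Allow statement that lets
// cognito-idp.amazonaws.com invoke functionArn. `scoped` is false when the
// statement has no AWS:SourceArn condition: the trigger works, but any user
// pool in any AWS account could then invoke the function (confused deputy).
function cognitoCanInvoke(policyJson, functionArn, poolArn) {
  let policy;
  try {
    policy = JSON.parse(policyJson);
  } catch (err) {
    return { allowed: false, reason: 'policy is not valid JSON' };
  }
  for (const stmt of toArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const services = toArray(stmt.Principal && stmt.Principal.Service);
    if (!services.includes('cognito-idp.amazonaws.com')) continue;
    if (!toArray(stmt.Action).includes('lambda:InvokeFunction')) continue;
    if (!toArray(stmt.Resource).some((r) => arnMatches(r, functionArn))) continue;
    const cond = stmt.Condition || {};
    const like = toArray(cond.ArnLike && cond.ArnLike['AWS:SourceArn']);
    const eq = toArray(cond.ArnEquals && cond.ArnEquals['AWS:SourceArn']);
    if (like.length + eq.length === 0) return { allowed: true, scoped: false, sid: stmt.Sid };
    if (like.some((p) => arnMatches(p, poolArn)) || eq.includes(poolArn)) {
      return { allowed: true, scoped: true, sid: stmt.Sid };
    }
  }
  return { allowed: false, reason: 'no Allow statement for this pool' };
}

// Parameters for Lambda.addPermission (AWS SDK for JavaScript v2) matching the
// serverless.yml resource in the answer. Scoping SourceArn to the pool is what
// keeps the grant from being usable by other pools or accounts.
function addPermissionParams(functionArn, poolArn, statementId) {
  return {
    FunctionName: functionArn,
    StatementId: statementId,
    Action: 'lambda:InvokeFunction',
    Principal: 'cognito-idp.amazonaws.com',
    SourceArn: poolArn,
  };
}

// Stand-alone demonstration on the constructed policy.
const verdict = cognitoCanInvoke(SAMPLE_POLICY, FUNCTION_ARN, POOL_ARN);
console.log('trigger allowed:', verdict.allowed, 'scoped to pool:', verdict.scoped);
if (!verdict.allowed) {
  console.log('missing grant; call lambda.addPermission with',
    addPermissionParams(FUNCTION_ARN, POOL_ARN, 'CognitoTrigger'));
}
```

In a real check you would feed the `Policy` string from `lambda.getPolicy({ FunctionName })` into `cognitoCanInvoke`; when the function has no resource policy at all, treat that the same as no grant and call `lambda.addPermission` with the parameters built above. Redeploying a function with a tool that recreates it drops this policy, which is exactly the state the original error describes, and the console's "set to None, save, set it back, save" dance simply recreates the statement.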
