当我尝试使用AWS Cognito登录时,我收到有关自定义Lambda触发器的AccessDeniedException [英] When I try to login using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger
问题描述
我正在调用adminInitiateAuth并为自己的lambda返回一个奇怪的AccessDeniedException。
I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.
这是我正在调用的代码:
Here is the code I'm calling:
var params = {
AuthFlow: "ADMIN_NO_SRP_AUTH",
ClientId: "@cognito_client_id@",
UserPoolId: "@cognito_pool_id@",
AuthParameters: {
USERNAME : username,
PASSWORD : tempPassword
},
};
cognitoIdentityServiceProvider.adminInitiateAuth(params, function(error, data) {
if (error) {
console.log("ERROR! Login failed: " + JSON.stringify(error), error.stack);
} else {
console.log("Login sent back: " + JSON.stringify(data));
}
});
我收到的错误消息是:
ERROR! Login failed: {"message":"arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.","code":"UnexpectedLambdaException","time":"2017-02-25T18:54:15.109Z","requestId":"ce42833f-fb8b-11e6-929b-2f78b63faa12","statusCode":400,"retryable":false,"retryDelay":1.0853444458916783} UnexpectedLambdaException: arn:aws:lambda:us-east-1:201473124518:function:main-devryan-users_onCognitoLogin failed with error AccessDeniedException.
有人知道为什么我会遇到这个错误吗?
Does anybody know why I might be getting this error?
推荐答案
之所以发生这种情况,是因为我重新创建了API Gateway& Lambdas(使用无服务器),事实证明,当通过控制台作为触发器添加时,Cognito控制台会偷偷添加权限以联系给定的Lambda函数。
This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.
要在您的CloudFormation / serverless.yml文件中解决此问题:
resources:
Resources:
OnCognitoSignupPermission:
Type: 'AWS::Lambda::Permission'
Properties:
Action: "lambda:InvokeFunction"
FunctionName:
Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
Principal: "cognito-idp.amazonaws.com"
SourceArn:
Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]
要在AWS控制台中解决此问题:
- 转到Cognito控制台
- 选择您的用户池
- 转到触发器
- 删除自定义触发器(将其设置为无),然后单击保存
- 现在将其重置,然后再次单击保存
- Go to the Cognito Console
- Choose your user pool
- Go to "Triggers"
- Remove your custom trigger (set it to None) and click "Save"
- Now reset it back and click "Save" again
这里是一篇有趣的亚马逊论坛帖子,使我走上了正轨。
Here's an interesting Amazon forum post that led me down the right track.
这篇关于当我尝试使用AWS Cognito登录时,我收到有关自定义Lambda触发器的AccessDeniedException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!