What is the user principal of a cognito preauth function?


When you have to give IAM permissions to a Cognito preauth trigger, is the role you assign assumed by 'lambda.amazonaws.com' like any other Lambda? Or are triggers run by the Cognito service principal, 'cognito-idp.amazonaws.com'?

I need to give my lambda permission to do dynamodb:GetItem on a specific table (by ARN) and it's not working. It might be not working for some other reason than this. I think the answer is it's still lambda.amazonaws.com but wanted to double check, mainly because I can't find what cognito-idp.amazonaws.com is used for.

wz2b
asked a year ago, 316 views
1 Answer
Accepted Answer

The Lambda Policy has a resource policy that allows it to be accessed by the Cognito user pool in the form of:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "<Some SID>",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:<region>:<AWS Account>:function:<Lambda function name>",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:cognito-idp:<region>:<AWS Account>:userpool/<User Pool ID>"
        }
      }
    }
  ]
}

But the Lambda function still executes as lambda.amazonaws.com and must be authorized as such through the Lambda Execution Role associated with the Lambda function.

AWS
answered a year ago
  • Ahhhh that's much clearer now. The lambda still runs as lambda.amazonaws.com but you have to give cognito-idp.amazonaws.com permission to invoke it. Thanks very much for explaining!
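The three documents the answer and comment describe, side by side, as an added example that is not part of the thread: the function's resource-based policy (Cognito may invoke, scoped to one pool), the execution role's trust policy (Lambda assumes the role) and the role's permissions policy (GetItem on the table), plus a small check that fails when the two principals are swapped. The account, region, pool, function and table names are constructed placeholders.

```python
# Added example (not from the thread): the three policy documents a Cognito
# pre-authentication trigger needs, and a check that tells the principals apart.
# Account, region, pool, function and table names are constructed placeholders.
REGION, ACCOUNT = "us-east-1", "111122223333"
POOL_ARN = f"arn:aws:cognito-idp:{REGION}:{ACCOUNT}:userpool/{REGION}_EXAMPLE"
FUNC_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:preauth-trigger"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/UserFlags"

# 1. Resource-based policy on the function: the Cognito service may invoke it,
#    but only on behalf of this one user pool (SourceArn blocks other pools).
resource_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cognito-idp.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": FUNC_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": POOL_ARN}}}]}

# 2. Trust policy of the execution role: Lambda, not Cognito, assumes it.
trust_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# 3. Permissions policy on the execution role: what the function code may do.
role_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "dynamodb:GetItem",
    "Resource": TABLE_ARN}]}

def _allows(policy, principal, action, resource=None, source_arn=None):
    """Allow statement for this service principal (None = no Principal key), action, covering Resource and, if given, SourceArn."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        if s.get("Principal", {}).get("Service") != principal:
            continue
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        res = s.get("Resource", "*")
        res = res if isinstance(res, list) else [res]
        cond = s.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if action in acts and (resource is None or resource in res or "*" in res) \
                and (source_arn is None or cond == source_arn):
            return True
    return False

def trigger_is_wired(resource_policy, trust_policy, role_policy):
    """Every link holds: Cognito may invoke, Lambda may assume the role, the role may read the table."""
    return (_allows(resource_policy, "cognito-idp.amazonaws.com",
                    "lambda:InvokeFunction", FUNC_ARN, POOL_ARN)
            and _allows(trust_policy, "lambda.amazonaws.com", "sts:AssumeRole")
            and _allows(role_policy, None, "dynamodb:GetItem", TABLE_ARN))
```

Putting cognito-idp.amazonaws.com in the trust policy instead of the resource policy (the mix-up in the question) makes the check fail, as does dropping the SourceArn condition or pointing the role at a different table.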
