I am working with the Serverless Framework in my approach to Authentication. My goal is to create an API endpoint that triggers (via AWS API Gateway) a Lambda Function that creates a new AWS Cognito user. The endpoint will have a custom authorizer to protect it.
My Lambda function is below. When it's run, I receive the error "NotAuthorizedException: SignUp is not permitted for this user pool". Any thought on how to authorize my Lambda function to create a new user?
'use strict';
var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
var CognitoUserPool = AmazonCognitoIdentity.CognitoUserPool;
var CognitoUserAttribute = AmazonCognitoIdentity.CognitoUserAttribute;
module.exports.init = (event, context, callback) => {
console.log('Lambda initiated with event:',event);
// Define AWS Cognito User Pool
var poolData = {
"UserPoolId": process.env['COGNITO_USER_POOL_ID'],
"ClientId": process.env['COGNITO_APP_CLIENT_ID']
};
var userPool = new CognitoUserPool(poolData);
console.log('userPool:',userPool);
// Define User Attributes
var attributeList = [];
var dataEmail = {
"Name": "email",
"Value": "email@example.com"
};
var attributeEmail = new CognitoUserAttribute(dataEmail);
attributeList.push(attributeEmail);
console.log('attributeList:',attributeList);
// Create User via AWS Cognito
userPool.signUp('username', 'password', attributeList, null, function(err, result) {
if(err) {
console.log('err:',err);
callback(err,null);
} else {
console.log('result:',result);
cognitoUser = result.user;
console.log('user name is ' + cognitoUser.getUsername());
callback(null,result);
}
});
};
"NotAuthorizedException: SignUp is not permitted for this user pool" exception is thrown when the user pool only allows administrators to create the users via the AdminCreateUser API. With this setting enabled, SignUp API cannot be called and will throw this error.
If you are calling this from a lambda trigger you can use AdminCreateUser API or disable this setting so your user pool allows SignUp API calls.