Why is my AWS assumed role not authorised to perform cognito-idp:AdminGetUser?
My Laravel application calls the AdminGetUser endpoint.
In the local environment, it successfully returns the resource.
After deploying to a Vapor environment, it fails with the following error message:
User: arn:aws:sts::xxxx:assumed-role/laravel-vapor-role/xxxx is not authorized to perform: **cognito-idp:AdminGetUser** on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx because no identity-based policy allows the cognito-idp:AdminGetUser action
What is the issue?
laravel-vapor-role is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx
This means the laravel-vapor-role role does not have a suitable policy attached to provide it with permission to carry out the cognito-idp:AdminGetUser action.
You can fix this in 2 ways:
- Assign the AWS managed
AmazonCognitoReadOnlypolicy to the role - Add an inline policy to the role, in line with the security best practice of granting least privilege
If you anticipate more read-only permissions will be needed later on, it'll be much easier and better to just assign the AWS managed AmazonCognitoReadOnly policy to the role.
It will provides permissions for read-only access to your identity pools and user pools, including the cognito-idp:AdminGetUser permission that falls under cognito-idp:Get* (documentation here, direct policy link here):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:Describe*",
"cognito-identity:Get*",
"cognito-identity:List*",
"cognito-idp:Describe*",
"cognito-idp:AdminGet*",
"cognito-idp:AdminList*",
"cognito-idp:List*",
"cognito-idp:Get*",
"cognito-sync:Describe*",
"cognito-sync:Get*",
"cognito-sync:List*",
"iam:ListOpenIdConnectProviders",
"iam:ListRoles",
"sns:ListPlatformApplications"
],
"Resource": "*"
}
]
}
If you only require the single permission of cognito-idp:AdminGetUser, then create & assign an inline policy to the role which only grants that permission for the specific Cognito User Pool.
The below images should be self-explanatory:
- Lambda Provisioned Concurrency showing 0 available. But I'm not using any
- Access the Alexa Shopping and To-Do Lists with Python3 request module
- Creating a schedule expression for eventbridge using terraform
- Terraform lambda source_code_hash update with same code
- Serverless / AWS Lambda - Create the triggers for the published lambda versions
- Invoking lambda from API gateway test, but hitting the endpoint does not invoke the lambda. 500 returned
- Importing LightGBM into AWS Lambda
- aws-encryption-sdk-python decrypt error: '65 is not a valid SerializationVersion'
- how to decrease the exceution time of aws lambda function nodejs
- Is it possible to use SSM parameters in environment variables for a lambda?
- AWS SAM CLI cannot access Dynamo DB when function is invoked locally
- Use a lambda to upload an S3 object to external API
- Simple way to put AWS Lambda app behind SAML authentication
- AWS Lambda - How to stop retries when there is a failure
- Handling an image/jpeg response from Lambda in API Gateway
- How I can safely check if file exists in S3 bucket using go in lambda?
- How to calculate the CodeSha256 of aws lambda deployment package before uploading
- Problems using MySQL with AWS Lambda in Python
- using AWS lambda-docker Error "lambda-entrypoint.sh: exec format error"
- Container image support for AWS Lambda via cloudformation
- How can I recover deleted AWS Lambda code?
- Cognito "Authorizer" element not appearing in RequestContext in a Lambda triggered via API Gateway
- AWS Lambda Custom JWT Validation
- Uploading File to S3 via Node.js SDK Resulting is Blank File
- Disable dynamoDB table
- How to limit the consuming rate from a topic?
- How to install Numpy and Pandas for AWS Lambdas?
- What be causing a "Network Failure" error when I try to add AWS Cognito authorization to my API Gateway?
- Retrieve custom tag values for later use in Lambda / Python 3.12 function
- AWS XRay with AWS SDK v3 for NodeJS