My Laravel application calls the AdminGetUser endpoint.
In the local environment, it successfully returns the resource.
After deploying to a Vapor environment, it fails with the following error message:
User: arn:aws:sts::xxxx:assumed-role/laravel-vapor-role/xxxx is not authorized to perform: **cognito-idp:AdminGetUser** on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx because no identity-based policy allows the cognito-idp:AdminGetUser action
What is the issue?
laravel-vapor-role is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx
This means the laravel-vapor-role
role does not have a suitable policy attached to provide it with permission to carry out the cognito-idp:AdminGetUser
action.
You can fix this in 2 ways:
AmazonCognitoReadOnly
policy to the roleIf you anticipate more read-only permissions will be needed later on, it'll be much easier and better to just assign the AWS managed AmazonCognitoReadOnly
policy to the role.
It will provides permissions for read-only access to your identity pools and user pools, including the cognito-idp:AdminGetUser
permission that falls under cognito-idp:Get*
(documentation here, direct policy link here):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-identity:Describe*",
"cognito-identity:Get*",
"cognito-identity:List*",
"cognito-idp:Describe*",
"cognito-idp:AdminGet*",
"cognito-idp:AdminList*",
"cognito-idp:List*",
"cognito-idp:Get*",
"cognito-sync:Describe*",
"cognito-sync:Get*",
"cognito-sync:List*",
"iam:ListOpenIdConnectProviders",
"iam:ListRoles",
"sns:ListPlatformApplications"
],
"Resource": "*"
}
]
}
If you only require the single permission of cognito-idp:AdminGetUser
, then create & assign an inline policy to the role which only grants that permission for the specific Cognito User Pool.
The below images should be self-explanatory: