Lambda is not authorized to perform: cognito-idp:AdminInitiateAuth
I am following AWS Cognito and API Gateway tutorials from part 1, part 2 and part 3.

From part 1, I created the following lambdas:

  1. signup
  2. confirm signup
  3. forgot pwd
  4. resend verify code
  5. successful registration

and each of these lambdas has a separate role automatically generated for them.

From part 2, I connected these lambdas to various API endpoints in API Gateway, with the /login route being connected to the "successful registration" lambda.

From the part 3 tutorial, I created a refresh_access_token lambda function and also the test_user. Then, in the API Gateway, I created a new resource /user/test-user and added a GET method, which I connected to the test_user lambda. (The refresh_access_token isn't connected to a route).

After that, I go to the Create a New authorizer section from part 3, and when I run the /login route, I end up getting the following error:

HTTP/1.1 200 OK
Date: Tue, 27 Oct 2020 19:42:15 GMT
Content-Type: application/json
Content-Length: 423
Connection: close
x-amzn-RequestId: 86e522e3-1843-4c05-8d70-c6731c5f110f
x-amz-apigw-id: VFezhGcvFiAFqOQ=
X-Amzn-Trace-Id: Root=1-5f987816-65f557256f2ccd172032ff15;Sampled=0

{
  "message": "An error occurred (AccessDeniedException) when calling the AdminInitiateAuth operation: User: arn:aws:sts::xxxxxxxx:assumed-role/cognito-successful-registration-role-ck5hni20/cognito-successful-registration is not authorized to perform: cognito-idp:AdminInitiateAuth on resource: arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx",
  "error": true,
  "success": false,
  "data": null
}

The cognito-successful-registration-role-ck5hni20 just has AWSBasicExecutionRole attached to it and the trust relationship looks as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

What mistake am I making here?

Greybeard answered 27/10, 2020 at 20:12 Comment(1)
Add the cognito-idp:AdminInitiateAuth action to your allow. – Derogative
Locate the role cognito-successful-registration-role-ck5hni20 in the AWS console. Once you do this, you can add an inline policy to it in the following form:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "cognito-idp:AdminInitiateAuth",
            "Resource": "arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx"
        }
    ]
}

or use a more general form:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "cognito-idp:AdminInitiateAuth",
            "Resource": "*"
        }
    ]
}
Valse answered 27/10, 2020 at 23:1 Comment(3)
Thanks a lot for your help. You're always a saviour :D. Just one question: can I change the action from cognito-idp:AdminInitiateAuth to cognito-idp:* to allow for all the actions? – Greybeard
Accepted the answer :) For cognito-idp, is there a pre-existing policy that can be attached directly? If not, should a policy be created for it for future use? – Greybeard
@Junkrat There are existing policies such as AmazonCognitoPowerUser or AmazonCognitoDeveloperAuthenticatedIdentities and others, but you would have to inspect their permissions in the AWS console to check if they are suited for your use case. – Valse
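The answer and the comment thread raise two separate questions: does the inline policy actually grant cognito-idp:AdminInitiateAuth on the Lambda's user pool, and how much wider does the grant become once the Resource is "*" or the Action is cognito-idp:*? The following Python check is an added example, not code from the question, the answers or the tutorials. It applies IAM's identity-policy rules in simplified form (Action and Resource wildcards, case-insensitive action names, explicit Deny overriding Allow; no Condition, NotAction or resource-based policies) to the policy variants discussed above. The pool ARN reuses the placeholders shown on the page, and all sample policies are constructed here.

```python
import re

# Constructed sample values: the user pool ARN and action from the question,
# with the account id and pool id left as the page's placeholders.
POOL_ARN = "arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx"
REQUIRED_ACTION = "cognito-idp:AdminInitiateAuth"


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _resources(stmt):
    """Resource must be an ARN string or a list of them. An object here is a
    policy bug: the {"AWS": ...} form is Principal syntax, not Resource syntax."""
    res = stmt.get("Resource")
    if isinstance(res, dict):
        raise ValueError('"Resource" must be an ARN string or a list of ARN strings')
    return _as_list(res)


def _iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Decide whether an identity policy allows `action` on `resource`:
    any matching Deny wins; otherwise at least one matching Allow is needed."""
    allowed_by, denied_by = [], []
    for idx, stmt in enumerate(_statements(policy)):
        action_hit = any(_iam_match(a, action, case_insensitive=True)
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(_iam_match(r, resource) for r in _resources(stmt))
        if action_hit and resource_hit:
            (allowed_by if stmt.get("Effect") == "Allow" else denied_by).append(idx)
    return {"allowed": bool(allowed_by) and not denied_by,
            "allowed_by": allowed_by, "denied_by": denied_by}


def findings(policy):
    """Flag Allow statements broader than the one action on one pool the Lambda needs."""
    out = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action")):
            if "*" in a:
                out.append(f"statement {idx}: action {a!r} grants more than AdminInitiateAuth")
        for r in _resources(stmt):
            if "*" in r:
                out.append(f"statement {idx}: resource {r!r} is not scoped to one user pool")
    return out


def _policy(action, resource, effect="Allow"):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": resource}]}


# Constructed policy variants matching the answer and its comment thread.
SCOPED_POLICY = _policy(REQUIRED_ACTION, POOL_ARN)            # corrected first form
BROAD_RESOURCE_POLICY = _policy(REQUIRED_ACTION, "*")        # "more general form"
SERVICE_WILDCARD_POLICY = _policy("cognito-idp:*", POOL_ARN)  # the cognito-idp:* question
MALFORMED_POLICY = _policy(REQUIRED_ACTION, {"AWS": POOL_ARN})  # Principal syntax in Resource
DENY_OVERRIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    SERVICE_WILDCARD_POLICY["Statement"][0],
    {"Effect": "Deny", "Action": REQUIRED_ACTION, "Resource": POOL_ARN},
]}

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("broad resource", BROAD_RESOURCE_POLICY),
                      ("service wildcard", SERVICE_WILDCARD_POLICY)]:
        print(name, evaluate(pol, REQUIRED_ACTION, POOL_ARN)["allowed"], findings(pol))
```

Run against the role's actual inline policy (for example the JSON pasted from the console), the scoped form allows exactly the call the Lambda makes and reports no findings, while the "*" resource and cognito-idp:* variants still allow the call but are flagged because they also cover every other pool or every other Cognito admin operation. The malformed {"AWS": ...} Resource is rejected outright, which mirrors the console refusing to save such a policy.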
For people who are new to AWS like this, here is a more detailed solution:

  1. Go to your Lambda function.
  2. Under Configuration, click Permissions, and then you'll see the execution role and the corresponding role name.
  3. Click on the role name.
  4. Then edit the permissions and add a new inline policy, as suggested by @Marcin.
  5. Finally, click Create policy.
Bentlee answered 25/8, 2021 at 17:1 Comment(0)
I had a similar issue with AdminInitiateAuth, but mine was slightly different: Auth flow not enabled for this client.

I could not solve the issue with any kind of role, the problem was not with the function but with the Cognito client used in the login handler.

The solution was to go to the Cognito User Pool in the AWS Console, then to 'App clients', and to check the boxes for ALLOW_ADMIN_USER_PASSWORD_AUTH and ALLOW_USER_PASSWORD_AUTH.

Octant answered 3/12, 2022 at 15:6 Comment(0)
