When I try to login using AWS Cognito I get an AccessDeniedException about my custom Lambda trigger

走了就别回头了 2021-02-01 16:16

I am calling adminInitiateAuth and getting back a strange AccessDeniedException for my own lambdas.

Here is the code I'm calling:

      var params = {
5 answers
    谎友^ (original poster)
    2021-02-01 16:48

    This was happening because I recreated my API Gateway & Lambdas (using serverless) and it turns out that the Cognito console sneakily adds permissions to contact a given Lambda function when added as a trigger through the console.


    To fix this in your CloudFormation / serverless.yml file:

    resources:
      Resources:
        # Resource policy on the trigger Lambda: lets the Cognito service principal invoke it
        OnCognitoSignupPermission:
          Type: 'AWS::Lambda::Permission'
          Properties:
            Action: "lambda:InvokeFunction"
            FunctionName:
              Fn::GetAtt: [ "UsersUnderscoreonCognitoSignupLambdaFunction", "Arn"]
            Principal: "cognito-idp.amazonaws.com"
            # SourceArn pins the grant to this one user pool; without it any pool in any account could invoke the function
            # @cognito_pool_id@ is a placeholder for your user pool id
            SourceArn:
              Fn::Join: [ "", [ "arn:aws:cognito-idp", ":", Ref: "AWS::Region", ":", Ref: "AWS::AccountId", ":", "userpool/", "@cognito_pool_id@" ] ]


    To fix this in the AWS console:

    • Go to the Cognito Console
    • Choose your user pool
    • Go to "Triggers"
    • Remove your custom trigger (set it to None) and click "Save"
    • Now reset it back and click "Save" again

    Here's an interesting Amazon forum post that led me down the right track.
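A check for the permission the answer above adds, as an added example that is not part of the original post or of any AWS tooling: it parses a Lambda resource policy (the JSON string that `aws lambda get-policy --function-name NAME` or boto3's `get_policy()["Policy"]` returns) and reports whether cognito-idp.amazonaws.com may invoke the function and whether that grant is pinned to one user pool by `AWS:SourceArn`. The function ARN, account number, pool id and sample policies are constructed placeholders. A grant with no `SourceArn` is the one to watch for: it lets a user pool in any AWS account fire the trigger, which is why the CloudFormation resource above sets `SourceArn` rather than granting the service principal alone.

```python
"""Audit a Lambda resource policy for the Cognito trigger permission.

The policy string is what `aws lambda get-policy --function-name NAME`
(or boto3's lambda_client.get_policy()["Policy"]) returns.  Everything
below, including the ARNs and pool id, is constructed for this example.
"""
import fnmatch
import json

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"
INVOKE_ACTION = "lambda:invokefunction"  # compared lower-cased: IAM action names are case-insensitive

# Constructed identifiers (placeholders, not from the original post).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:onCognitoSignup"
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE01"


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _source_arn_patterns(stmt):
    """Collect the AWS:SourceArn patterns from a statement's Condition block."""
    cond = stmt.get("Condition") or {}
    patterns = []
    for operator in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
        for key, value in (cond.get(operator) or {}).items():
            if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                patterns.extend(_as_list(value))
    return patterns


def _allows_cognito_invoke(stmt):
    """True if this Allow statement lets the Cognito service principal invoke."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        who = _as_list(principal.get("Service")) + _as_list(principal.get("AWS"))
    else:
        who = _as_list(principal)  # a bare "*" means anyone
    if COGNITO_PRINCIPAL not in who and "*" not in who:
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase(INVOKE_ACTION, a) for a in actions)


def check_cognito_invoke(policy_json, user_pool_arn):
    """Classify the policy for one user pool.

    "scoped"     Cognito may invoke, and the grant is pinned to user_pool_arn
    "unscoped"   Cognito may invoke with no SourceArn: any pool, any account
    "wrong-pool" a SourceArn is present but names a different pool
    "missing"    no statement lets cognito-idp.amazonaws.com invoke at all
    """
    verdict = "missing"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _allows_cognito_invoke(stmt):
            continue
        patterns = _source_arn_patterns(stmt)
        if not patterns:
            return "unscoped"  # worst case wins regardless of other statements
        if any(fnmatch.fnmatchcase(user_pool_arn, p) for p in patterns):
            verdict = "scoped"
        elif verdict == "missing":
            verdict = "wrong-pool"
    return verdict


def cognito_invoke_statement(function_arn, user_pool_arn, sid="OnCognitoSignupPermission"):
    """The statement that an AWS::Lambda::Permission with SourceArn produces."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": COGNITO_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": user_pool_arn}},
    }


def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


# Constructed sample policies.
POLICY_SCOPED = _policy(cognito_invoke_statement(FUNCTION_ARN, USER_POOL_ARN))
POLICY_UNSCOPED = _policy({k: v for k, v in cognito_invoke_statement(FUNCTION_ARN, USER_POOL_ARN).items()
                           if k != "Condition"})
POLICY_WRONG_POOL = _policy(cognito_invoke_statement(FUNCTION_ARN, USER_POOL_ARN.replace("EXAMPLE01", "OTHERPOOL")))
POLICY_MISSING = _policy({  # only API Gateway may invoke: a redeploy that forgot the Cognito grant looks like this
    "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN,
})

if __name__ == "__main__":
    for name, policy in [("scoped", POLICY_SCOPED), ("unscoped", POLICY_UNSCOPED),
                         ("wrong-pool", POLICY_WRONG_POOL), ("missing", POLICY_MISSING)]:
        print(f"{name:11} -> {check_cognito_invoke(policy, USER_POOL_ARN)}")
```

Run it against a live function by replacing the sample policies with the string from `get-policy`; a "missing" verdict is the AccessDeniedException case from the question, and an "unscoped" verdict means the trigger works but the grant is wider than it needs to be.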
