I have a user base with different types (user_type attribute will define the type). I want to disable users of certain type upon confirmation. i.e. flow: user signs up --> user receives confirmation email with code --> user enters code --> post confirmation trigger is called.
Here's my post confirmation trigger lambda:
import logging
import boto3

logger = logging.getLogger()
logger.setLevel(logging.INFO)
cognito_client = boto3.client('cognito-idp')

def lambda_handler(event, context):
    # Post Confirmation trigger: the confirmed user's attributes arrive under request.userAttributes
    user_type = event['request']['userAttributes'].get('user_type', '')
    logger.info(event)
    if user_type == 'TYPE1':
        # Needs cognito-idp:AdminDisableUser on this user pool in the function's execution role
        response = cognito_client.admin_disable_user(
            UserPoolId=event['userPoolId'],
            Username=event['userName']
        )
        logger.info(response)
    return event
This returns the following error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the AdminDisableUser operation: User: arn:aws:sts::<accound_id>:assumed-role/CognitoPostConfirmation-role-xxxxx/CognitoPostConfirmation is not authorized to perform: cognito-idp:AdminDisableUser on resource: arn:aws:cognito-idp:us-east-1:xxxxxx:userpool/us-east-1_xxxxxx
Is there a way to disable users of a certain type using a trigger? I also tried using pre sign-up, but the problem there is that all the other types of users need to be automatically confirmed, which is not what I want. I need normal users to receive confirmation emails, and users of a certain type to either receive a confirmation and then be disabled, or not be confirmed to begin with.
I would really appreciate any help with this.
Thanks,
Every Lambda function has an execution role which it assumes in order to get the permissions that allow it to make all of the AWS API calls that it needs to.
From the error message, it looks like the Lambda function for your Post Confirmation Trigger has an execution role called CognitoPostConfirmation. The error message is telling you that it doesn't have the correct permissions to run the cognito-idp:AdminDisableUser method that you are using to disable some of your users. Therefore you should go to IAM and add a policy to the CognitoPostConfirmation role to allow your lambda function to use that API method:
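The answer stops before the policy it points to. As an added example (neither the asker's nor the answerer's code), the block below builds a least-privilege policy for the CognitoPostConfirmation role scoped to a single user pool, and includes a small stdlib-only evaluator that shows why a role with only CloudWatch Logs permissions yields the AccessDeniedException from the question and flags wildcard grants that would give the trigger more than it needs. The account and pool ids in USER_POOL_ARN are constructed placeholders, not values from the page.

```python
import re

# Constructed placeholder standing in for the pool ARN in the error message (ids are redacted there).
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"

def least_privilege_policy(user_pool_arn):
    """Policy to attach to the trigger's execution role: one action, one pool, no wildcards."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DisableUsersInThisPoolOnly",
            "Effect": "Allow",
            "Action": "cognito-idp:AdminDisableUser",
            "Resource": user_pool_arn,
        }],
    }

def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def allows(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching Allow.
    Actions compare case-insensitively and resource ARNs case-sensitively, as IAM does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit_action = any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def overbroad_grants(policy):
    """Flag Allow statements whose action or resource is wider than the trigger needs."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"action {a}" for a in _as_list(stmt.get("Action", [])) if "*" in a]
        findings += [f"resource {r}" for r in _as_list(stmt.get("Resource", [])) if r == "*"]
    return findings
```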