设置 Lambda IAM 策略以访问 Cognito

Question

在注册新的 Cognito 用户之前，我创建了一个 lambda 来检查自定义逻辑。在为此 lambda 创建 IAM 策略时，我应该在这里使用什么正确的“操作”和“资源”？

我正在关注本指南：https://medium.com/@earlg3/using-lambda-aws-cognito-triggers-to-only-allow-auto-verification-to-specific-domain-db2efea79c44

拉姆达

exports.handler = function(event, context) {
    
    // Configure the email domain that will be allowed to automatically verify.
    var approvedDomain = "approveddomain.com";
    
    // Log the event information for debugging purposes.
    console.log('Received event:', JSON.stringify(event, null, 2));if (event.request.userAttributes.email.includes('@' + approvedDomain)) {
        console.log ("This is an approved email address. Proceeding to send verification email.");
        event.response.emailSubject = "Signup Verification Code";
        event.response.emailMessage = "Thank you for signing up. " + event.request.codeParameter + " is your verification code.";
        context.done(null, event);
    } else {
        console.log ("This is not an approved email address. Throwing error.");
        var error = new Error('EMAIL_DOMAIN_ERR');
        context.done(error, event);
   }};

到目前为止我的最佳猜测：

{
   "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaSignUp",
            "Effect": "Allow",
            "Action": [
                "cognito-sync:*",
                "cognito-idp:*",
            ],
            "Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
        }
    ]
}

Answer 1

想通了 - 事实证明不需要特殊的 IAM 策略，因为您会从 Cognito 的 AWS 控制台指向这个 lambda。

1. 保留默认 IAM 策略（基本策略将包括日志权限）
2. 转到用户池 > 您的池名称 > 触发器。在“自定义消息”下，选择您的 lambda。

就是这样！

注意上面的 lambda：如果要测试它，请确保在测试事件中包含 request 和 UserAttributes 键：

{
  "request": {
    "userAttributes": {
      "email": "hello@test.com"
    }
  },
  "response": {}
}