【Question title】: Cognito User Pool Lambda Trigger permission
【Posted】: 2021-05-20 15:12:06
【Question】:

I am creating a Cognito user pool with Terraform. I want to use a lambda function to send a custom message when a user signs up. When I try to sign up from the client, I get an error message saying "CustomMessage invocation failed due to error AccessDeniedException." I have used Lambda Permissions before, but I could not find any example of this configuration. How do I grant the lambda function permission? Below is my current configuration.

resource "aws_cognito_user_pool" "main" {
  name = "${var.user_pool_name}_${var.stage}"
  username_attributes = [ "email" ]
  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "name"
    required            = true
  }
  schema {
    attribute_data_type = "String"
    mutable             = true
    name                = "email"
    required            = true
  }

  password_policy {
    minimum_length    = "8"
    require_lowercase = true
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }
  mfa_configuration        = "OFF"
  
  lambda_config {
    custom_message    = aws_lambda_function.custom_message.arn
    post_confirmation = aws_lambda_function.post_confirmation.arn
  }
}
...
resource "aws_lambda_permission" "get_blog" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.custom_message.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = "${aws_cognito_user_pool.main.arn}/*/*"
  depends_on = [ aws_lambda_function.custom_message ]
}
...
resource "aws_lambda_function" "custom_message" {
  filename         = "${var.custom_message_path}/${var.custom_message_file_name}.zip"
  function_name    = var.custom_message_file_name
  role             = aws_iam_role.custom_message.arn
  handler          = "${var.custom_message_file_name}.handler"
  source_code_hash = filebase64sha256("${var.custom_message_path}/${var.custom_message_file_name}.zip")
  runtime          = "nodejs12.x"
  timeout          = 10
  layers           = [ var.node_layer_arn ]
  environment {
    variables = {
      TABLE_NAME = var.table_name
      RESOURCENAME = "blogAuthCustomMessage"
      REGION = "us-west-2"
    }
  }
  tags = {
    Name = var.developer
  }
  depends_on = [
    data.archive_file.custom_message, 
  ]
}

【Comments】:

  • Try source_arn = aws_cognito_user_pool.main.arn
  • @jellycsc Works great. Thanks!
  • Np, glad it worked. If you found it useful, please consider accepting my answer below.

Tags: amazon-web-services aws-lambda terraform amazon-cognito


【Answer 1】:

Based on the OP's feedback in the comments section, changing the source_arn attribute in aws_lambda_permission.get_blog to aws_cognito_user_pool.main.arn works.

【Discussion】:
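The corrected permission block, written out as an added example rather than code from the question or the answer. It reuses the resource names from the question (aws_lambda_function.custom_message, aws_lambda_function.post_confirmation, aws_cognito_user_pool.main); the data source aws_caller_identity.current and the second permission resource for the post_confirmation trigger are assumptions added here. The reason the original pattern fails: aws_lambda_permission turns source_arn into an ArnLike condition on aws:SourceArn in the function's resource policy, and Cognito invokes a trigger with the bare user pool ARN (arn:aws:cognito-idp:REGION:ACCOUNT:userpool/POOL_ID), which has no further path segments, so "${arn}/*/*" never matches and the invoke is denied.

```hcl
# Added example, not part of the original question or answer.
# Assumes the resources named in the question; aws_caller_identity.current
# is an assumption introduced here to pin the grant to this account.
data "aws_caller_identity" "current" {}

# Cognito sets aws:SourceArn to the exact user pool ARN, so the source_arn
# must be that ARN, not the "${arn}/*/*" pattern used for API Gateway
# execution ARNs. That pattern demands two extra "/" segments the Cognito
# ARN does not have, so the ArnLike condition fails with AccessDeniedException.
resource "aws_lambda_permission" "custom_message" {
  statement_id   = "AllowExecutionFromCognito"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.custom_message.function_name
  principal      = "cognito-idp.amazonaws.com"
  source_arn     = aws_cognito_user_pool.main.arn
  # Also scoping to the account keeps a pool in another account from
  # invoking this function through the same service principal.
  source_account = data.aws_caller_identity.current.account_id
}

# Every trigger listed in lambda_config needs its own grant; the question's
# post_confirmation function has none shown, so one is assumed here.
resource "aws_lambda_permission" "post_confirmation" {
  statement_id   = "AllowExecutionFromCognito"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.post_confirmation.function_name
  principal      = "cognito-idp.amazonaws.com"
  source_arn     = aws_cognito_user_pool.main.arn
  source_account = data.aws_caller_identity.current.account_id
}
```

After `terraform apply`, `aws lambda get-policy --function-name <name>` shows the generated resource policy; the `Condition` block should contain `"ArnLike": {"AWS:SourceArn": "arn:aws:cognito-idp:...:userpool/..."}` with no trailing wildcard segments. The same mismatch between the pattern you grant and the SourceArn a service actually sends is the usual cause of a "works in the console, AccessDeniedException from the trigger" symptom, so checking the policy rather than re-reading the Terraform is the faster diagnosis.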
