
lambda is not authorized to perform: cognito-idp:ListUsers


What is the current behavior? I want to create a Lambda function for the PreSignUp trigger that checks whether there are other users already signed up using the same email.

Here is my function:

'use strict';

const AWS = require('aws-sdk');
const cognitoIdp = new AWS.CognitoIdentityServiceProvider({apiVersion: '2016-04-18'});

exports.handler = function(event, context) {
  console.log(JSON.stringify(event));

  // check if email is already in use
  if (event.request.userAttributes.hasOwnProperty('email')) {
    const email = event.request.userAttributes.email;

    // note: the attribute value is user-supplied and is interpolated into
    // the quoted filter expression; a quote or backslash would malform it
    const params = {
      UserPoolId: event.userPoolId,
      Filter: 'email = "' + email + '"',
    };

    cognitoIdp.listUsers(params).promise()
    .then(results => {
      console.log(JSON.stringify(results));
      // if the usernames are the same, don't raise an error here so that
      // cognito will raise the duplicate username error
      if (results.Users.length > 0 && results.Users[0].Username !== event.userName) {
        console.log('Duplicate email address in signup. ' + email);
        // return here so the success call below is not also reached
        return context.done(new Error('A user with the same email address exists'));
      }
      context.done(null, event);
    })
    .catch(error => {
      console.error(error);
      context.done(error);
    });
  } else {
    // no email attribute to check: complete the invocation so it does not
    // hang until the Lambda timeout, and let the signup continue
    context.done(null, event);
  }
};

I have been getting this error:

lambda is not authorized to perform: cognito-idp:ListUsers

Do you have any suggestions on how to configure the Lambda IAM role? My current Lambda role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

5 reactions
mrcoles commented, Dec 26, 2018

Thanks for the response. I was able to get it working in my AWS Amplify project. For anyone else who’s trying to figure it out…

List Users Permission

In an AWS Amplify project they auto-create a bunch of stuff for you, and when you create a lambda function with amplify add function it ends up in a directory like this:

./amplify/backend/function/<function_name>/

And there’s a Cloudformation file in that directory at <function_name>-cloudformation-template.json. Under Resources.lambdaexecutionpolicy.Properties.PolicyDocument.Statement, I was able to add this additional statement:

{
  "Effect": "Allow",
  "Action": ["cognito-idp:ListUsers"],
  "Resource": {
    "Fn::Sub": [
      "arn:aws:cognito-idp:${region}:${account}:*",
      {
        "region": {
          "Ref": "AWS::Region"
        },
        "account": {
          "Ref": "AWS::AccountId"
        },
        "lambda": {
          "Ref": "LambdaFunction"
        }
      }
    ]
  }
}

Error message in Hosted UI

Using the hosted UI and returning an error with the newer callback syntax, exports.handler = function(event, context, callback) { … }, if I do callback(Error('a user with the same email address exists')), then I get the error message:

PreSignUp failed with error a user with the same email address exists.


However, with Social Signin, instead of showing me the error in the UI, it redirects me back to my app to a URL like this:

https://localhost:1234/auth/signin?error_description=PreSignUp+failed+with+error+a+user+with+the+same+email+address+exists.+&error=invalid_request

and I have to handle that in my UI I suppose.

This isn’t ideal, but it’s something workable. Also, I’m flabbergasted that there’s no option to have Cognito pools make emails case-insensitive.

0 reactions
github-actions[bot] commented, Mar 30, 2022

This issue has been automatically locked since there hasn’t been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.
