Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Cognito Construct: Add grant* methods

See original GitHub issue

As per, the UserPool construct should have grant* methods on it to give other resources (eg. lambda functions) access to various API/SDK methods.

Use Case

I want to be able to easily give my lambda functions access to call AWS API/SDK methods against my UserPool.

Proposed Solution




Based on:


  "Version": "2012-10-17",
  "Statement": [
      "Sid": "Stmt1585721272022",
      "Action": [
      "Effect": "Allow",
      "Resource": "arn:aws:cognito-idp:${userPool.stack.region}:${userPool.stack.account}:userpool/${userPool.userPoolId}"


import { UserPool } from '@aws-cdk/aws-cognito'
import { Effect, PolicyStatement } from '@aws-cdk/aws-iam'

// ..snip..

     * Lookup authentication UserPool
    const userPool = UserPool.fromUserPoolId(this, 'UserPool', userPoolId)

// ..snip..

      new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
          // etc
        resources: [


  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:31
  • Comments:8 (3 by maintainers)

github_iconTop GitHub Comments

AndrewG-wfcommented, May 25, 2022

Thanks for the workaround @0xdevalias, this was an incredibly frustrating issue to try and work through. After 2 years could this maybe get actioned?

ShivamJokercommented, Apr 8, 2022

Why this feature has not been added yet 😕 Even after paying people to write code seems like lot of work.

Now I will have to create a new IAM policy and pass it to lambda so that it can access my user pool.

It really sad @aws that these important features are not getting added even after years

Read more comments on GitHub >

github_iconTop Results From Across the Web

aws-cdk/aws-cognito module - AWS Documentation
Use the grant() method to add an IAM policy statement associated with the user pool to an IAM principal's policy. const userPool =...
Read more >
Amazon Cognito User Pools New Console Walkthrough
Amazon Cognito User Pools is a fully managed user directory service that allows you to add sign-in, sign-up and user management to web...
Read more >
Fine-grained Access Control with Amazon Cognito Identity Pools
An overview of how to implement fine-grained access control with Amazon Cognito Identity Pools and a demonstration of using attributes from ...
Read more >
CognitoIdentityProvider — Boto3 Docs 1.26.36 documentation
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the ......
Read more >
Part 1 : Securing AWS API Gateway using AWS Cognito ...
Select “ANY” and then “Actions > Delete Method” · Select “/OAuthAPITest” and then “Actions > Create Method”. Select “GET” and click the tick...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found