Amazon Web Services Lambda - User is not authorized to perform: cognito-idp:ListUsers
Tags: amazon-web-services, aws-lambda, amazon-iam

While testing in Lambda, when I tried to fetch all the users in a user pool, I got the following error:

    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg",
My Lambda code:

    var AWS = require('aws-sdk');

    exports.handler = () => {
      var params = {
        UserPoolId: 'us-west-2_abcdefg',
      };
      return new Promise((resolve, reject) => {
        // Passing accessKeyId/secretAccessKey here signs the call with that
        // IAM user's static keys instead of the Lambda execution role, so the
        // user (not the role) is the principal named in the AccessDeniedException.
        AWS.config.update({ region: 'us-west-2', accessKeyId: 'accesskey', secretAccessKey: 'secretkey' });
        var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
        cognitoidentityserviceprovider.listUsers(params, (err, data) => {
          if (err) {
            console.log(err);
            reject(err);
          } else {
            console.log("data", data);
            resolve(data);
          }
        });
      });
    };
I tried adding an inline policy in IAM, but I still get the same error:
Lambda IAM role
I know I should update the policy JSON, but can someone give detailed steps for updating the JSON policy?

Your error

    cognito-idp:ListUsers

is about access to the user pool, not Cognito identity. So your policy should be:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "cognito-idp:ListUsers",
          "Resource": "*"
        }
      ]
    }
Solution that worked for me: Step 1: I created a new policy from the IAM console with the JSON below

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "cognito-identity:MergeDeveloperIdentities",
            "cognito-identity:DescribeIdentityPool",
            "cognito-identity:ListIdentityPools",
            "cognito-identity:CreateIdentityPool",
            "cognito-identity:ListIdentities",
            "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
            "cognito-identity:GetOpenIdToken",
            "cognito-identity:GetIdentityPoolRoles",
            "cognito-identity:GetPrincipalTagAttributeMap",
            "cognito-identity:GetId",
            "cognito-identity:LookupDeveloperIdentity",
            "cognito-identity:UnlinkDeveloperIdentity",
            "cognito-identity:ListTagsForResource",
            "cognito-identity:UpdateIdentityPool",
            "cognito-identity:UnlinkIdentity",
            "cognito-identity:DescribeIdentity",
            "cognito-identity:GetCredentialsForIdentity"
          ],
          "Resource": "*"
        }
      ]
    }
Step 2: Add the policy to ecsInstanceRole. This is just a permissions issue. Follow these steps: I. Create a policy (for the permission)

Problem solved. For anyone else hitting the same error, note that you should add the policy to the user, not the role, because the problem is caused by the user's permissions and not by the Lambda function's role.
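As an added example that is not part of the question or any of the answers above, the script below reads the AccessDeniedException message from the question and makes both points in code: the principal named in the message is the IAM user whose static keys the handler passed to AWS.config.update, so the permission has to be attached to that user rather than to the Lambda execution role, and the denied action is in the cognito-idp namespace, so a policy granting only cognito-identity actions (like the one in the second answer) does not cover it. It also drafts a policy scoped to the denied user pool ARN instead of "*". The message and ARNs are copied from the question; the helper names, the sample policies and the simplified matcher (Allow statements and "*" wildcards only) are assumptions of this example.

```javascript
// Added example, not code from the question or either answer: read the IAM
// denial message, work out which principal actually made the call and which
// action/resource was denied, then draft a least-privilege policy for it.
// SAMPLE_DENIAL is copied from the question; WRONG_NAMESPACE_POLICY uses two
// of the cognito-identity actions from the second answer; the helper names
// and the simplified matcher are assumptions of this example.

const SAMPLE_DENIAL =
  "User: arn:aws:iam::123456789:user/xxxxx is not authorized to perform: " +
  "cognito-idp:ListUsers on resource: " +
  "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcdefg";

const WRONG_NAMESPACE_POLICY = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["cognito-identity:ListIdentityPools", "cognito-identity:ListIdentities"],
    Resource: "*",
  }],
};

// Split the standard "User: X is not authorized to perform: Y on resource: Z"
// message into its parts. Returns null if the message has another shape.
function parseAccessDenied(message) {
  const m = /^User: (\S+) is not authorized to perform: ([\w-]+:[\w*]+) on resource: (\S+)/.exec(message);
  if (!m) return null;
  const [, principal, action, resource] = m;
  // The ARN's resource part is "user/name", "role/name" or "assumed-role/name/session".
  const principalType = principal.split(":")[5].split("/")[0];
  return { principal, principalType, action, resource };
}

// The entity that must receive the permission. An IAM user here means the
// SDK was given that user's static keys, so the Lambda execution role never
// entered the picture; an assumed-role means the execution role was used.
function whereToAttach(denial) {
  const parts = denial.principal.split("/");
  if (denial.principalType === "user") return "IAM user " + parts[parts.length - 1];
  if (denial.principalType === "assumed-role") return "IAM role " + parts[1];
  return "IAM " + denial.principalType + " " + parts[parts.length - 1];
}

// Allow exactly the denied action on exactly the denied resource, instead of
// "cognito-idp:ListUsers" on "*".
function buildPolicy(denial) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowDeniedAction",
      Effect: "Allow",
      Action: denial.action,
      Resource: denial.resource,
    }],
  };
}

// Turn an IAM glob ("cognito-idp:*", "arn:aws:cognito-idp:*:123456789:userpool/*")
// into a regular expression. Actions match case-insensitively, resources do not.
function globToRegExp(glob, flags) {
  const escaped = glob.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", flags);
}

// Does any Allow statement cover the denied action on the denied resource?
// Handles "*" wildcards only: no Deny, NotAction, conditions or permission
// boundaries, which is enough to catch the cognito-identity / cognito-idp mix-up.
function policyCovers(policy, denial) {
  const asList = v => (Array.isArray(v) ? v : [v]);
  return policy.Statement.some(st =>
    st.Effect === "Allow" &&
    asList(st.Action).some(a => globToRegExp(a, "i").test(denial.action)) &&
    asList(st.Resource).some(r => globToRegExp(r, "").test(denial.resource)));
}

// Stand-alone run over the message from the question.
const sampleDenial = parseAccessDenied(SAMPLE_DENIAL);
console.log("attach to:", whereToAttach(sampleDenial));
console.log("second answer's policy covers it:", policyCovers(WRONG_NAMESPACE_POLICY, sampleDenial));
console.log(JSON.stringify(buildPolicy(sampleDenial), null, 2));
```

Running it prints "attach to: IAM user xxxxx", reports that the cognito-identity policy does not cover the denial, and emits a policy whose Resource is the user pool ARN from the error rather than "*". The cleaner fix for the original handler is to drop the hard-coded keys from AWS.config.update entirely and grant cognito-idp:ListUsers on that pool ARN to the Lambda execution role; the same parser will then report an assumed-role principal if the role is still missing the permission.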