Lambda is not authorized to perform: cognito-idp:AdminInitiateAuth - amazon-web-services

I am following AWS Cognito and API Gateway tutorials from part1, part 2 and part 3.
From part 1, I created the following lambdas:
signup
confirm signup
forgot pwd
resend verify code
successful registration
and each of these lambdas has a separate role automatically generated for them.
From part 2, I connected these lambdas to various API endpoints in API Gateway, with the /login route being connected to the "successful registration" lambda.
From the part 3 tutorial, I created a refresh_access_token lambda function and also the test_user. Then, in the API Gateway, I created a new resource /user/test-user and added a GET method, which I connected to the test_user lambda. (The refresh_access_token isn't connected to a route).
After that, I go to the Create a New authorizer section from part 3, and when I run the /login route, I end up getting the following error:
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2020 19:42:15 GMT
Content-Type: application/json
Content-Length: 423
Connection: close
x-amzn-RequestId: 86e522e3-1843-4c05-8d70-c6731c5f110f
x-amz-apigw-id: VFezhGcvFiAFqOQ=
X-Amzn-Trace-Id: Root=1-5f987816-65f557256f2ccd172032ff15;Sampled=0
{
"message": "An error occurred (AccessDeniedException) when calling the AdminInitiateAuth operation: User: arn:aws:sts::xxxxxxxx:assumed-role/cognito-successful-registration-role-ck5hni20/cognito-successful-registration is not authorized to perform: cognito-idp:AdminInitiateAuth on resource: arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx,
"error": true,
"success": false,
"data": null
}
The cognito-successful-registration-role-ck5hni20 just has AWSBasicExecutionRole attached to it and the trust relationship looks as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
What is the mistake I am doing here?

Locate the role cognito-successful-registration-role-ck5hni20 in AWS console. Once you do this, you can add an inline policy to in the following form:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "cognito-idp:AdminInitiateAuth",
"Resource": {
"AWS": "arn:aws:cognito-idp:eu-central-1:xxxxxxxx:userpool/eu-central-1_xxxx"
}
}
]
}
or use more general form:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "cognito-idp:AdminInitiateAuth",
"Resource": "*"
}
]
}

For people who are new to AWS like this, here is a more detailed solution:
go to your lambda function
Under configuration, click permission, and then you'll see Execution role and the corresponding role name.
click on role name
then edit the permission and add a new inline policy, as suggested by #Marcin.
finally, click create policy

I had a similar issue with AdminInitiateAuth, but mine was slightly different: Auth flow not enabled for this client.
I could not solve the issue with any kind of role, the problem was not with the function but with the Cognito client used in the login handler.
The solution was to go to the Cognito User Pool in the AWS Console, then to 'App clients' and to check the boxes for ALLOW_ADMIN_USER_PASSWORD_AUTH and ALLOW_USER_PASSWORD_AUTH

Related

AWS IAM user credential always authenticated as anonymous

I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).
My IAM User policy is like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:*",
"Resource": "*"
}
]
}
and in my api gateway I applied the resource policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<my account id>:root",
"arn:aws:iam::<my account id>:user/postman-user"
]
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
}
]
}
I applied the key id and secret key id in postman:
enter image description here
then the problem comes. no matter how I call the api endpoint using aws credential of this IAM user, I always got this error:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
I thought it was postman failed to sign this AWS sigV4, then I tried this in python:
url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'
auth = AWSRequestsAuth( aws_access_key='<my key id>',
aws_secret_access_key='<my secret key>',
aws_host='ec2.amazonaws.com',
aws_region='us-west-2',
aws_service='api')
response = requests.get(url, auth=auth)
This error is just forever for me
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
Anyone can tell me what I missed ? I clicked on deployAPI in resource to stage beta 100 times ...
tried python, tried postman, nothing works
it sounds like there is something missing on the api plane. It may be the you havent configured IAM auth right on the http method you try to use. I may also be that the resource policy is not attached to the api gateway. Note if the policy is updated and reattached you need to redeploy the api gateway.
Link:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html
This is an API Gateway config issue:
Resources -> click on the method -> Method Request -> Authorization: it used to be None, changing to to AWS IAM made this work.

AWS SNS: Edit text messaging preferences

I am trying to enable SMS message delivery logs in AWS SNS. But no matter what I do I get this error:
Couldn't set text messaging attributes. Error code: AuthorizationError
- Error message: You are not authorized to perform actions for the provided bucket
I have tried numerous IAM roles (including admin access role) and I am logged in as the root account owner.
What might I be missing? What can I try?
Thank you!
I found this specific documentation that solved it for me: https://docs.aws.amazon.com/sns/latest/dg/sms_stats_usage.html#example_bucket_policy
The key is that the bucket policy needs to list sns.amazonaws.com as the principal, and really only needs to allow these 3 actions to finish configuring SMS:
s3:GetBucketLocation
s3:ListBucket
s3:PutObject
{
"Version": "2012-10-17",
"Id": "Policy1653549854620",
"Statement": [
{
"Sid": "Stmt1653549853470",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME"
}
]
}

Access CloudSearch from API Gateway only

I would like to access CloudSearch only from API Gateway, because I don't like the idea of having public access to my CloudSearch endpoint. I tried adding an access policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::*********:user/admin"
},
"Action": [
"cloudsearch:search",
"cloudsearch:suggest"
]
}
]
}
When I try to access the CloudSearch endpoint from my browser I get User: anonymous is not authorized to perform: cloudsearch:search.
API Gateway gets "Request forbidden by administrative rules".
My API Gateway endpoint is HTTP GET and the URI is set to my cloudsearch endpoint. Am I doing things correctly? How do people set this up usually, it's my first time using both services. I'm using CloudSearch for an autocomplete input field on a website.
You also need to setup the Trust Relationship on your IAM role that API Gateway is using, otherwise it will not be able to assume the role. Check the docs here under 'Prerequisites'
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
Also make sure you enable CORS in your API or that can throw an error as well.

How to configure AWS API Gateway to access it from another AWS account

I want to give access to IAM users from other accounts to be able to invoke my API.
I have these configurations in my API Gateway resource methods:
Authorization type: AWS_IAM (I tried with Auth type None as well..)
And Resource Policy defined as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
}
]
}
I have also given invoke permissions to the IAM user of the other account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
}
]
}
I have deployed the API to a stage named test.
Still, I see the below error when I invoke the API with the credentials from the other account's user:
{
"message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}
What am I missing here?
I followed this guide:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
This has bitten me before, and may be your issue too.
After you SAVE your resource policy, you must ALSO deploy your API.
In the menu on the left, click up one level
Then under ACTIONS, select DEPLOY API

aws policy variable ${aws:username} returning error not authorized

I have followed the docs at aws http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html
and the question at Can an aws IAM policy dynamically refer to the logged in username?
to create a policy for a user to list his own credentials under web console/users so he can generate his own keys.
user/Alpha
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/${aws:username}"]
}
]
}
when I attach the the policy to user/Alpha, then open a new browser and log in as user Alpha > console > users, I get the error message
We encountered the following errors while processing your request
X User: arn:aws:iam::{myacctnumber}:user/Alpha is not authorized to perform: iam ListUsers on resource: arn:aws:iam::{myacctnumber}:user/
note the user/ is not displaying the friendly name as would be expected from ${aws:username}.
I have also tried changing the policy to
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action":["iam:*"],
"Resource":["arn:aws:iam::{myacctnumber}:user/Alpha"]
}
]
}
but the same error displays.
If I make one further change to the resource and make it a wildcard,
"Resource":["arn:aws:iam::{myacctnumber}:user/*"]
the full user list is displayed to to the user Alpha
Do I need extra permissions to allow a user to see only themselves?
thx
Art
The console, when displaying a list of users, uses the iam:ListUsers API call. This call cannot be restricted by resource.
Therefore, the console will function correctly if you provide a policies that permits the ListUsers call, eg:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListUsers"
],
"Resource": [
"*"
]
}
]
}
The only other way for the user to update their own settings would be via the AWS Command-Line Interface (CLI) or an API call, since they can avoid the need to call ListUsers.