I'm new to AWS and I'm looking for a way to allow the users of my Android app to change their emails without going through the verification process (I managed to do it for the subscription).
I tried to follow this and this, and here is what I did.
In my Android app:
public void onClickChangeEmail(View view)
{
CognitoUserAttributes attributes = new CognitoUserAttributes();
attributes.getAttributes().put("email", "second#mail.com");
CognitoSettings
.getCognitoUserPool(MainActivity.this)
.getCurrentUser()
.updateAttributesInBackground(attributes, new UpdateAttributesHandler()
{
#Override
public void onSuccess(List<CognitoUserCodeDeliveryDetails> attributesVerificationList)
{
Log.i("tag", "Email updated!");
}
#Override
public void onFailure(Exception e)
{
e.printStackTrace();
}
});
}
Then, in my AWS console, I added a trigger in Cognito on Custom message, and here is my lambda function, which is triggered everytime a user updates his email:
const AWS = require('aws-sdk')
AWS.config.update({region: 'eu-central-1'});
exports.handler = (event, context, callback) => {
if (event.triggerSource === 'CustomMessage_UpdateUserAttribute')
{
const params = {
UserAttributes: [
{
Name: 'email_verified',
Value: 'true',
},
],
UserPoolId: event.userPoolId,
Username: event.userName,
};
var cognitoIdServiceProvider = new AWS.CognitoIdentityServiceProvider();
cognitoIdServiceProvider.adminUpdateUserAttributes(params, function(err, data) {
if (err) context.done(err, event); // an error occurred
else context.done(null, event); // successful response
});
}
else
{
context.done(null, event);
}
};
The result is: the email is properly updated (but it works whithout the lambda), but the lambda crashes, with the following error:
autoValidationUserEmailModification is not authorized to perform: cognito-idp:AdminUpdateUserAttributes
So it looks like an authorization is missing.
My questions are:
How can I fix the authorization part?
Is that method the right way to disable email verification on updating user email?
Thanks for your help.
Allow your function perform AdminUpdateUserAttributes on you Cognito Pool resource.
Update Lambda execution rules with block like:
{
"Action": [
"cognito-idp:AdminUpdateUserAttributes"
],
"Resource": "arn:aws:cognito-idp:eu-central-1:<your-user-id>:userpool/<your-user-pool>",
"Effect": "Allow"
}
where Resource is your Cognito User Pool ARN.
Related
I managed to create an AWS Lambda that does two things: writes on a dynamo DB and sends an SMS to a mobile number. Then I call this Lambda through a API Gateway POST call, and it works great from the Test section on AWS console but it gives error both on Postman and my own website. I inserted a callback to handle CORS on Lambda and deployed + enabled CORS on my API via console and deployed it but still get errors:
Errors via postman call: {
"message": "Internal server error"
}
Errors via my website (jquery ajax POST call): Lambda calling failed: {"readyState":4,"responseText":"{"message": "Internal server error"}","responseJSON":{"message":"Internal server error"},"status":500,"statusText":"error"}
This is my lambda code
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB();
const SNS = new AWS.SNS();
const tableName = "#####";
let params = {
PhoneNumber: 'mynumber####',
Message: 'Someone wrote!'
};
exports.handler = (event, context, callback) => {
dynamodb.putItem({
"TableName": tableName,
"Item" : {
"Id": {
N: event.Id
},
"Type": {
S: event.Type
}
}
}, function(err, data) {
if (err) {
console.log('Error putting item into dynamodb failed: '+err);
}
else {
console.log('Success in writing, now starting to send SMS');
return new Promise((resolve, reject) => {
SNS.publish(params, function(err, data) {
if(err) {
console.log("Error in sending sms alarm");
reject(err);
}
else {
console.log("SMS alarm sent!");
resolve(data);
}
})
})
}
});
callback(null, {
statusCode: 200,
headers: {
"Access-Control-Allow-Headers" : "Content-Type",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "OPTIONS,POST,GET"
},
body: JSON.stringify('Hello from Lambda!'),
});
};
What am I doing wrong? I don't think permissions on lambda are the problem here, since testing it on console works both on writing on dynamo both sending the sms to my cellphone.
If I click from here on API Endpoint I get the same error {"message": "Internal server error"}
SOLUTION: instead of making an AWS HTTP API, make a AWS REST API, that is much more complex and offers more personalization for CORS, letting you set them and headers.
I'm trying to publish a message from a lambda function to my AWS IoT Thing, by using the aws-sdk which should use HTTP by default instead of MQTT to publish a message.
Then the Function gets invoked no error message is logged to cloudwatch unfortunately which makes it even harder to debug.
Steps I took:
created a Policy for the message
created a small React frontend to read messages and test it with IoT test client.
wrote lambda and passed the Thing url as env var like this: "https://xxxxxdi.eu-central-1.amazonaws.com"
The Lambda function has also a attached Policy which should grant it to write to AWS IoT.
{
"arn": null,
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "iot:Publish",
"Resource": "arn:aws:iot:eu-central-1:*:*:topic/PairCreated",
"Effect": "Allow"
}
]
},
"id": null,
"name": "PublishMessage",
"type": "inline"
}
Here is the code of the lambda function. The credentials for the object of type IotData are looking ok
import wrap from '#dazn/lambda-powertools-pattern-basic'
import Log from '#dazn/lambda-powertools-logger'
import { IotData } from 'aws-sdk'
export const handler = wrap(async (event: any = {}, context: any) => {
Log.info('event', event)
const iotData = new IotData({endpoint: process.env.IOT_ENDPOINT, region: 'eu-central-1', logger: new Log})
const params: IotData.PublishRequest = {
topic: process.env.IOT_THING_NAME || '',
payload: JSON.stringify(event),
qos: 0,
retain: false
}
Log.debug('params', { params })
iotData.publish(params, (err, res) => {
if (err) {
Log.error("Error publishing to IOT", { err })
return context.fail(err)
};
Log.info('res', res)
return context.succeed();
});
})
The version I'm using: "aws-sdk": "^2.1053.0"
What am I missing?
I found out why the message was not sent.
The callback inside of iotData.publish was not executed correctly because the lambda function was terminated before it could be executed. Here are my changes to the code.
await iotData.publish(params, (err, res) => {
if (err) {
Log.error("Error publishing to IOT", { err })
return context.fail(err)
};
return context.succeed(res);
}).promise()
This returns a Promise we can await so the callback gets executed
I have a static form-based HTML contact page, where the user needs to drop their Name, email address, subject and message and ultimately my script will reroute all the required value via AWS API --> Lambda --> my Gmail.
So, for that, I have a verified my GMAIL account in SES. And my AWS Lambda function is as below, (here, I used the same confirmed email address for to and send to deliver the email.)
'use strict';
console.log('Loading function');
const AWS = require('aws-sdk');
const sesClient = new AWS.SES();
const sesConfirmedAddress = "XXXX#gmail.com";
/**
* Lambda to process HTTP POST for a contact form with the following body
* {
"email": <contact-email>,
"subject": <contact-subject>,
"message": <contact-message>
}
*
*/
exports.handler = (event, context, callback) => {
console.log('Received event:', JSON.stringify(event, null, 2));
var emailObj = JSON.parse(event.body);
var params = getEmailMessage(emailObj);
var sendEmailPromise = sesClient.sendEmail(params).promise();
var response = {
statusCode: 200
};
sendEmailPromise.then(function(result) {
console.log(result);
callback(null, response);
}).catch(function(err) {
console.log(err);
response.statusCode = 500;
callback(null, response);
});
};
function getEmailMessage (emailObj) {
var emailRequestParams = {
Destination: {
ToAddresses: [ sesConfirmedAddress ]
},
Message: {
Body: {
Text: {
Data: emailObj.message
}
},
Subject: {
Data: emailObj.subject
}
},
Source: sesConfirmedAddress,
ReplyToAddresses: [ emailObj.email ]
};
return emailRequestParams;
}
Now in IAM, I have created a policy and attached to this lambda function. Then I have created API to use this function to serve my purpose.
Now when I click the TEST button in API, it gives me return code 200. which is great. But the problem is I don't see any email in my verified Gmail account.
I'm using, this as my test message,
{
"email": XXXX#example.com,
"subject": Test,
"message": This is a Test message
}
I tried also using postman and postman says everything is fine with 200 as return code. But still no email to my Gmail account. I checked in cloud watch logs everything is Green. So no idea why my verified Gmail is not receiving any kind of test message. Can anyome shed any lights here?
customized Role looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ses:SendEmail",
"ses:SendTemplatedEmail",
"ses:SendRawEmail"
],
"Resource": "*"
}
]
}
I would you recommend two things, first try to deploy your code using serverless framework which can help you with the dependencies like IAM roles.
Second, As an alternative and complementary steps you may use the following reference from AWS:
Open the Amazon SES console at https://console.aws.amazon.com/ses/.
In the column on the left, choose either Email Addresses or Domains.
Select a verified email address or domain, and then choose Send a
Test Email. For To:, type bounce#simulator.amazonses.com. For
Subject and Body, type some sample text. Choose Send Test Email.
Repeat steps 3 and 4 to create another test message, but this time,
for To:, type complaint#simulator.amazonses.com.
Open the Amazon SQS
console at https://console.aws.amazon.com/sqs/. The Messages
Available column should indicate that 2 messages are available.
can you print the complete response to see if you get message id in the response ? if so, there seems to be no problem with the permission.
1. You can enable SNS notification for Bounce/Delivery/complaint for the verified identity in SES console and see if you receive any notification after making sendmail api call.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notifications-via-sns.html
Additionally, also check recipient spam box.
I am having a hard time using Firebase as an Open ID Connect provider.
Can you please further describe the steps you have been through before and after to make this work?
For information, here is what I have done so far:
In AWS Console:
1 - Create an IAM Identity Provider ( OpenID Connect ) and used securetoken.google.com/<FIREBASE_PROJECT_ID> as an URL, <FIREBASE_PROJECT_ID>for Audience
2 - Checked the Thumbprint manually (it matches the one generated by AWS)
3 - Created a role with the permissions to access the desired services
4 - Created an Identity Pool in Cognito and selected my newly created role in the 'Authenticated role' Dropdown
5 - Selected my Identity Provider under the Authentication Providers > OpenID category (format is therefore): securetoken.google.com/<FIREBASE_PROJECT_ID>
In my code (I am using Vue.js) here are the logical steps I went through:
Import / setup AWS SDK
Invoke Firebase Auth service
Create a new CognitoIdentity
Use the getOpenIdTokenForDeveloperIdentity and push the tokenID received from Firebase
The issue is that I keep getting "Missing credentials in config" errors.
The code:
import axios from 'axios';
const AWS = require('aws-sdk');
AWS.config.region = 'eu-west-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'MY_COGNITO_POOL_ID',
});
export default {
name: 'My Vue.js component name',
data() {
return {
email: '',
password: '',
msg: '',
};
},
methods: {
submit() {
axios
.post(
'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=MY_KEY',
{
email: this.email,
password: password,
returnSecureToken: true,
},
)
.then((res) => {
// stores tokens locally
localStorage.setItem('jwt', JSON.stringify(res.data));
const cognitoidentity = new AWS.CognitoIdentity();
const params = {
IdentityPoolId: 'MY_COGNITO_POOL_ID',
Logins: {
'securetoken.google.com/<PROJECT_ID>': res.data.idToken,
},
IdentityId: null,
TokenDuration: 3600,
};
cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, (err, data) => {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
});
},
},
};
Here are the resources I have used so far while attempting to make this work:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
Using Firebase OpenID Connect provider as AWS IAM Identity Provider
https://github.com/aws/amazon-cognito-identity-js/blob/master/examples/babel-webpack/src/main.jsx
http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication/
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-2-developer-authenticated-identities/
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-4-enhanced-flow/
The final code if that can be any help for anyone:
import axios from 'axios';
const AWS = require('aws-sdk');
const aws4 = require('aws4');
export default {
name: 'VUE_CPNT_NAME',
data() {
return {
email: '',
password: '',
msg: '',
idToken: '',
};
},
methods: {
submit() {
// Firebase SignIn API
// Doc: https://firebase.google.com/docs/reference/rest/auth/
axios
.post(
'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[MY_KEY]',
{
email: this.email,
password: this.password,
returnSecureToken: true,
},
)
.then((res) => {
this.idToken = res.data.idToken;
localStorage.setItem('jwt', JSON.stringify(res.data));
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'IDENTITY_POOL_ID',
Logins: {
'securetoken.google.com/<FIREBASE_PROJECT_ID>': res.data.idToken,
},
}, {
region: 'eu-west-1',
});
// AWS.config.crendentials.get() methods works as well
// or a call to cognitoidentity.getId() followed by a call to getCredentialsForIdentity()
// will achieve the same thing. Cool. But why!?
AWS.config.getCredentials((err) => {
if (err) {
console.log(err);
}
const request = {
host: 'API_GATEWAY_ENDPOINT.eu-west-1.amazonaws.com',
method: 'GET',
url: 'https://API_GATEWAY_ENDPOINT.eu-west-1.amazonaws.com/PATH',
path: '/API_ENDPOINT_PATH',
};
// Signing the requests to API Gateway when the Authorization is set AWS_IAM.
// Not required when Cognito User Pools are used
const signedRequest = aws4.sign(request,
{
secretAccessKey: AWS.config.credentials.secretAccessKey,
accessKeyId: AWS.config.credentials.accessKeyId,
sessionToken: AWS.config.credentials.sessionToken,
});
// removing the Host header to avoid errors in Chrome
delete signedRequest.headers.Host;
axios(signedRequest);
});
});
},
},
};
Try setting the login map i.e the firebase token in the CognitoIdentityCredentials object. See this doc.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'MY_COGNITO_POOL_ID',
Logins: {
'securetoken.google.com/':
}
});
Try calling get method on the credentials object before initializing the Cognito client. You can also use getCredentials instead.
If the above steps do not work & they should, pass the credentials as an option while initializing the Cognito client. See this doc for options available while using the CognitoIdentity constructor.
const cognitoidentity = new AWS.CognitoIdentity({credentials: AWS.config.credentials});
If you still receive the error, try logging credentials object in the console after calling the get() method. Ideally, it should have temporary credentials (accessKey, secretKey & sessionToken)
I want to call an AWS API Gateway Endpoint that is protected with AWS_IAM using the generated JavaScript API SDK.
I have a Cognito UserPool and a Cognito Identity Pool. Both properly synced via ClientId.
I use this code to Sign in and get the Cognito Identity
AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});
AWSCognito.config.region = 'us-east-1';
AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});
var poolData = {
UserPoolId: 'us-east-1_XXXXXXXX',
ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXX'
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);
var authenticationData = {
Username: 'user',
Password: '12345678',
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
var userData = {
Username: 'user',
Pool: userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function (result) {
console.log('access token + ' + result.getAccessToken().getJwtToken());
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXX',
IdentityId: AWS.config.credentials.identityId,
Logins: {
'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXX': result.idToken.jwtToken
}
});
AWS.config.credentials.get(function (err) {
// now I'm using authenticated credentials
if(err)
{
console.log('error in autheticatig AWS'+err);
}
else
{
console.log(AWS.config.credentials.identityId);
}
});
},
onFailure: function (err) {
alert(err);
}
});
All this succeeds and I have an authorized Cognito Identity now.
Now I try to call the API Gateway Endpoint to execute the Lambda Function it points to.
var apigClient = apigClientFactory.newClient({
accessKey: AWS.config.credentials.accessKeyId, //'ACCESS_KEY',
secretKey: AWS.config.credentials.secretAccessKey, //'SECRET_KEY',
sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});
var params = {
// This is where any modeled request parameters should be added.
// The key is the parameter name, as it is defined in the API in API Gateway.
};
var body = {
// This is where you define the body of the request,
query: '{person {firstName lastName}}'
};
var additionalParams = {
// If there are any unmodeled query parameters or headers that must be
// sent with the request, add them here.
headers: {},
queryParams: {}
};
apigClient.graphqlPost(params, body, additionalParams)
.then(function (result) {
// Add success callback code here.
console.log(result);
}).catch(function (result) {
// Add error callback code here.
console.log(result);
});
But unfortunately this fails. The OPTIONS request succeeds with 200 but the POST then fails with 403.
I am pretty sure that there is no CORS problem here.
I am pretty sure the problem has to do with IAM Roles and AWS Resource Configurations.
My question is basically, can you please provide me with all the necessary AWS Resource Configurations and IAM Roles that are necessary for this to work please?
Resources I have are
API Gateway - with deployed API Endpoints
Lambda Function - called by the Endpoint
Cognito User Pool - with App synced to the Identity Pool
Cognito Identity Pool - with Authorized and Unauthorized Role mapped to it.
IAM Roles - for the Lambda Function and the Authorized and Unauthorized Role of the Cognito Identity Pool.
But I don't know how these Resources need to be configured properly to get this to work.
Thank you
What access permissions does the role of the Cognito Identity have? Make sure it has access to perform execute-api:Invoke on your API.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
"arn:aws:execute-api:us-east-1:<account>:<rest-api>/*/POST/graphql"
]
}
]
}
You can get the exact resource ARN from the method settings page in the web console.
Even after following everything I was getting the same error. And the reason was I missed the "sessionToken" while initialising the apigClient.
var apigClient = apigClientFactory.newClient({
accessKey: AWS.config.credentials.accessKeyId, //'ACCESS_KEY',
secretKey: AWS.config.credentials.secretAccessKey, //'SECRET_KEY',
sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1 });
//OPTIONAL: If you are using temporary credentials you must include the session token -- is not really optional