Serverless framework Cognito Userpool Pre Token Generator - amazon-web-services

I have a PreTokenGenerator function which adds an additional claim to the id token.
In my serverless.yml I have the following definition.
functions:
  issueAuthToken:
    handler: src/handlers/cognitoPreToken.handler
    events:
      - cognitoUserPool:
          pool: ${self:provider.stage}-user-pool
          trigger: PreTokenGeneration
This runs and deploys; however, it does not wire up the user pool trigger in the user pool (see below).
How can I get this trigger to be set up? The documentation seems to be pretty lacking when it comes to Cognito triggers.

Pre Token Generation is currently not available in the UserPool LambdaConfig and hence not supported by CloudFormation (which the Serverless Framework uses). At the moment it can only be configured via the console or the AWS CLI.

According to the Serverless documentation, you should set the attribute existing: true; this is very critical if you don't want to create a new Cognito User Pool (using-existing-pools).
Also, according to this AWS Forum thread, this feature is now covered by AWS CloudFormation.
This is a recent feature implemented by Serverless, so make sure you have the latest version installed.
Here is my Serverless configuration code:
preTokenGenerator:
  name: ${self:service}-${self:provider.stage}-preTokenGenerator
  description: Lambda service to list blog articles
  role: LambdaRole
  handler: functions/general/blog.list
  events:
    - cognitoUserPool:
        pool: my-pool-name
        trigger: PreTokenGeneration
        existing: true
I literally duplicated an existing function and changed its trigger.
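A PreTokenGeneration handler of the kind the question describes, added here as an example that is not part of the original post or the Serverless project: it copies one user-pool attribute into a custom id-token claim. The attribute name custom:tenantId and claim name custom:tenant are assumptions for illustration.

```python
# Added example (not from the original post): a PreTokenGeneration handler
# copying one user-pool attribute into a custom id-token claim.
# The attribute and claim names below are assumptions for illustration.

CLAIM_NAME = "custom:tenant"          # claim added to the token (assumed name)
SOURCE_ATTRIBUTE = "custom:tenantId"  # user-pool attribute it is copied from


def handler(event, context=None):
    """Cognito PreTokenGeneration trigger.

    Cognito supplies the user's attributes under request.userAttributes and
    reads additions from response.claimsOverrideDetails. The full event must
    be returned; returning anything else makes Cognito fail the sign-in.
    """
    attrs = event.get("request", {}).get("userAttributes") or {}
    response = event.setdefault("response", {})
    # Cognito sends claimsOverrideDetails as null, so replace it with a dict.
    details = response.get("claimsOverrideDetails") or {}
    response["claimsOverrideDetails"] = details

    value = attrs.get(SOURCE_ATTRIBUTE)
    if value:
        details.setdefault("claimsToAddOrOverride", {})[CLAIM_NAME] = value
    # If the attribute is absent, no claim is added: consumers of the token
    # must treat a missing claim as "no tenant", never substitute a default.
    return event


def sample_event(tenant_id="acme"):
    """Constructed sample event following the PreTokenGeneration shape."""
    attrs = {"sub": "0000-demo", "email": "alice@example.com"}
    if tenant_id is not None:
        attrs[SOURCE_ATTRIBUTE] = tenant_id
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_Authentication",
        "userPoolId": "eu-west-1_EXAMPLE",
        "userName": "alice",
        "request": {"userAttributes": attrs},
        "response": {"claimsOverrideDetails": None},
    }


if __name__ == "__main__":
    out = handler(sample_event())
    print(out["response"]["claimsOverrideDetails"])
```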

Related

AWS Cognito Custom Message not triggered when sign up with external idp (Google, Facebook etc..)

guys! I have the following case. I'm building an auth flow with the amplify lib and added the ability to sign up users with Google as an Identity Provider. For the backend, I use the Serverless Framework to add triggers when the user signs up. Please see examples of the triggers below:
customMessage:
  handler: functions/auth/handler.handle
  events:
    - cognitoUserPool:
        pool: userpool-dev
        trigger: CustomMessage
        existing: true
postConfirmation:
  handler: functions/auth/handler.handle
  events:
    - cognitoUserPool:
        pool: userpool-dev
        trigger: PostConfirmation
        existing: true
The issue I have is that when I sign up from Google my CustomMessage trigger is not invoked. When I do not use sign-up from Google, it is triggered and sends the custom message. Do you maybe know why signing up with an external provider does not trigger the lambda function?

How can I specify apigateway's role to give permission to invoke a lambda?

I am using AWS API Gateway to trigger a lambda function. I deployed them with the Serverless Framework; the configuration looks like:
handler:
  handler: src/index.handler
  name: handler
  tracing: true
  role: updateRole
  events:
    - http:
        path: /contact/{id}
        method: patch
        integration: lambda
        request:
          parameters:
            paths:
              id: true
After deploying, it works perfectly. But what I don't understand is how I can find out where the IAM role/policy is defined for this API integration.
When I open the AWS console, it shows me the right configuration in the "Integration Request" tab:
But I can't find anywhere that specifies the IAM role for this integration. How can I find it or update it?
Permissions to execute a function from API Gateway are set using resource-based policies for Lambda, not an IAM role. In the Lambda console they are listed as:

Add existing user pool to a lambda trigger in SAM

The documentation (https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-function-cognito.html) says to reference a User Pool created in the same template. I can't believe that there's no way to reference an existing user pool - is this right?
Is there any way to reference it in SAM as a lambda trigger if the user pool already exists?
Any time I try to reference an existing user pool it throws an error.
Oh Dear,
I'm facing the same problem and...
It seems to be impossible according to this: https://github.com/aws/serverless-application-model/blob/develop/versions/2016-10-31.md#cognito
NOTE: To specify a Cognito UserPool as an event source for a Lambda function, both resources have to be declared in the same template. AWS SAM does not support specifying an existing UserPool as an event source.
There is the same issue with S3 buckets: https://github.com/aws/serverless-application-model/issues/124#
Although I am using Serverless instead of SAM, I managed to solve a similar issue by adding the 'existing' parameter like this:
functions:
  postConfirmation:
    handler: app/main/lambda_handler.handler
    events:
      - cognitoUserPool:
          pool: MyUserPoolName
          existing: true
          trigger: PostConfirmation

AWS - {lambda function} may not have authorization defined

I have encountered this issue when trying to sam deploy my lambda function. I have found a link to the same issue here:
When using guided deploy and accepting the default options I receive a Security Constraints Not Satisfied! error. · Issue #1990 · awslabs/aws-sam-cli
However, even after reading through it and the docs, I do not understand how to fix it. Can somebody explain this to me?
This normally happens to everyone who started with the AWS SAM Hello World template and deployed it without any changes, or followed the AWS SAM tutorial. (That doesn't mean that you shouldn't start from that template or use the AWS SAM tutorial, but you should add some more configuration to get rid of this message.)
Here, AWS SAM is informing you that your application configures API Gateway APIs without authorization. When you deploy the application as is, AWS SAM creates a publicly available URL/API.
To get rid of this message you need to define some access control mechanism for your API.
You can use AWS SAM to control who can access your API Gateway APIs by enabling authorization within your AWS SAM template.
For example:
MyApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
    Auth:
      DefaultAuthorizer: MyLambdaTokenAuthorizer
      Authorizers:
        MyLambdaTokenAuthorizer:
          FunctionArn: !GetAtt MyAuthFunction.Arn
MyAuthFunction:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: ./src
    Handler: authorizer.handler
    Runtime: nodejs12.x
The above snippet is an example of an authorization mechanism called a Lambda Authorizer. There are other mechanisms too, like IAM permissions, API keys, etc.
You can find more information about these authorization options at the following link:
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-controlling-access-to-apis.html
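What the authorizer.handler referenced by MyLambdaTokenAuthorizer has to return, added here as an example that is not part of the original answer (written in Python rather than the nodejs12.x runtime of the snippet). The "Bearer <token>" header format and the shared secret read from an assumed AUTH_TOKEN environment variable are illustrative assumptions; a production authorizer would verify a signed token such as a Cognito id token instead.

```python
import hmac
import os

# Added example (not from the original answer): a TOKEN-type Lambda authorizer.
# The shared secret and the "Bearer <token>" header format are assumptions for
# illustration; a real authorizer would verify a signed token instead.
EXPECTED_TOKEN = os.environ.get("AUTH_TOKEN", "constructed-demo-token")


def build_policy(principal_id, effect, method_arn):
    """Return the response document API Gateway expects from an authorizer.

    methodArn looks like arn:aws:execute-api:<region>:<account>:<api>/<stage>/<verb>/<path>.
    The policy is scoped to the whole stage so the cached decision also covers
    the other methods of this API instead of only the first one called.
    """
    api_arn, stage = method_arn.split("/")[:2]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": f"{api_arn}/{stage}/*/*",
            }],
        },
    }


def handler(event, context=None):
    method_arn = event["methodArn"]
    scheme, _, value = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        # Missing or malformed credentials: this exact message makes
        # API Gateway answer 401 Unauthorized.
        raise Exception("Unauthorized")
    if hmac.compare_digest(value, EXPECTED_TOKEN):
        return build_policy("demo-user", "Allow", method_arn)
    # Well-formed but wrong credentials: an explicit Deny yields 403 and is
    # cached for the token just like an Allow would be.
    return build_policy("anonymous", "Deny", method_arn)
```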

Serverless framework AWS cross-account custom authorizer

How do I set up a cross-account custom authorizer with the Serverless Framework? A custom authorizer configured with the sls framework works fine if it is in the same AWS account as the function that needs authorization.
What I have now is an organization root account where the authorizer function has been deployed. On the second account, which is an organization member, I have a serverless service deployed with the endpoints that need to be authorized from the root account.
Is it possible to configure something like this inside the serverless.yml that will be deployed on the member account (111111111111 is the root account number)?
hello:
  handler: api/hello.handler
  events:
    - http:
        path: hello
        method: get
        cors: true
        authorizer: arn:aws:lambda:eu-west-1:111111111111:function:authorizer
I have tried this and received the following error:
An error occurred: AuthorizerApiGatewayAuthorizer - The policy of
Lambda function must explicitly authorize the method or custom
authorizer with a SourceArn condition for cross account integration
(Service: AmazonApiGateway; Status Code: 400; Error Code:
BadRequestException;
... which makes sense according to the AWS docs. These docs explain how to do it manually using the API Gateway console, which is exactly what I did for now (authorizer in the root, authorizer in the member account, manually connected through API Gateway, same as described in the docs).
I need a better solution as the number of services and organization member accounts is going to grow.
Is it possible to configure this and make it work with the Serverless Framework?
As with a lot of the Serverless Framework, there's a plugin for those times when CloudFormation hasn't yet offered an option:
https://github.com/rschick/serverless-plugin-lambda-account-access
The custom authorizer's serverless.yml should then include:
plugins:
  - serverless-plugin-lambda-account-access
provider:
  allowAccess:
    - 111111111111 # account id of invoking account
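The error quoted above asks for a resource-based policy on the authorizer function that authorizes the calling API explicitly with a SourceArn condition. The following is an added example, not code from the plugin or the answer: it builds such a statement for the authorizer in root account 111111111111 and includes a check that flags statements granting apigateway.amazonaws.com invoke access without any SourceArn or SourceAccount condition. The member account id 222222222222 and the API id are constructed placeholders.

```python
import json

# Added example (not from the plugin or the original answer): the Lambda
# resource-policy statement that satisfies the "SourceArn condition" the error
# message asks for, plus a check that flags statements granting API Gateway
# invoke access without such a condition. Member account id and API id are
# constructed; 111111111111 is the root account from the question.


def authorizer_statement(function_arn, member_account, region, api_id, sid="member-apigw"):
    """Allow API Gateway in the member account to invoke the authorizer.

    The SourceArn condition pins the grant to authorizers of that one API, so
    the apigateway.amazonaws.com service principal acting for any other API
    (in this or any other account) cannot invoke the function.
    """
    source = f"arn:aws:execute-api:{region}:{member_account}:{api_id}/authorizers/*"
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": source}},
    }


def unscoped_apigw_grants(policy):
    """Sids of Allow statements that let apigateway.amazonaws.com invoke the
    function without an AWS:SourceArn or AWS:SourceAccount condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        keys = json.dumps(stmt.get("Condition", {})).lower()
        if "aws:sourcearn" not in keys and "aws:sourceaccount" not in keys:
            findings.append(stmt.get("Sid", "<no sid>"))
    return findings


if __name__ == "__main__":
    stmt = authorizer_statement(
        "arn:aws:lambda:eu-west-1:111111111111:function:authorizer",
        "222222222222", "eu-west-1", "a1b2c3d4e5")  # member account and API id: constructed
    print(json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=2))
```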