I am trying to create a Cognito user pool from a Lambda function using Go.
The IAM role, IAM policy and trust relationship policy are created successfully.
But when I try to create the Cognito pool, I get the error
InvalidSmsRoleTrustRelationshipException: Role does not have a trust relationship allowing Cognito to assume the role.
The trust relationship policy is
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The CreateUserPool API call is as follows:
newUserPoolData := &cognitoidentityprovider.CreateUserPoolInput{
    PoolName:               aws.String(poolName),
    Policies:               &userPoolPolicyType,
    AutoVerifiedAttributes: autoVerifiedAttributes,
    UsernameAttributes:     userNameAttributes,
    SmsConfiguration:       &smsConfingType,
}
Am I missing something here?
Answer 0: (score: 0)
The service role policy should have the service-role path. For example, the ARN format should be arn:aws:iam::{ACCOUNT_ID}:role/service-role/{role_name}
The trust relationship should be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{External ID}"
        }
      }
    }
  ]
}
and the role's inline policy should be
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:publish"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
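Added example, not code from the question or the answer: a small Go pre-flight check that parses a role's trust policy document and reports whether it lets cognito-idp.amazonaws.com assume the role, and whether that statement is also pinned to the sts:ExternalId that the pool's SmsConfiguration will present. Run against the trust document before calling CreateUserPool, it separates the trust policy posted in the question (Cognito trusted, no condition) from the one in the answer (trusted and pinned). The function names, the placeholder external ID and the sample policy are constructed here; only the single-string Principal/Action form shown on this page is handled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal model of one IAM trust statement. It covers the single-string form used in the
// answer; list-valued Principal or Action fields fail to unmarshal and surface as an error.
type trustStatement struct {
	Effect    string                       `json:"Effect"`
	Principal struct{ Service string }     `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition"`
}

// TrustsCognitoSMS returns trusted if an Allow statement lets cognito-idp.amazonaws.com
// call sts:AssumeRole, and pinned if that statement also requires sts:ExternalId to equal
// externalID, the value set as ExternalId in the pool's SmsConfiguration. With an empty
// externalID nothing can be pinned, so an unconditioned statement reports pinned=false.
func TrustsCognitoSMS(policyJSON, externalID string) (trusted, pinned bool, err error) {
	var p struct{ Statement []trustStatement }
	if err = json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, false, err
	}
	for _, s := range p.Statement {
		if s.Effect != "Allow" || s.Principal.Service != "cognito-idp.amazonaws.com" || s.Action != "sts:AssumeRole" {
			continue
		}
		trusted = true
		if externalID != "" && s.Condition["StringEquals"]["sts:ExternalId"] == externalID {
			pinned = true
		}
	}
	return trusted, pinned, nil
}

func main() {
	// Constructed sample: the trust relationship from the answer with a placeholder external ID.
	policy := `{"Version":"2012-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":{"Service":"cognito-idp.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"EXAMPLE-EXTERNAL-ID"}}}]}`
	fmt.Println(TrustsCognitoSMS(policy, "EXAMPLE-EXTERNAL-ID")) // true true <nil>
}
```

A result of trusted=true, pinned=false for a non-empty external ID means the role can be assumed by Cognito but the trust policy does not constrain the caller to the ID configured on the pool, which is the gap the answer's Condition block closes.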