我创建了一个 Lambda，用于在注册新的 Cognito 用户之前执行自定义检查逻辑。在为这个 Lambda 创建 IAM 策略时，我应该在这里使用哪些正确的 Action 和 Resource？
Lambda
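// Cognito trigger: only let users whose e-mail address belongs to the approved
// domain continue, and set the verification-code message for them.
//
// NOTE(review): the fields used here (request.codeParameter,
// response.emailSubject / response.emailMessage) look like the shape of the
// Custom Message trigger rather than the Pre sign-up trigger — confirm which
// trigger this function is attached to in the user pool.

// Domain whose users may sign up. Can be overridden per deployment through the
// APPROVED_EMAIL_DOMAIN environment variable; the fallback keeps the original
// hard-coded value.
const APPROVED_DOMAIN = process.env.APPROVED_EMAIL_DOMAIN || 'approveddomain.com';

/**
 * Extract the domain part of an e-mail address.
 * @param {unknown} email - value of the `email` user attribute; may be absent.
 * @returns {string|null} lower-cased text after the last '@', or null when the
 *   value is not a string or has no domain part.
 */
function emailDomain(email) {
  if (typeof email !== 'string') {
    return null;
  }
  // Use the LAST '@' so that values like 'a@b@approved.com' are judged on the
  // real domain part, not on the first '@' found.
  const at = email.lastIndexOf('@');
  if (at < 0 || at === email.length - 1) {
    return null;
  }
  // Domains are case-insensitive; compare in lower case.
  return email.slice(at + 1).trim().toLowerCase();
}

/**
 * Decide whether an e-mail address belongs to the approved domain.
 *
 * The original check was `email.includes('@' + approvedDomain)`, a substring
 * test that also accepted e.g. 'x@approveddomain.com.attacker.net'. An exact,
 * case-insensitive comparison of the domain part closes that bypass.
 *
 * @param {unknown} email - value of the `email` user attribute.
 * @param {string} [approvedDomain=APPROVED_DOMAIN] - domain to accept.
 * @returns {boolean} true only when the domain part equals approvedDomain.
 */
function isApprovedEmail(email, approvedDomain = APPROVED_DOMAIN) {
  const domain = emailDomain(email);
  return domain !== null && domain === approvedDomain.trim().toLowerCase();
}

/**
 * Lambda entry point (callback style, as in the original).
 *
 * @param {object} event - Cognito trigger event; reads
 *   `event.request.userAttributes.email` and `event.request.codeParameter`,
 *   writes `event.response.emailSubject` / `event.response.emailMessage`.
 * @param {object} context - Lambda context; `context.done(err, event)` is
 *   called exactly once. A rejected address is reported with an Error whose
 *   message is 'EMAIL_DOMAIN_ERR'; a missing e-mail attribute is rejected the
 *   same way instead of throwing a TypeError out of the handler.
 */
function handler(event, context) {
  // NOTE: this logs every user attribute (PII such as the e-mail address) to
  // CloudWatch; consider trimming it outside of debugging.
  console.log('Received event:', JSON.stringify(event, null, 2));

  // Tolerate a missing `request` / `userAttributes` block: treat it as
  // "not approved" rather than crashing.
  const attributes = (event.request && event.request.userAttributes) || {};
  if (!isApprovedEmail(attributes.email)) {
    console.log("This is not an approved email address. Throwing error.");
    context.done(new Error('EMAIL_DOMAIN_ERR'), event);
    return;
  }

  console.log("This is an approved email address. Proceeding to send verification email.");
  event.response.emailSubject = "Signup Verification Code";
  event.response.emailMessage = `Thank you for signing up. ${event.request.codeParameter} is your verification code.`;
  context.done(null, event);
}

// Lambda loads this file as CommonJS and looks up `exports.handler`. The guard
// only keeps the module loadable when it is imported as an ES module (e.g. by
// a test harness), where `exports` does not exist.
if (typeof exports !== 'undefined') {
  exports.handler = handler;
}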
到目前为止我最好的猜测:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaSignUp",
"Effect": "Allow",
"Action": [
"cognito-sync:*",
"cognito-idp:*",
],
"Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
}
]
}
弄清楚了——事实证明，这个 Lambda 的执行角色不需要任何 cognito-idp / cognito-sync 权限：函数本身并不调用 Cognito API，只是读取并修改触发事件。真正需要的是函数上的基于资源的策略，允许 Cognito 服务调用该函数；在 Cognito 控制台中把用户池触发器指向该 Lambda 时，控制台会自动添加这条调用权限。上面猜测的 cognito-idp:* / cognito-sync:* 通配策略授予的权限远超所需，不应使用（另外该策略 JSON 中 "cognito-idp:*" 后面多了一个逗号，不是合法的 JSON）。
就是这样!
关于上述 Lambda 的注释：如果要对其进行测试，请确保测试事件中包含 `request`、`request.userAttributes.email` 和 `response` 键（键名是小写开头的 `userAttributes`，与代码中的访问方式一致；`response` 缺失时给 `emailSubject` 赋值会报错）。若希望生成的消息内容真实，可再加上 `request.codeParameter`，否则消息中会出现 "undefined"：
{
"request": {
"userAttributes": {
"email": "hello@test.com"
}
},
"response": {}
}