Problem description
I created a Lambda that runs custom logic before a new Cognito user is registered. When creating an IAM policy for this Lambda, what are the correct "Action" and "Resource" values to use here?
Lambda
exports.handler = function (event, context) {
  // Configure the email domain that will be allowed to automatically verify.
  var approvedDomain = "approveddomain.com";
  // Log the event information for debugging purposes.
  console.log('Received event:', JSON.stringify(event, null, 2));
  if (event.request.userAttributes.email.includes('@' + approvedDomain)) {
    console.log("This is an approved email address. Proceeding to send verification email.");
    // Custom Message trigger: set the subject and body that Cognito will send.
    event.response.emailSubject = "Signup Verification Code";
    event.response.emailMessage = "Thank you for signing up. " + event.request.codeParameter + " is your verification code.";
    context.done(null, event);
  } else {
    console.log("This is not an approved email address. Throwing error.");
    // Returning an error to Cognito fails the sign-up.
    var error = new Error('EMAIL_DOMAIN_ERR');
    context.done(error, event);
  }
};
My best guess so far:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LambdaSignUp",
      "Effect": "Allow",
      "Action": [
        "cognito-sync:*",
        "cognito-idp:*"
      ],
      "Resource": "arn:aws:cognito-idp:REGION:ACCOUNT_ID:userpool/USER_POOL_ID"
    }
  ]
}
Solution
Figured it out. It turns out that no special IAM policy is needed, because you can point to the Lambda from the Cognito AWS console.
- Keep the default IAM policy (the basic policy will include the logging permissions).
- Go to User Pools > your pool name > Triggers. Under "Custom message", select your Lambda.
That's it!
A note about the Lambda above: if you want to test it, make sure the test event includes the `request` and `userAttributes` keys:
{
  "request": {
    "userAttributes": {
      "email": "[email protected]"
    }
  },
  "response": {}
}
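As an added example (not the asker's or answerer's code), a hardened version of the same Custom Message trigger: the substring check `includes('@' + approvedDomain)` in the question also accepts addresses whose domain merely contains the approved one, and a missing `email` attribute makes that handler throw a TypeError. The approved domain value and the sample event below are constructed for the example.

```javascript
'use strict';

// Assumed approved domain, same value as in the question.
const APPROVED_DOMAIN = 'approveddomain.com';

// True only when the address has exactly one '@' and the part after it
// equals the approved domain (case-insensitive). Unlike a substring
// check, "a@approveddomain.com.example.net" is rejected.
function isApprovedEmail(email, approvedDomain = APPROVED_DOMAIN) {
  if (typeof email !== 'string') return false;
  const at = email.lastIndexOf('@');
  if (at <= 0 || email.indexOf('@') !== at) return false;
  return email.slice(at + 1).toLowerCase() === approvedDomain.toLowerCase();
}

// Custom Message trigger handler in the async form: return the event to
// accept, throw to reject (context.done in the question is the legacy form).
async function handler(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  if (!isApprovedEmail(attrs.email)) {
    // A thrown error fails the sign-up cleanly instead of crashing with a
    // TypeError when the attribute is absent.
    throw new Error('EMAIL_DOMAIN_ERR');
  }
  event.response.emailSubject = 'Signup Verification Code';
  event.response.emailMessage = 'Thank you for signing up. ' +
    event.request.codeParameter + ' is your verification code.';
  return event;
}

// Constructed sample event in the shape the answer describes.
const sampleEvent = {
  request: { userAttributes: { email: 'alice@ApprovedDomain.com' }, codeParameter: '{####}' },
  response: {},
};

if (typeof module !== 'undefined') module.exports = { handler, isApprovedEmail, sampleEvent };
```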