I'm working on a Serverless Framework project. When I invoke the function locally (`serverless invoke local`) using the credentials in my ~/.aws/credentials, which belong to an IAM user with an Administrator policy, the code executes correctly without any errors. When I run the Lambda with its execution role instead, it gives the following error:
UnrecognizedClientException: The security token included in the request is invalid.
If I hardcode the credentials of my admin user and run it in Lambda, it works fine. So there is clearly some issue with how the IAM role that the Lambda assumes is being used when making the Cognito ListUsers call. I have given that IAM role an administrator policy as well, and it still gives the same exception. What is different about a role versus a user here, and why can't the role call Cognito ListUsers?
Is a trust relationship needed? Is there anything additional that a role would need compared to a user that has the same access policy? This is driving me crazy.
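// Look up the Cognito users whose email starts with `email` and resolve
// with [{ id: <sub>, email: <email> }, ...]. `AWS` (aws-sdk v2) and `email`
// are expected to be in scope from the enclosing function; the user-pool id
// is read from process.env.userPoolId.
//
// `email` is presumably caller-supplied (TODO confirm at the call site). It
// is spliced verbatim into a Cognito Filter expression, so a value carrying
// the characters that delimit the quoted filter value (`"` or `\`) is
// rejected up front instead of being sent as a malformed or broadened
// filter. NOTE(review): confirm the escaping rules of the Cognito Filter
// grammar before loosening this check.
if (typeof email !== 'string' || /["\\]/.test(email)) {
  return Promise.reject(new Error('invalid email for Cognito ListUsers filter'));
}
var params = {
  UserPoolId: process.env.userPoolId,
  AttributesToGet: ['email', 'sub'],
  Filter: 'email ^= "' + email + '"'
};
return new Promise((resolve, reject) => {
  // Only the region is set explicitly. The credentials are deliberately NOT
  // overridden here. Inside Lambda the execution role supplies *temporary*
  // credentials through three variables: AWS_ACCESS_KEY_ID,
  // AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. Copying only the key id and
  // secret key into AWS.config drops the session token, and the request is
  // then signed with an incomplete credential set, which AWS rejects with
  // "UnrecognizedClientException: The security token included in the request
  // is invalid". A long-lived IAM user key has no session token, which is
  // why the admin-user credentials worked and the role did not. The SDK's
  // default provider chain already reads all three variables (and
  // ~/.aws/credentials when invoking locally), so the override is
  // unnecessary. If an explicit override is ever required, pass
  // sessionToken: process.env.AWS_SESSION_TOKEN together with the other two.
  AWS.config.update({ region: process.env.AWS_REGION });
  var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
  cognitoidentityserviceprovider.listUsers(params, (err, data) => {
    if (err) {
      console.error(err);
      reject(err);
      return;
    }
    // Reduce each Cognito user to { id, email }; any other attribute is
    // ignored (AttributesToGet already restricts what comes back). A missing
    // Users/Attributes array is treated as empty rather than throwing.
    var users = (data.Users || []).map((cognitoUser) => {
      var user = {};
      for (const attribute of cognitoUser.Attributes || []) {
        if (attribute.Name === 'sub') {
          user.id = attribute.Value;
        } else if (attribute.Name === 'email') {
          user.email = attribute.Value;
        }
      }
      return user;
    });
    resolve(users);
  });
});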