I am creating a Cognito user pool with Cloudformation and setting LambdaConfig -> PreAuthentication to a Lambda function also created with Cloudformation. The problem is that the Lambda function seems to not be invoked. When authenticating, the user is logged in without the intervention of the PreAuthentication logic and the Cloudwatch logs for the lambda function are empty. If I test the function in the Lambda dashboard, it functions correctly. I'm not getting any errors.
Additionally, I am modeling this Cloudformation setup on an existing setup that does work. And the resources that result from the Cloudformation stack seem to have the same configuration as the working version.
The relevant parts of the cloudformation template look like this:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      LambdaConfig:
        PreAuthentication: !GetAtt UserAuthorizerFunction.Arn
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
The Lambda function is defined like this:

  UserAuthorizerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: Authorize_Users
      Description: Authorizes users
      Handler: index.handler
      Role: !GetAtt AuthorizerFunctionRole.Arn
      Code:
        ZipFile: |
          const AWS = require('aws-sdk')
          // stuff
      Runtime: nodejs12.x
The lambda function is created with a resource-based policy that looks correct:
  {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
      {
        "Sid": "AuthorizerFunctionPermission-WSIGC4MBBT0C",
        "Effect": "Allow",
        "Principal": {
          "Service": "cognito-idp.amazonaws.com"
        },
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:<redacted>:function:Authorize_Users",
        "Condition": {
          "ArnLike": {
            "AWS:SourceArn": "arn:aws:cognito-idp:us-east-1:<redacted>:userpool/us-east-1_<redacted>"
          }
        }
      }
    ]
  }
Why isn't my PreAuthentication hook being executed? Is there a DependsOn requirement that I'm not thinking of?
Authorize_Users but your function has name ${StackName}_Authorize_Users? Also how did you create these permissions? There is no CFN code shown for them. – Marcin

AWS::Lambda::Permission resource rather than a policy. Strange that it's JSON and the other bits are YAML, are they in separate templates? If so, does the userpool not have access to the lambda at the time it's created? That could be the issue... seems to ring a bell. – 404
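As an added example (not the asker's template or either commenter's code), this is the invoke grant expressed as an AWS::Lambda::Permission resource in the same template as the pool and the function, so CloudFormation orders it after both and SourceArn ties it to this one pool. UserPool and UserAuthorizerFunction are the logical IDs from the question; the permission's logical ID is assumed.

```yaml
  # Lets the Cognito service principal invoke the PreAuthentication trigger.
  # SourceArn narrows the grant to this user pool only (least privilege): a
  # pool in another account, or another pool in this account, cannot invoke
  # the function through this statement.
  UserAuthorizerInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt UserAuthorizerFunction.Arn
      Action: lambda:InvokeFunction
      Principal: cognito-idp.amazonaws.com
      # !GetAtt on the pool makes this resource depend on UserPool, and the
      # FunctionName reference makes it depend on the function; neither of
      # those depends back on the permission, so there is no cycle.
      SourceArn: !GetAtt UserPool.Arn
```

After deployment, `aws lambda get-policy --function-name Authorize_Users` should list this statement, and `aws cognito-idp describe-user-pool --user-pool-id <pool id> --query UserPool.LambdaConfig` should show the function ARN under PreAuthentication; if the second is empty, the trigger was never attached to the pool that the app client actually authenticates against.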