I am trying to call Cognito adminCreateUser via aws CognitoI Serverless Stack #help

I am trying to call Cognito adminCreateUser via aw...

Fadi saadeldin

09/08/2021, 4:54 AM

I am trying to call Cognito adminCreateUser via aws.CognitoIdentityServiceProvider, but i got error

UnrecognizedClientException: The security token included in the request is not valid

, i can do that in terminal bit not in lambda.

Frank

09/08/2021, 5:27 AM

Hey @Fadi saadeldin, are you getting this on ur local, ie.

npm run start

Fadi saadeldin

09/08/2021, 5:28 AM

yes

Frank

09/08/2021, 5:32 AM

I see. The Lambda doesn’t use ur local credentials. They are using the real IAM credentials assigned by AWS Lambda.

Frank

09/08/2021, 5:32 AM

What permissions does ur Lambda have?

Frank

09/08/2021, 5:33 AM

(btw, if u ever wanted to read up on why local credentials are not used, it’s talked about here https://docs.serverless-stack.com/live-lambda-development)

Fadi saadeldin

09/08/2021, 5:10 PM

Copy code

const api = new sst.ApolloApi (this, 'Api', {
  
    });

    api.attachPermissions([
      "cognito-identity:*",
      "cognito-idp:*",
      "cognito-sync:*",
      "iam:ListRoles",
      "iam:ListOpenIdConnectProviders",
      "iam:GetRole",
      "iam:ListSAMLProviders",
      "iam:GetSAMLProvider",
      "kinesis:ListStreams",
      "lambda:GetPolicy",
      "lambda:ListFunctions",
      "sns:GetSMSSandboxAccountStatus",
      "sns:ListPlatformApplications",
      "ses:ListIdentities",
      "ses:GetIdentityVerificationAttributes",
      "mobiletargeting:GetApps",
      "acm:ListCertificates"
    ])

Fadi saadeldin

09/08/2021, 5:10 PM

I added the above permissions to my ApolloApi

Frank

09/08/2021, 6:09 PM

Hmm.. that looks right to me. Do you mind also share two things: • a screenshot of the error in your terminal; • a snippet of how you are calling the

adminCreateUser

in ur Lambda code.

Fadi saadeldin

09/08/2021, 8:43 PM

Copy code

const cognitoIdentityService = new aws.CognitoIdentityServiceProvider ({ apiVersion: '2016-04-19' });
    const userData = {
      UserPoolId: app.aws.cognito.userPoolId,
      Username: email,
      DesiredDeliveryMediums: ['EMAIL'],
      UserAttributes: [
        { Name: 'email', Value: email },
        { Name: 'email_verified', Value: 'true' },
      ],
    };
    const data = await cognitoIdentityService.adminCreateUser (userData).promise ();
    await cognitoIdentityService.adminAddUserToGroup ({
      UserPoolId: app.aws.cognito.userPoolId,
      Username: email,
      GroupName: group,
    }).promise ();

Abdul Taleb

09/09/2021, 3:01 AM

I'm facing the same issue, any help would be appreciated

Frank

09/11/2021, 9:02 AM

@Fadi saadeldin sorry for the delay. Looking at the screenshot you share, are you returning the

{ data: { invitedUser: null }, error: ..}

? (cc @Jay do you recognize these errors? Are they coming from Cognito?)

Fadi saadeldin

09/11/2021, 1:27 PM

No, i got this error from catch error

catch (error) {throw new ApolloError (error);}

Frank

09/12/2021, 7:52 PM

@Fadi saadeldin @Abdul Taleb I was able to get this to work. Here’s a sample repo I created https://github.com/fwang/sst-triage-admin-create-user

Frank

09/12/2021, 7:53 PM

The repo creates an

Api

and an

Auth

, and when curling the Api’s endpoint, the Lambda function calls

adminCreateUser

, and returns the created user.

Frank

09/12/2021, 7:54 PM

It uses

Api

instead of

ApolloApi

, but the idea is the same.

Frank

09/12/2021, 7:54 PM

Give it a try and let me know if it works for you.

Abdul Taleb

09/12/2021, 8:15 PM

I'll give it a try, thanks!

Fadi saadeldin

09/13/2021, 6:05 AM

I’ll give it a try as well, thanks!

Abdul Taleb

09/14/2021, 2:44 AM

It's still not working

Abdul Taleb

09/14/2021, 2:46 AM

the only difference is the following: • I'm using ApolloApi • I'm using

new cognito.UserPool

construct and then I pass it to the

Auth

construct

Abdul Taleb

09/14/2021, 2:47 AM

Copy code

const auth = new sst.Auth(this, 'Auth', {
  cognito: { userPoolId: myUserPool.userPoolId, clientId: .... }
});

Frank

09/14/2021, 2:53 AM

Hey @Abdul Taleb Did the

sst-triage-admin-create-user

repo work for you (without changing anything)?

Abdul Taleb

09/14/2021, 2:54 AM

yes when we created a simple

const auth = new Auth(this, 'auth', { cognito: true }):

it worked

Frank

09/14/2021, 2:57 AM

I see, that’s good. So from there, can you create a

new cognito.UserPool

and pass that into the

Auth

construct (while keeping the Api, don’t make the ApolloApi change yet).

Frank

09/14/2021, 2:57 AM

Can you see if that works for you?

Abdul Taleb

09/14/2021, 3:09 AM

nope doesn't work

Abdul Taleb

09/14/2021, 3:10 AM

Copy code

const tempAuth = new sst.Auth(this, 'temp-auth', {
      cognito: {
        userPool: new cognito.UserPool(this, 'test-user-pool'),
      }
    })

Frank

09/14/2021, 3:35 AM

I see. Let me give it a try in a bit.

Abdul Taleb

09/14/2021, 3:59 AM

Okay I think it may have to do with the ApolloApi construct

Abdul Taleb

09/14/2021, 4:00 AM

I used the same userpool in the Api code you shared and also in my ApolloApi and it worked in the API lambda but not the ApolloApi one

Abdul Taleb

09/14/2021, 7:17 AM

So I upgraded the aws-sdk from v2 to v3 and it worked. strange error.

Frank

09/14/2021, 6:55 PM

Oh I see. That’s a weird one 🤔

Open in Slack

Previous Next