Hi! I'm trying to add an IAM policy statement, but I always get this message:

AccessDeniedException: User:arn:aws:sts::xxx... is not authorized to perform: cognito-idp:ListUsers on resource....

This is my stack code:

// Create a HTTP API
    const api = new sst.Api(this, "Api", {
      defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
      routes: {
        "GET /private": "src/private.handler",
        "GET /health": {
          function: "src/health.handler",
          authorizationType: sst.ApiAuthorizationType.NONE,
        },
      },
    });

    const auth = new sst.Auth(this, "Auth", {
      cognito: {
        userPool: {
          signInAliases: { email: true, phone: true },
          signInCaseSensitive: false,
        },
      },
    });

    auth.attachPermissionsForAuthUsers([
      api,
      new iam.PolicyStatement({
        actions: ["cognito-idp:ListUsers"],
        effect: iam.Effect.ALLOW,
        resources: ["arn:aws:cognito-idp:xxx"],
      }),
    ]);

I don't now if I'm attaching the permission in the correct place or I'm missing something else

Are you tring to list out cognito users in ur Lambda?

ok thank you let me try that

Can you DM me the full

AccessDeniedException

error?

yes give me a minute @Frank

I think I might have had this issue let me look it up

I redeploy everything and worked ok @Frank @thdxr thank you!. Another thing that happened is that when I removed the stack the userpool is not eliminated.

The default behavior of userpools is not to delete when the stack is deleted (in case there's some data in there you don't want to lose). You can delete it manually or set the retention policy to delete (but be careful only do this in development stacks)

ok great

We also support setting a default removal policy: https://docs.serverless-stack.com/constructs/App#setting-a-default-removal-policy Again only use this in development stacks

perfect! thanks