Cognito Events Transform to Wrong Permission

[chrisoverzero]

Description

When creating a Function which responds to Cognito events, like this:

Events:
  UserPoolPreAuthentication:
    Type: Cognito
    Properties:
      UserPool: !Ref TheUserPool
      Trigger: PreAuthentication

...the transformation includes this permission:

"TheFunctionCognitoPermission": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:invokeFunction",
    "FunctionName": {
      "Ref": "TheFunction"
    },
    "EventSourceToken": {
      "Ref": "TheUserPool"
    },
    "Principal": "cognito-idp.amazonaws.com"
  }
}

...which I believe is incorrect and causing invocations to fail, blocking (pre-)authentication. The EventSourceToken appears only to be used for Alexa something-something. Permissions for invocation by Cognito should be using SourceArn. (With Fn:GetAtt of the Arn of TheUserPool, natch.)

Steps to Reproduce

1. Create a SAM template which responds to Cognito events.
2. Attempt to log in to a Cognito User Pool protected resource.
3. Note that the error response includes an description of "PreAuthentication invocation failed due to error AccessDeniedException".

Observed Result

The Function is never invoked. Its CloudWatch log stream is never even created.

Expected Result

The, uh, the Function is invoked? I'm not sure what to put here. I'd expect the AWS::Lambda::Permission resource to be well-formed and correct for the service which is expected to be performing the invocation, I guess?

[arsene-riaworx]

Still got this issue! What was the solution? I am having it on the CreateChallenge Invocation

[chrisoverzero]

Hi, @arsene-riaworx. I fixed this issue over two years ago and it went out with version 1.20.0. Either you have some far out of date dependency, or your problem is something else.

[arsene-riaworx]

The project is 2 months old. All packages are up to date..., this started happening a 2 days ago. Was working fine until then, been braking my head over it since then.

[arsene-riaworx]

Some more details: We have two almost identical userpools (the only difference is that one has two more custom attributes than the other). One userpool for customers and another for partners. Both use a passwordless custom auth by sending OTPs via SMS. In cloudformation, both pools refer to the same lambda resources (Same logical names). They call the exact same lambdas, have the exact same permissions etc. This has been working fine for a while and we never had issues before, despite making frequent deploys. Recently however, we found that at point during a deploy, cloudformation removed the invokeLambda permissions from the partner userpool. Only the customer has this permission... We have no clue why this is... Any pointers are welcome.

[hawflau]

Hey @arsene-riaworx, since this issue has been closed for quite a while. Would you mind to create a new issue to describe your problems? Also, please provide some examples that can help us reproduce the problems you're seeing. We will then start investigation and discuss through the new ticket. Thanks!