I want to change a user's status using code.
I have tried many code samples, but nothing has worked for me. Can anyone provide a full working example of this? Sometimes I get this error: CognitoIdentityCredentials is not authorized to perform: cognito-idp:AdminDisableUser on resource
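// Configure the SDK before constructing any service client. In the AWS SDK
// for JavaScript v2 (which this callback style matches) a client copies the
// global configuration when it is created, so an AWS.config.update() issued
// afterwards does not reach a client that already exists.
AWS.config.update({
  region: 'us-west-2',
  // NOTE(review): identity pool credentials are the ones issued to client
  // applications. The "not authorized to perform cognito-idp:AdminDisableUser"
  // error is IAM denying the role behind these credentials. Granting Admin*
  // actions to that role would let every holder of pool credentials disable
  // users, so admin calls are better made from trusted backend code that runs
  // under its own narrowly scoped IAM role.
  credentials: new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-west-2:6afd2a7c-b3cd-472f-bead-fdbde8a84a26',
  }),
});

// Created after the configuration above so it picks up region and credentials.
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

var params = {
  UserPoolId: 'us-west-2_Klsadmic5', /* required */
  Username: 'alphagate6', /* required */
};

// Disable the user; the callback only logs the outcome.
cognitoidentityserviceprovider.adminDisableUser(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data); // successful response
});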
I want to change a user's status using code.
I have tried many code samples, but nothing has worked for me. Can anyone provide a full working example of this? Sometimes I get this error: CognitoIdentityCredentials is not authorized to perform: cognito-idp:AdminDisableUser on resource
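// Configure the SDK before constructing any service client. In the AWS SDK
// for JavaScript v2 (which this callback style matches) a client copies the
// global configuration when it is created, so an AWS.config.update() issued
// afterwards does not reach a client that already exists.
AWS.config.update({
  region: 'us-west-2',
  // NOTE(review): identity pool credentials are the ones issued to client
  // applications. The "not authorized to perform cognito-idp:AdminDisableUser"
  // error is IAM denying the role behind these credentials. Granting Admin*
  // actions to that role would let every holder of pool credentials disable
  // users, so admin calls are better made from trusted backend code that runs
  // under its own narrowly scoped IAM role.
  credentials: new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-west-2:6afd2a7c-b3cd-472f-bead-fdbde8a84a26',
  }),
});

// Created after the configuration above so it picks up region and credentials.
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();

var params = {
  UserPoolId: 'us-west-2_Klsadmic5', /* required */
  Username: 'alphagate6', /* required */
};

// Disable the user; the callback only logs the outcome.
cognitoidentityserviceprovider.adminDisableUser(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data); // successful response
});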
asked Mar 1, 2018 at 9:00
Navneet GargNavneet Garg
- I didn't need to set the IdentityPoolId in the AWS.config – Rich Steinmetz Commented Feb 4, 2020 at 14:32
3 Answers
The params and the invocation seem to be OK. The error means that the role of your Lambda function (I assume that this code snippet is from your Lambda function) does not have permission to perform adminDisableUser.
You need to find the IAM role of your lambda function and attach a policy that allows this action. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAdminDisableUser",
"Effect": "Allow",
"Action": "cognito-idp:AdminDisableUser",
"Resource": "*"
}
]
}
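You may also want to restrict "Resource" to specific user pool ARNs so that this action is not allowed on every user pool. Attach the policy only to a role used by trusted backend code such as the Lambda function; if it is attached to an identity pool role, every client that obtains those credentials can disable users.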
I built a feature to enable/disable users in one application, and here is how I implemented it:
- Gave lambda necessary permissions to perform enable/disable
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-idp:AdminEnableUser",
"cognito-idp:AdminDisableUser"
],
"Resource": [
"arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>",
"arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>"
]
}
]
}
- Initializing AWS SDK
// Identifier of the user pool the enable/disable helper works on
// (placeholder; substitute the real pool id).
const UserPoolId = "<pool-id>";

// Set the region globally before the client is built so the client picks it
// up. No credentials are configured here, so the SDK resolves them on its own;
// in Lambda that is presumably the function's execution role (TODO confirm).
AWS.config.update({ region: "us-east-1" });

// Cognito user pool client, pinned to a fixed API version.
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
  apiVersion: "2016-04-18",
});
- Created one method to handle enable/disable
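/**
 * Enable or disable a user in the configured Cognito user pool.
 *
 * Relies on the surrounding `cognitoidentityserviceprovider` client and the
 * `UserPoolId` constant.
 *
 * NOTE(review): this is an administrative operation; the caller is expected
 * to have authorised the request before invoking it.
 *
 * @param {string} action - Either "disable" or "enable".
 * @param {string} username - Username of the account to change.
 * @returns {Promise<object>} Resolves with the SDK response; rejects with the
 *   SDK error, or with an Error when `action` is not recognised.
 */
const accountActions = (action, username) => {
  // Fail closed: only the two named actions are accepted. Before this check
  // any value other than "disable" (a typo, undefined, ...) fell through to
  // the else branch and re-enabled the account.
  let operation;
  if (action === "disable") {
    operation = "adminDisableUser";
  } else if (action === "enable") {
    operation = "adminEnableUser";
  } else {
    return Promise.reject(
      new Error(`Unsupported account action: ${String(action)}`)
    );
  }

  const params = {
    UserPoolId /* required */,
    Username: username /* required */,
  };

  // Adapt the SDK's callback API to a promise.
  return new Promise((resolve, reject) => {
    cognitoidentityserviceprovider[operation](params, (err, data) => {
      if (err) {
        reject(err);
      } else {
        resolve(data);
      }
    });
  });
};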
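For anyone trying to do this via Amplify: edit the "AmplifyResourcesPolicy" (for my project, it's in the cloudformation-template.json). The snippet below is abbreviated; in a real template the intrinsic function is written "Fn::Join" and takes a delimiter followed by the list of parts.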
"AmplifyResourcesPolicy": {
"DependsOn": ["LambadExecutionRole"],
"Type": "AWS::IAM::Policy",
...
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cognito-idp:AdminDisableUser",
"cognito-idp:AdminEnableUser",
],
"Resource": [
"Fn:Join": [
"arn:aws:cognito-idp:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":userpool/",
{
"Ref": "<user-pool-id>"
}
]
]
}
]
}