We have an AWS OpenSearch cluster with cognito userPool/identityPool integrated with it. So when we go to access the dashboard, it takes us to cognito login page, where we login and gain access to the dashboard. This part of the set up is fine.

Now, we want our lambda function to interact with openSearch, for reading and writing into various indices. We are thinking of using "client_credentials" authentication flow (provided by cognito) to authenticate our requests from the lambda function.

The challenge is, for users to login, the OAuthFlow should be "code" and for lambda functions to authenticate, the OAuthFlow should be "client_credentials" (Machine-to-Machine authentication). But apparently, these two flows cannot be selected for a single appClient, as is evident in the error shown below:

So, first of all, is this the right practice? I mean trying to use cognito to authenticate our lambda function against openSearch. If yes, then what should the set up look like?

Please advise.