I am trying to access a Lambda function using iOS Swift, and here is my AWS role setup:

  1. RoleName: ALLOW_LAMBDA_EXECUTE
    • With Policy access to AWS Lambda full access, AWS Lambda execute, AmazonCognitoDeveloperAuthenticatedIdentities
    • Trust Relationship: Allow services: lambda.amazonaws.com and condition has Cognito identity with "unauthenticated"
  2. Cognito Identity Pool: Has the role ALLOW_LAMBDA_EXECUTE under unauthenticated role
  3. Unauthenticated Identities: Has Enable access to unauthenticated identities checked
  4. In Lambda, for function GetProcess(), has ExecutionRole: ALLOW_LAMBDA_EXECUTION

With all of this in place, when I execute it from my iPhone app (in the simulator), I get this error:

"x-amzn-errortype" = **AccessDeniedException**;

-[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body:
**{"Message":"The role defined for the function cannot be assumed by Lambda."}**

Am I missing anything here?

Alexis N-o
Vasu Seshadri
    Set your Trust Relationship to Lambda. In the IAM console -> Go to your IAM role -> click on Trust Relationship tab -> and change the trust to `lambda.amazonaws.com` – krishna_mee2004 Jan 29 '18 at 20:55
  • I do have the setting in the role --> Trust Relationship tab as below "Principal": { "Service": "lambda.amazonaws.com", "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-2:e565545e-44ca-4557-baa5-56eb6e9f68ac" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" – Vasu Seshadri Jan 29 '18 at 21:26

2 Answers

Seems like you configured your Cognito role to be assumed by Lambda.

You have to set the following Trust Relationship for the role ALLOW_LAMBDA_EXECUTION, not ALLOW_LAMBDA_EXECUTE:

{
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "lambda.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
Alexis N-o

After a lot of deliberation, going through multiple docs and doing some R&D, things started working.

Yes, the Trust Relationship should have Lambda execute and the Action sts:AssumeRoleWithWebIdentity, and it should have the condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "identity-pool"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}

Now, this will not work well with the Lambda role because it cannot assume the role, which I think makes sense as it has little power to do so.

Hence I have created 2 different roles:

  1. Role 1: with the above trust relationship, assigned to Cognito federated identity access.
  2. Role 2: without changes in the trust relationship, assigned as the Lambda role.

Now both my iOS access with the Cognito identity and my AWS API microservices work...

Indeed took a while to crack this.

Vasu Seshadri
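As an added example (not code from the question or either answer), the check below encodes the distinction the two answers arrive at: a role Lambda can assume needs a Service principal with plain sts:AssumeRole and no Cognito conditions, while the identity pool's unauthenticated role needs the Federated principal, sts:AssumeRoleWithWebIdentity and the aud/amr conditions. The identity pool id in the constructed sample is a placeholder.

```python
LAMBDA_SVC = "lambda.amazonaws.com"
COGNITO = "cognito-identity.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def trust_policy_problems(policy, consumer):
    """Problems (empty list if fine) with a trust policy meant to be assumed by
    `consumer`: "lambda" (execution role) or "cognito-unauth" (unauthenticated role)."""
    problems = []
    if policy.get("Version") not in ("2012-10-17", "2008-10-17"):
        problems.append("Version must be 2012-10-17 (or legacy 2008-10-17)")
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        problems.append("no Allow statement")
    for stmt in allows:
        principal, cond = stmt.get("Principal", {}), stmt.get("Condition", {})
        actions = _as_list(stmt.get("Action", []))
        if consumer == "lambda":
            # Lambda calls plain sts:AssumeRole as a Service principal; a Cognito-style
            # Condition block never matches that call (the error seen in the question).
            if LAMBDA_SVC not in _as_list(principal.get("Service", [])):
                problems.append("lambda.amazonaws.com is not a Service principal")
            if "sts:AssumeRole" not in actions:
                problems.append("Lambda needs sts:AssumeRole, found " + ", ".join(actions))
            if cond:
                problems.append("Condition block blocks Lambda's AssumeRole call")
        else:
            # Cognito calls sts:AssumeRoleWithWebIdentity as a Federated principal;
            # aud pins the identity pool, amr pins the (un)authenticated identity type.
            if COGNITO not in _as_list(principal.get("Federated", [])):
                problems.append("cognito-identity.amazonaws.com is not a Federated principal")
            if "sts:AssumeRoleWithWebIdentity" not in actions:
                problems.append("Cognito needs sts:AssumeRoleWithWebIdentity")
            if not cond.get("StringEquals", {}).get(COGNITO + ":aud"):
                problems.append("missing aud condition pinning the identity pool id")
            if cond.get("ForAnyValue:StringLike", {}).get(COGNITO + ":amr") != "unauthenticated":
                problems.append("missing amr condition for unauthenticated identities")
    return problems

# Constructed samples: the mixed policy from the question (placeholder pool id) and
# a dedicated Lambda execution-role trust policy as in the first answer.
MIXED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": LAMBDA_SVC, "Federated": COGNITO},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {COGNITO + ":aud": "REGION:IDENTITY-POOL-ID-PLACEHOLDER"},
                  "ForAnyValue:StringLike": {COGNITO + ":amr": "unauthenticated"}}}]}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": LAMBDA_SVC}, "Action": "sts:AssumeRole"}]}
```

Running `trust_policy_problems(MIXED, "lambda")` reports both the wrong action and the Condition block, which is why the single combined role works for the identity pool but not as the function's execution role.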