
I am writing a Lambda function in Go to authenticate a user; I want to use the returned AccessToken/IdToken for subsequent API calls.

When I execute the Go code from a standalone program, it works; the InitiateAuth call is successful.

When I try to use the same code from the Lambda function, I get the error NotAuthorizedException: Unable to verify secret hash for client .......

Here is the code snippet I am using:

import (
    "fmt"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/cognitoidentityprovider"
)

// cognitoClient is created once per container and reused across invocations.
// The default session picks up the region from the Lambda environment (AWS_REGION).
var cognitoClient = cognitoidentityprovider.New(session.Must(session.NewSession()))

// AuthenticateUser runs the USER_PASSWORD_AUTH flow against the app client.
// constants.COGNITO_APP_CLIENT_ID comes from the project's own constants package.
func AuthenticateUser(userName string, passWord string) (*cognitoidentityprovider.InitiateAuthOutput, error) {

    username := aws.String(userName)
    password := aws.String(passWord)
    clientID := aws.String(constants.COGNITO_APP_CLIENT_ID)

    params := &cognitoidentityprovider.InitiateAuthInput{
        AuthFlow: aws.String("USER_PASSWORD_AUTH"),
        AuthParameters: map[string]*string{
            "USERNAME": username,
            "PASSWORD": password,
        },
        ClientId: clientID,
    }

    authResponse, authError := cognitoClient.InitiateAuth(params)
    if authError != nil {
        fmt.Println("Error = ", authError)
        return nil, authError
    }

    // Note: this writes the full response, including any tokens, to the Lambda log.
    fmt.Println(authResponse)

    // Session is only populated when Cognito returns a challenge (for example
    // NEW_PASSWORD_REQUIRED). On a completed login it is nil, so dereferencing
    // it unconditionally would panic.
    if authResponse.Session != nil {
        fmt.Println(*authResponse.Session)
    }

    return authResponse, nil
}

I have given sufficient permissions to the Lambda user:

- cognito-idp:AdminCreateUser
- cognito-idp:AdminDeleteUser
- cognito-idp:InitiateAuth
- cognito-idp:ChangePassword
- cognito-idp:AdminRespondToAuthChallenge
- cognito-idp:AdminInitiateAuth
- cognito-idp:ConfirmForgotPassword

Am I missing something here?

Dattatray
  • To verify this is indeed an IAM permission problem, TEMPORARILY give full admin access permission to your Lambda function and try again. If it works, an IAM policy is indeed missing. Reading the error message will mostly provide you with the name of the API call which is missing from the permission. – Sébastien Stormacq Mar 03 '19 at 11:55

1 Answer

When we create a new App client, by default it has an associated App client secret.

I created one more App client, without "Client Secret", and used this new App client.

I modified the code to use the AdminInitiateAuth API instead of InitiateAuth.

I was able to log in successfully.

Here is the reference link, which was useful: Amplify "Unable to verify secret hash for client"

Dattatray
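The error in the question comes from calling InitiateAuth against an app client that has a client secret without supplying the SECRET_HASH parameter. Creating a second client without a secret, as the answer does, is one fix; the other is to keep the secret and compute SECRET_HASH, which is Base64(HMAC-SHA256(key = client secret, message = username + client ID)). The following is an added example, not code from the question or the answer: it computes the hash and builds the auth-parameters map for the USER_PASSWORD_AUTH flow, omitting SECRET_HASH when the client has no secret. It uses only the standard library; with the AWS SDK for Go v1 each value would be wrapped with aws.String before being placed in InitiateAuthInput.AuthParameters. The username, client ID and client secret are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SecretHash computes the value Cognito expects in the SECRET_HASH auth
// parameter for an app client that has a client secret:
// Base64( HMAC-SHA256( key = clientSecret, message = username + clientID ) ).
// An app client created without a secret must not send SECRET_HASH at all.
func SecretHash(username, clientID, clientSecret string) string {
	mac := hmac.New(sha256.New, []byte(clientSecret))
	mac.Write([]byte(username + clientID))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// BuildAuthParameters assembles the AuthParameters for USER_PASSWORD_AUTH.
// SECRET_HASH is added only when the app client actually has a secret; the
// hash is computed over the exact USERNAME string that is sent in the request.
func BuildAuthParameters(username, password, clientID, clientSecret string) map[string]string {
	params := map[string]string{
		"USERNAME": username,
		"PASSWORD": password,
	}
	if clientSecret != "" {
		params["SECRET_HASH"] = SecretHash(username, clientID, clientSecret)
	}
	return params
}

func main() {
	// Constructed sample values; these are not real Cognito identifiers.
	const (
		username     = "jane.doe@example.com"
		clientID     = "1example23456789"
		clientSecret = "example-client-secret-do-not-use"
	)

	withSecret := BuildAuthParameters(username, "hunter2", clientID, clientSecret)
	fmt.Println("SECRET_HASH for a client with a secret:", withSecret["SECRET_HASH"])

	noSecret := BuildAuthParameters(username, "hunter2", clientID, "")
	_, present := noSecret["SECRET_HASH"]
	fmt.Println("SECRET_HASH sent for a client without a secret:", present)
}
```

The same SECRET_HASH value is also required on RespondToAuthChallenge for a client with a secret, and it must be recomputed if the USERNAME value changes (for example when Cognito resolves an email alias to the internal username in a challenge response). Keep the client secret out of the Lambda code and logs; read it from an environment variable or a secrets store instead.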