
My Laravel application calls the AdminGetUser endpoint.

In the local environment, it successfully returns the resource.

After deploying to a Vapor environment, it fails with the following error message:

User: arn:aws:sts::xxxx:assumed-role/laravel-vapor-role/xxxx is not authorized to perform: **cognito-idp:AdminGetUser** on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx because no identity-based policy allows the cognito-idp:AdminGetUser action

What is the issue?

Ermiya Eskandary
Tharaka Dilshan

  • IAM roles, what are the policies for laravel vapor role? – Ermiya Eskandary Oct 16 '21 at 14:46
  • That role has 14 services allowed, what is the required service for this API call? – Tharaka Dilshan Oct 16 '21 at 15:00
  • @ErmiyaEskandary there were `CloudWatch,CloudWatch Logs,DynamoDB,EC2,KMS,Lambda,Pinpoint Email,Route 53 Domains,S3,Secrets Manager,SES,SES v2,SQS,Systems Manager` allowed. With your comment I got the idea and added a new service of `Cognito User Pools`, which solves the issue. Please add an answer with an explanation so I can accept it. Thanks. – Tharaka Dilshan Oct 16 '21 at 16:05

2 Answers


laravel-vapor-role is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx

This means the laravel-vapor-role role does not have a suitable policy attached to provide it with permission to carry out the cognito-idp:AdminGetUser action.

You can fix this in 2 ways:

  1. Assign the AWS managed AmazonCognitoReadOnly policy to the role
  2. Add an inline policy to the role, in line with the security best practice of granting least privilege

If you anticipate more read-only permissions will be needed later on, it'll be much easier and better to just assign the AWS managed AmazonCognitoReadOnly policy to the role.

It provides permissions for read-only access to your identity pools and user pools, including the cognito-idp:AdminGetUser permission that falls under cognito-idp:Get* (documentation here, direct policy link here):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:Describe*",
                "cognito-identity:Get*",
                "cognito-identity:List*",
                "cognito-idp:Describe*",
                "cognito-idp:AdminGet*",
                "cognito-idp:AdminList*",
                "cognito-idp:List*",
                "cognito-idp:Get*",
                "cognito-sync:Describe*",
                "cognito-sync:Get*",
                "cognito-sync:List*",
                "iam:ListOpenIdConnectProviders",
                "iam:ListRoles",
                "sns:ListPlatformApplications"
            ],
            "Resource": "*"
        }
    ]
}

If you only require the single permission of cognito-idp:AdminGetUser, then create & assign an inline policy to the role which only grants that permission for the specific Cognito User Pool.

The below images should be self-explanatory:

[three screenshots of the IAM console, not reproduced here]

Ermiya Eskandary
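As an added example (not part of the question or either answer), the script below shows why the two fixes in the accepted answer both work and how they differ in scope: it parses the action and resource ARN out of an IAM AccessDenied message like the one in the question, evaluates them against the cognito-idp statements of the quoted AmazonCognitoReadOnly policy using IAM-style `*`/`?` wildcard matching, and generates the least-privilege inline policy scoped to the one user pool. The account id, role session name and user pool id are placeholders (the page redacts them as `xxxx`), and the evaluator is a deliberate simplification that ignores conditions, NotAction/NotResource and explicit Deny statements.

```python
import json
import re
from typing import Tuple

# Constructed sample of the AccessDenied message from the question; the
# account id, role session name and user pool id are placeholders.
ACCESS_DENIED = (
    "User: arn:aws:sts::111122223333:assumed-role/laravel-vapor-role/vapor "
    "is not authorized to perform: cognito-idp:AdminGetUser on resource: "
    "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE "
    "because no identity-based policy allows the cognito-idp:AdminGetUser action"
)

DENIED_RE = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)

# The cognito-idp statements of the AWS managed AmazonCognitoReadOnly policy
# as quoted in the answer above (the other services are omitted here).
COGNITO_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:Describe*",
                "cognito-idp:AdminGet*",
                "cognito-idp:AdminList*",
                "cognito-idp:List*",
                "cognito-idp:Get*",
            ],
            "Resource": "*",
        }
    ],
}


def parse_access_denied(message: str) -> Tuple[str, str]:
    """Pull (action, resource ARN) out of an IAM AccessDenied message."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM AccessDenied message")
    return m.group("action"), m.group("resource")


def _glob(pattern: str, ignore_case: bool):
    # IAM policy wildcards: '*' is any run of characters, '?' a single one.
    # Action names match case-insensitively; ARNs are case-sensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: some Allow statement must match
    both the action and the resource (no conditions, NotAction or Deny)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_ok = any(_glob(a, True).match(action) for a in actions)
        resource_ok = any(_glob(r, False).match(resource) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def least_privilege_policy(action: str, resource: str) -> dict:
    """The inline policy the answer recommends: exactly one action on exactly
    one user pool ARN, instead of wildcard actions on Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": [action], "Resource": [resource]}],
    }


if __name__ == "__main__":
    action, resource = parse_access_denied(ACCESS_DENIED)
    print("managed policy covers the denied call:",
          policy_allows(COGNITO_READ_ONLY, action, resource))
    inline = least_privilege_policy(action, resource)
    print(json.dumps(inline, indent=2))
    # The scoped policy reaches neither other pools nor other Admin* actions.
    other_pool = resource.replace("us-east-1_EXAMPLE", "us-east-1_OTHER")
    print("inline policy on another pool:", policy_allows(inline, action, other_pool))
    print("inline policy for AdminDeleteUser:",
          policy_allows(inline, "cognito-idp:AdminDeleteUser", resource))
```

Running it shows that `cognito-idp:AdminGetUser` is matched by the managed policy's `cognito-idp:AdminGet*` entry on any pool, while the generated inline policy allows only that one call on the one pool named in the error, which is the least-privilege option the answer describes.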

For anyone else that comes across this, the issue for me was that I borrowed the iamRoleStatements configuration from another file but forgot to include serverless-iam-roles-per-function import at the top of my file.

plugins:
    - serverless-pseudo-parameters
    - serverless-iam-roles-per-function # <----- Missing this plugin *****

functions:
    func1:
        handler: handler.func1
        iamRoleStatements:
            - Effect: 'Allow'
              Action:
                  - sns:Publish
              Resource: 'arn:aws:sns:#{AWS::Region}:#{AWS::AccountId}:EventsTopic'
Dan