-
I am trying to add a custom email sender to a Cognito UserPool via CDK but I seem to fail in setting up the permissions properly. My code looks basically like this:

```typescript
// Imports assume CDK v2 (aws-cdk-lib); for CDK v1 use the matching @aws-cdk/* packages
import { Key } from 'aws-cdk-lib/aws-kms';
import { UserPool } from 'aws-cdk-lib/aws-cognito';
import { Effect, PolicyStatement, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

// Setup KMS key for email sender
const customSenderKey = new Key(this, 'CognitoEmailSendKey');
// The Lambda trigger and the other triggers are elided in the post (`< ... >` placeholders)
const emailSenderTriggerHandler = < create Lambda function >;
const userPool = new UserPool(this, 'UserPool', {
  lambdaTriggers: {
    customEmailSender: emailSenderTriggerHandler,
    < ... other Triggers >,
  },
  customSenderKmsKey: customSenderKey,
});

// Give Cognito CreateGrant (and Encrypt) permission in the key's resource policy
customSenderKey.addToResourcePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    principals: [new ServicePrincipal('cognito-idp.amazonaws.com')],
    actions: ['kms:CreateGrant', 'kms:Encrypt'],
    resources: ['*'],
  })
);

// Give the Lambda Decrypt permission (the post wrote `senderKey`, which is never declared; the key is `customSenderKey`)
customSenderKey.grantDecrypt(emailSenderTriggerHandler);

// Give Cognito Invoke permission on the Lambda
emailSenderTriggerHandler.grantInvoke(new ServicePrincipal('cognito-idp.amazonaws.com'));
```

The
I don't get the error since (at least in my understanding) I gave the permissions with the call to
Why is this not equivalent to the policy described in the documentation here?
Replies: 2 comments
-
Ok, I found the solution to my problem. I seem to have interpreted the error message wrong. The problem was that the IAM role executing CloudFormation did not have the permission `kms:CreateGrant`. After granting the permissions it seems to work as expected.
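The question's stack carries three grants (Cognito may `CreateGrant`/`Encrypt` on the key, the trigger may `Decrypt`, Cognito may invoke the trigger), while the reply's finding is a fourth permission that lives outside the stack: the role running CloudFormation needs `kms:CreateGrant` on the key. The following is an added example, not code from this discussion or from CDK: a small offline lint over a synthesized template (the JSON that `cdk synth` emits) plus a check of the deployer's IAM statements. The template and the deployer policies are constructed sample data; resources given as intrinsic functions (`Fn::GetAtt` and the like) cannot be resolved offline and are treated as matching, which is an assumption of this example.

```typescript
// Added example (not from the discussion above). Lints a synthesized CloudFormation template
// for the in-stack grants a Cognito custom email sender needs, and checks separately whether the
// deployer's IAM statements allow kms:CreateGrant on the key. All sample data below is constructed.

type Principal = "*" | { Service?: string | string[]; AWS?: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource?: unknown;          // string, string[] or an intrinsic such as {"Fn::GetAtt": [...]}
  Principal?: Principal;       // present in resource policies (key policy), absent in identity policies
}
interface Template { Resources: Record<string, { Type: string; Properties?: any }> }

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM-style glob: "*" matches any run of characters, "?" exactly one; case-insensitive.
function globMatch(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i").test(value);
}

function principalMatches(p: Principal | undefined, service: string): boolean {
  if (p === "*") return true;
  return p !== undefined && asList(p.Service).includes(service);
}

// Evaluate a statement list: an explicit Deny wins, otherwise any matching Allow grants.
// Pass `service` for a resource policy (key policy); omit it for an identity policy.
function allows(statements: Statement[], action: string, resource: string, service?: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const actionHit = asList(s.Action).some(a => globMatch(a, action));
    const resources = asList(s.Resource === undefined ? "*" : s.Resource);
    // Assumption: intrinsic-function resources (objects) are unresolvable offline and count as a match.
    const resourceHit = resources.some(r => typeof r !== "string" || globMatch(r, resource));
    const principalHit = service === undefined || principalMatches(s.Principal, service);
    if (!(actionHit && resourceHit && principalHit)) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

const COGNITO = "cognito-idp.amazonaws.com";

function ofType(t: Template, type: string) {
  return Object.values(t.Resources).filter(r => r.Type === type);
}

// Returns the list of missing in-stack grants; an empty list means all three are present.
function checkTemplate(t: Template): string[] {
  const problems: string[] = [];
  const keys = ofType(t, "AWS::KMS::Key");
  if (keys.length === 0) problems.push("no AWS::KMS::Key in template");
  for (const k of keys) {
    const stmts: Statement[] = k.Properties?.KeyPolicy?.Statement ?? [];
    for (const action of ["kms:CreateGrant", "kms:Encrypt"]) {
      if (!allows(stmts, action, "*", COGNITO)) problems.push(`key policy lacks ${action} for ${COGNITO}`);
    }
  }
  const invoke = ofType(t, "AWS::Lambda::Permission").some(
    p => p.Properties?.Principal === COGNITO && p.Properties?.Action === "lambda:InvokeFunction");
  if (!invoke) problems.push(`no AWS::Lambda::Permission lets ${COGNITO} invoke the trigger`);
  const decrypt = ofType(t, "AWS::IAM::Policy").some(
    p => allows(p.Properties?.PolicyDocument?.Statement ?? [], "kms:Decrypt", "*"));
  if (!decrypt) problems.push("no AWS::IAM::Policy grants the trigger role kms:Decrypt");
  return problems;
}

// The part no stack change can fix: the role running CloudFormation needs kms:CreateGrant on the key.
function deployerCanCreateGrant(deployerStatements: Statement[], keyArn: string): boolean {
  return allows(deployerStatements, "kms:CreateGrant", keyArn);
}

// Constructed sample template, roughly what CDK synthesizes for the constructs in the question.
const sampleTemplate: Template = {
  Resources: {
    CognitoEmailSendKey: { Type: "AWS::KMS::Key", Properties: { KeyPolicy: { Statement: [
      { Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "kms:*", Resource: "*" },
      { Effect: "Allow", Principal: { Service: COGNITO }, Action: ["kms:CreateGrant", "kms:Encrypt"], Resource: "*" },
    ] } } },
    TriggerRolePolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "kms:Decrypt", Resource: { "Fn::GetAtt": ["CognitoEmailSendKey", "Arn"] } },
    ] } } },
    TriggerInvokePermission: { Type: "AWS::Lambda::Permission",
      Properties: { Action: "lambda:InvokeFunction", Principal: COGNITO } },
  },
};

// Constructed deployer policies: the narrow one reproduces the failure described in the reply.
const narrowDeployer: Statement[] = [{ Effect: "Allow", Action: ["kms:Describe*", "kms:Encrypt"], Resource: "*" }];
const fullDeployer: Statement[] = [{ Effect: "Allow", Action: "kms:*", Resource: "*" }];

console.log("template problems:", checkTemplate(sampleTemplate));
console.log("narrow deployer can CreateGrant:", deployerCanCreateGrant(narrowDeployer, "arn:aws:kms:eu-west-1:111122223333:key/example"));
```

Run `checkTemplate` against the real `cdk.out/<stack>.template.json` to confirm the three in-stack grants synthesized as intended; an empty problem list together with a deploy-time grant failure points at the deployer role, which is exactly the case the reply describes.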
-
Hello! Reopening this discussion to make it searchable.