Question:
I’m new to AWS and I’m looking for a way to allow the users of my Android app to change their emails without going through the verification process (I managed to do it for the subscription).
I tried to follow this and this, and here is what I did.
In my Android app:
```java
import android.util.Log;
import android.view.View;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserAttributes;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.CognitoUserCodeDeliveryDetails;
import com.amazonaws.mobileconnectors.cognitoidentityprovider.handlers.UpdateAttributesHandler;
import java.util.List;

public void onClickChangeEmail(View view) {
    // Attribute set carrying the new email address
    CognitoUserAttributes attributes = new CognitoUserAttributes();
    attributes.getAttributes().put("email", "second@mail.com");

    // CognitoSettings is the app's own helper that holds the user pool
    CognitoSettings
            .getCognitoUserPool(MainActivity.this)
            .getCurrentUser()
            .updateAttributesInBackground(attributes, new UpdateAttributesHandler() {
                @Override
                public void onSuccess(List<CognitoUserCodeDeliveryDetails> attributesVerificationList) {
                    Log.i("tag", "Email updated!");
                }

                @Override
                public void onFailure(Exception e) {
                    e.printStackTrace();
                }
            });
}
```
Then, in my AWS console, I added a trigger in Cognito on Custom message, and here is my lambda function, which is triggered every time a user updates his email:
```javascript
const AWS = require('aws-sdk');
AWS.config.update({ region: 'eu-central-1' });

exports.handler = (event, context, callback) => {
    // Only act on the attribute-update variant of the Custom message trigger
    if (event.triggerSource === 'CustomMessage_UpdateUserAttribute') {
        const params = {
            UserAttributes: [
                {
                    Name: 'email_verified',
                    Value: 'true',
                },
            ],
            UserPoolId: event.userPoolId,
            Username: event.userName,
        };
        var cognitoIdServiceProvider = new AWS.CognitoIdentityServiceProvider();
        cognitoIdServiceProvider.adminUpdateUserAttributes(params, function (err, data) {
            if (err) context.done(err, event); // an error occurred
            else context.done(null, event); // successful response
        });
    } else {
        context.done(null, event);
    }
};
```
The result is: the email is properly updated (but it works without the lambda), but the lambda crashes, with the following error:
autoValidationUserEmailModification is not authorized to perform: cognito-idp:AdminUpdateUserAttributes
So it looks like an authorization is missing.
My questions are:
- How can I fix the authorization part?
- Is that method the right way to disable email verification on updating user email?
Thanks for your help.
Answer:
Allow your function to perform AdminUpdateUserAttributes on your Cognito Pool resource.
Update your Lambda execution role with a block like:
```json
{
    "Action": [
        "cognito-idp:AdminUpdateUserAttributes"
    ],
    "Resource": "arn:aws:cognito-idp:eu-central-1:<ACCOUNT_ID>:userpool/<USER_POOL_ID>",
    "Effect": "Allow"
}
```
where Resource is your Cognito User Pool ARN.
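An added example, not the asker's or answerer's code, that restructures the trigger so it can be exercised offline and pairs it with the least-privilege statement from the answer; `makeHandler`, `fakeClient`, `userPoolArn` and the sample event values are hypothetical, and the client interface assumed is the SDK v2 callback style used above. Note that this technique marks the new address verified without any proof that the user controls it, which matters wherever email is the sign-in or password-recovery channel.

```javascript
'use strict';

// Wraps the trigger logic around an injected Cognito client so it can be
// tested without AWS. `client` must expose adminUpdateUserAttributes(params, cb)
// like the SDK v2 CognitoIdentityServiceProvider; Node.js Lambda runtimes
// accept the returned Promise in place of context.done.
function makeHandler(client) {
  return function handler(event) {
    // Only the attribute-update variant of the Custom message trigger acts;
    // every other trigger source is passed through unchanged.
    if (event.triggerSource !== 'CustomMessage_UpdateUserAttribute') {
      return Promise.resolve(event);
    }
    const params = {
      UserPoolId: event.userPoolId,
      Username: event.userName,
      UserAttributes: [{ Name: 'email_verified', Value: 'true' }],
    };
    return new Promise((resolve, reject) =>
      client.adminUpdateUserAttributes(params, (err) => (err ? reject(err) : resolve(event))));
  };
}

// Execution-role statement: exactly the action named in the AccessDenied
// error, scoped to one user pool ARN instead of "*".
function userPoolArn(region, accountId, userPoolId) {
  return `arn:aws:cognito-idp:${region}:${accountId}:userpool/${userPoolId}`;
}
function executionRoleStatement(poolArn) {
  return { Effect: 'Allow', Action: ['cognito-idp:AdminUpdateUserAttributes'], Resource: poolArn };
}

// Fake client for offline tests: records each call and answers with `failWith`.
function fakeClient(failWith) {
  const calls = [];
  return { calls, adminUpdateUserAttributes(params, cb) { calls.push(params); cb(failWith || null, {}); } };
}

// Constructed sample events shaped like Cognito Custom message trigger input.
const updateEvent = {
  version: '1', region: 'eu-central-1', userPoolId: 'eu-central-1_EXAMPLE', userName: 'alice',
  triggerSource: 'CustomMessage_UpdateUserAttribute',
  request: { userAttributes: { email: 'second@mail.com', email_verified: 'false' }, codeParameter: '{####}' },
  response: {},
};
const signUpEvent = Object.assign({}, updateEvent, { triggerSource: 'CustomMessage_SignUp' });

// Deployment wiring: exports.handler = makeHandler(new (require('aws-sdk').CognitoIdentityServiceProvider)());
```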