AWS Cognito Change user status to disable
I want to change user status using code.
I tried lots of code but nothing worked for me. Can anyone provide a full working example of this? Sometimes I am getting this error: CognitoIdentityCredentials is not authorized to perform: cognito-idp:AdminDisableUser on resource
    var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
    AWS.config.update({
      region: 'us-west-2',
      credentials: new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-west-2:6afd2a7c-b3cd-472f-bead-fdbde8a84a26',
      })
    });
    var params = {
      UserPoolId: 'us-west-2_Klsadmic5', /* required */
      Username: 'alphagate6' /* required */
    };
    cognitoidentityserviceprovider.adminDisableUser(params, function(err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else console.log(data); // successful response
    });
Solution 1:[1]
The params and the invocation seem to be OK. The error means that the role of your Lambda function (I assume that this code snippet is from your Lambda function) does not have permission to perform adminDisableUser.
You need to find the IAM role of your lambda function and attach a policy that allows this action. For example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAdminDisableUser",
          "Effect": "Allow",
          "Action": "cognito-idp:AdminDisableUser",
          "Resource": "*"
        }
      ]
    }
You may also want to specify certain resources to not allow this action for every user pool.
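Added example (not part of the original answer, and not AWS tooling): a simplified JavaScript check of what the `"Resource": "*"` policy above grants compared with a policy scoped to one user pool ARN. It evaluates only Effect, Action and Resource (no Condition, NotAction or NotResource); the account ID, pool IDs and the function names `isAllowed` and `findOverBroad` are constructed for illustration.

```javascript
// Added example: simplified identity-based policy check (Effect/Action/Resource only).
// Account ID and pool IDs are constructed placeholders, not values from the page.

// Turn an IAM wildcard pattern (* and ?) into an anchored RegExp.
function globToRegExp(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", flags);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Action names match case-insensitively; resource ARNs match case-sensitively.
function statementMatches(stmt, action, resourceArn) {
  return asArray(stmt.Action).some((a) => globToRegExp(a, "i").test(action)) &&
    asArray(stmt.Resource).some((r) => globToRegExp(r).test(resourceArn));
}

// Explicit Deny wins, then any matching Allow grants, otherwise implicit deny.
function isAllowed(policy, action, resourceArn) {
  const hits = asArray(policy.Statement).filter((s) => statementMatches(s, action, resourceArn));
  if (hits.some((s) => s.Effect === "Deny")) return false;
  return hits.some((s) => s.Effect === "Allow");
}

// Sids of Allow statements that grant Cognito admin actions on every resource.
function findOverBroad(policy) {
  return asArray(policy.Statement)
    .filter((s) => s.Effect === "Allow" && asArray(s.Resource).includes("*"))
    .filter((s) => asArray(s.Action).some((a) => /^(\*|cognito-idp:(\*|admin.*))$/i.test(a)))
    .map((s) => s.Sid || "(no Sid)");
}

const POOL_A = "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLEaa";
const POOL_B = "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLEbb";

const wildcardPolicy = { Version: "2012-10-17", Statement: [
  { Sid: "AllowAdminDisableUser", Effect: "Allow",
    Action: "cognito-idp:AdminDisableUser", Resource: "*" },
] };
const scopedPolicy = { Version: "2012-10-17", Statement: [
  { Sid: "ScopedToPoolA", Effect: "Allow",
    Action: ["cognito-idp:AdminEnableUser", "cognito-idp:AdminDisableUser"], Resource: [POOL_A] },
] };

console.log(isAllowed(wildcardPolicy, "cognito-idp:AdminDisableUser", POOL_B)); // true
console.log(isAllowed(scopedPolicy, "cognito-idp:AdminDisableUser", POOL_B));   // false
console.log(findOverBroad(wildcardPolicy)); // [ 'AllowAdminDisableUser' ]
```

With the wildcard policy, the same role can disable users in any pool in the account; the scoped policy limits it to the one pool the function manages.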
Solution 2:[2]
I had this feature to enable/disable users in one application, and here is how I have implemented the feature:
- Gave lambda necessary permissions to perform enable/disable
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "cognito-idp:AdminEnableUser",
            "cognito-idp:AdminDisableUser"
          ],
          "Resource": [
            "arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>",
            "arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id>"
          ]
        }
      ]
    }
- Initializing AWS SDK
    // AWS SDK for JavaScript v2
    const AWS = require("aws-sdk");

    AWS.config.update({
      region: "us-east-1",
    });
    const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
      apiVersion: "2016-04-18",
    });
    const UserPoolId = "<pool-id>";
- Created one method to handle enable/disable
    // Resolves with the API response, rejects with the SDK error.
    const accountActions = (action, username) => {
      return new Promise((res, rej) => {
        const params = {
          UserPoolId /* required */,
          Username: username /* required */,
        };
        if (action === "disable") {
          cognitoidentityserviceprovider.adminDisableUser(params, function (err, data) {
            if (err) {
              rej(err);
            } else {
              res(data);
            }
          });
        } else {
          // Note: any action value other than "disable" enables the user.
          cognitoidentityserviceprovider.adminEnableUser(params, function (err, data) {
            if (err) {
              rej(err);
            } else {
              res(data);
            }
          });
        }
      });
    };
Solution 3:[3]
For anyone trying to do this via Amplify:
Edit the "AmplifyResourcesPolicy" (for my project, it's in the cloudformation-template.json).

    "AmplifyResourcesPolicy": {
      "DependsOn": ["LambdaExecutionRole"],
      "Type": "AWS::IAM::Policy",
      ...
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cognito-idp:AdminDisableUser",
              "cognito-idp:AdminEnableUser"
            ],
            "Resource": [
              {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:cognito-idp:",
                    { "Ref": "AWS::Region" },
                    ":",
                    { "Ref": "AWS::AccountId" },
                    ":userpool/",
                    { "Ref": "<user-pool-id>" }
                  ]
                ]
              }
            ]
          }
        ]
      }
    }
Solution 4:[4]
If your aim is to enable/disable a Cognito user as an admin, disregard this. Just be aware that the admin enable/disable enables/disables the user as an administrator, not disabling the user account (login etc.), which is where you might be getting the error from.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | adrian-mezei |
| Solution 2 | Krishna Pankhania |
| Solution 3 | Quymbee |
| Solution 4 | Bookrage001 |
