Cross Account AWS Cognito Lambda Trigger
I have a Cognito pool in account (11111111) with a lambda trigger for PreSignUp where the lambda function is in account (22222222). I'm able to create the Cognito pool successfully, however when I try to execute an action such as CreateUser I get the error UnexpectedLambdaException: PreSignUp invocation failed due to configuration.
I've updated the lambda resource policy to allow cross-account access with the following statements:

```json
{
  "Sid": "xaccount",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::11111111:root"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-west-2:22222222:function:my-function"
}
```

and

```json
{
  "Sid": "AllowCognitoInvoke",
  "Effect": "Allow",
  "Principal": {
    "Service": "cognito-idp.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-west-2:22222222:function:my-function",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cognito-idp:us-east-1:11111111:userpool/*"
    }
  }
}
```
Not sure what other configuration I'm missing. Has anyone successfully set up something similar before?
Solution 1:[1]
Following up on my question. AWS support confirmed that you cannot configure Cognito triggers to call lambda functions in a different account.
You can set up cross-account lambda triggers on a pool using the CLI, but you can't do it via the AWS Console. So if you do end up using the CLI to set up cross-account lambda triggers, just know there is no way to invoke those functions.
In the end, I replicated the lambda trigger functions in the same account as the Cognito pool.
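The two policy statements in the question, and the same-account setup the answer ends up with, can be checked offline. The following is an added example (not code from the original question or answer): it builds the Lambda resource-policy statement that lets `cognito-idp.amazonaws.com` invoke a trigger only on behalf of one specific user pool (the `aws:SourceArn` / `aws:SourceAccount` confused-deputy guard), evaluates a statement the way IAM's `ArnLike` / `StringEquals` operators would, and flags the account and region mismatch between the function ARN and the pool ARN in the question. The pool ID, the same-account function name and the two statements are constructed copies for the example, and the region check is an assumption made here (it mirrors the account restriction AWS support confirmed; verify it against the current Cognito documentation).

```python
"""Build and evaluate a Lambda resource-policy statement for a Cognito user-pool trigger.

Added example, not part of the original post. Runs offline: no AWS calls are made.
"""
import json
import re

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"

# Constructed values (the pool ID and the same-account function name are made up).
FUNCTION_ARN = "arn:aws:lambda:us-west-2:22222222:function:my-function"
POOL_ARN = "arn:aws:cognito-idp:us-east-1:11111111:userpool/us-east-1_AbCdEf123"
OTHER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:11111111:userpool/us-east-1_Zyxwvu987"
SAME_ACCOUNT_FUNCTION_ARN = "arn:aws:lambda:us-east-1:11111111:function:pre-signup"

# Copy of the two statements posted in the question.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "xaccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::11111111:root"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "AllowCognitoInvoke", "Effect": "Allow",
         "Principal": {"Service": COGNITO_PRINCIPAL},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:cognito-idp:us-east-1:11111111:userpool/*"}}},
    ],
}


def arn_parts(arn):
    """Split arn:partition:service:region:account:resource into a dict."""
    fields = arn.split(":", 5)
    if len(fields) != 6 or fields[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("scheme", "partition", "service", "region", "account", "resource"), fields))


def arn_like(pattern, value):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def cognito_invoke_statement(function_arn, pool_arn, sid="AllowCognitoInvoke"):
    """Statement that lets Cognito invoke function_arn only when acting for pool_arn."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": COGNITO_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": pool_arn},                       # pin to one pool
            "StringEquals": {"aws:SourceAccount": arn_parts(pool_arn)["account"]},
        },
    }


def _conditions_hold(condition, pool_arn):
    """Evaluate the condition block for a call Cognito makes on behalf of pool_arn.
    Condition key names are case-insensitive; unknown keys or operators fail closed."""
    context = {"aws:sourcearn": pool_arn, "aws:sourceaccount": arn_parts(pool_arn)["account"]}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key.lower())
            if actual is None:
                return False
            if operator == "ArnLike":
                ok = any(arn_like(p, actual) for p in as_list(expected))
            elif operator in ("ArnEquals", "StringEquals"):
                ok = actual in as_list(expected)
            else:
                ok = False
            if not ok:
                return False
    return True


def statement_allows_cognito(statement, function_arn, pool_arn):
    """True if this single statement lets Cognito, acting for pool_arn, invoke function_arn."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal != "*":
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if COGNITO_PRINCIPAL not in services:
            return False  # an IAM principal such as account root is not the Cognito service
    if not any(arn_like(a.lower(), "lambda:invokefunction") for a in as_list(statement.get("Action", []))):
        return False
    if not any(arn_like(r, function_arn) for r in as_list(statement.get("Resource", []))):
        return False
    return _conditions_hold(statement.get("Condition", {}), pool_arn)


def diagnose(policy, function_arn, pool_arn):
    """Findings for a trigger setup; an empty list means nothing here explains a failure."""
    fn, pool = arn_parts(function_arn), arn_parts(pool_arn)
    findings = []
    if fn["account"] != pool["account"]:
        findings.append(f"cross-account: function in {fn['account']}, pool in {pool['account']}")
    if fn["region"] != pool["region"]:  # assumption: trigger must live in the pool's region
        findings.append(f"cross-region: function in {fn['region']}, pool in {pool['region']}")
    if not any(statement_allows_cognito(s, function_arn, pool_arn) for s in as_list(policy["Statement"])):
        findings.append(f"no statement lets {COGNITO_PRINCIPAL} invoke the function for this pool")
    return findings


SAME_ACCOUNT_POLICY = {"Version": "2012-10-17",
                       "Statement": [cognito_invoke_statement(SAME_ACCOUNT_FUNCTION_ARN, POOL_ARN)]}

if __name__ == "__main__":
    print(json.dumps(diagnose(POSTED_POLICY, FUNCTION_ARN, POOL_ARN), indent=2))
    print(json.dumps(SAME_ACCOUNT_POLICY, indent=2))
```

Note that the `xaccount` statement grants account `11111111`'s IAM principals the right to invoke the function, which is not the same thing as letting the `cognito-idp.amazonaws.com` service principal invoke it; only the second statement is relevant to the trigger, and the built statement tightens it from `userpool/*` to one pool ARN plus `aws:SourceAccount`, so a pool in another account cannot drive the function even if the service principal were granted access.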
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | aNewbieDev |
