Why is my AWS assumed role not authorised to perform cognito-idp:AdminGetUser?

Question

My Laravel application calls the AdminGetUser endpoint.

In the local environment, it successfully returns the resource.

After deploying to a Vapor environment, it fails with the following error message:

User: arn:aws:sts::xxxx:assumed-role/laravel-vapor-role/xxxx is not authorized to perform: **cognito-idp:AdminGetUser** on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx because no identity-based policy allows the cognito-idp:AdminGetUser action

What is the issue?

Answer 1

laravel-vapor-role is not authorized to perform: cognito-idp:AdminGetUser on resource: arn:aws:cognito-idp:us-east-1:xxxx:userpool/us-east-1_xxxx

This means the laravel-vapor-role role does not have a suitable policy attached to provide it with permission to carry out the cognito-idp:AdminGetUser action.

You can fix this in 2 ways:

1. Assign the AWS managed AmazonCognitoReadOnly policy to the role
2. Add an inline policy to the role, in line with the security best practice of granting least privilege

---

If you anticipate more read-only permissions will be needed later on, it'll be much easier and better to just assign the AWS managed AmazonCognitoReadOnly policy to the role.

It will provides permissions for read-only access to your identity pools and user pools, including the cognito-idp:AdminGetUser permission that falls under cognito-idp:Get* (documentation here, direct policy link here):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:Describe*",
                "cognito-identity:Get*",
                "cognito-identity:List*",
                "cognito-idp:Describe*",
                "cognito-idp:AdminGet*",
                "cognito-idp:AdminList*",
                "cognito-idp:List*",
                "cognito-idp:Get*",
                "cognito-sync:Describe*",
                "cognito-sync:Get*",
                "cognito-sync:List*",
                "iam:ListOpenIdConnectProviders",
                "iam:ListRoles",
                "sns:ListPlatformApplications"
            ],
            "Resource": "*"
        }
    ]
}

---

If you only require the single permission of cognito-idp:AdminGetUser, then create & assign an inline policy to the role which only grants that permission for the specific Cognito User Pool.

The below images should be self-explanatory:

Answer 2

For anyone else that comes across this, the issue for me was that I borrowed the iamRoleStatements configuration from another file but forgot to include serverless-iam-roles-per-function import at the top of my file.

plugins:
    - serverless-pseudo-parameters
    - serverless-iam-roles-per-function # <----- Missing this plugin *****

functions:
    func1:
        handler: handler.func1
        iamRoleStatements:
            - Effect: 'Allow'
              Action:
                  - sns:Publish
              Resource: 'arn:aws:sns:#{AWS::Region}:#{AWS::AccountId}:EventsTopic'