Is it possible to invoke a Lambda function with a cognito userpool identity?

I want to invoke a Lambda function using the Javascript API.

I want it to be invoked with the cognito userpool credentials of the user who is authenticated on the browser.

The objective is that the Lambda function will have the same level of access to S3 as the user from the cognito userpool.

How can I do this?




You can do that by federating user pool token with Cognito federated identity, this will give you temporary AWS credentials to call AWS Lambda function. You will need to create an identity pool and create a role with permission lambda:InvokeFunction.

Also keep in mind that, all the users of user pool will be able to call lambda function if you choose authentication role based resolution, if you want to restrict it to subset of users, you can use groups in user pools and token or rule based mapping in federated identities to determine the role.



You will need these three packages:

<script src="js/aws-cognito-sdk.min.js"></script>
<script src="js/amazon-cognito-identity.min.js"></script>
<script src="js/aws-sdk.min.js"></script>

Once you login using Cognito, you can invoke Lambda function like this:

function invokeMyLambda()
    if(!objCognitoUser) syncAwsFromCognito(); 
    var lambda = new AWS.Lambda({region: 'us-east-1', apiVersion: '2015-03-31'});
    // create JSON object for service call parameters
    var pullParams = {
       FunctionName : 'myLambFunctionName',
       InvocationType : 'RequestResponse', // Event | RequestResponse | DryRun
       LogType : 'None',
       Payload : JSON.stringify({ "yourKeyName": "Key Value to pass to the function in Event Object"}),
    // invoke Lambda function, passing JSON object
    lambda.invoke(pullParams, function(err, data) {
       if (err) {
       } else {
          alert("Success: " + JSON.stringify(data));
    lambda = null;

function syncAwsFromCognito() {
    //    objCognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);

    if(!objCognitoUser) {
        objCognitoUser = objUserPool.getCurrentUser();
    if (objCognitoUser) {
        objCognitoUser.getSession(function(err, result) {
        if (result) {
            if(AWS.config.credentials == null) // Refresh AWS Config credentials
                AWS.config.credentials = new AWS.CognitoIdentityCredentials(jsonUserCreds);
                AWS.config.credentials.params.Logins[strConfUserPoolID] = result.idToken.jwtToken;

        //call refresh method in order to authenticate user and get new temp credentials
        AWS.config.credentials.refresh( function (error) {
            if (error) {
                console.log('syncAwsFromCognito', error);
        alert("Session expired. Login again");

You can make S3 call directly from Javascript as well after Cognito authentication in done. I'll prefer to use REST API with API Gateway instead of direct Lambda function call from the browser. Thats because the Lambda function call relies on TokenID which is valid for an hour even if you logout using Cognito SDK.


Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.