Insufficient permissions to execute the `AdminLinkProviderForUser` command

[eechih]

Environment information

System:
  OS: Linux 6.5 Ubuntu 22.04.4 LTS 22.04.4 LTS (Jammy Jellyfish)
  CPU: (12) x64 Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
  Memory: 53.89 GB / 62.64 GB
  Shell: /usr/bin/zsh
Binaries:
  Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
  Yarn: 1.22.19 - ~/.nvm/versions/node/v18.15.0/bin/yarn
  npm: 9.6.2 - ~/.nvm/versions/node/v18.15.0/bin/npm
  pnpm: 8.5.1 - ~/.nvm/versions/node/v18.15.0/bin/pnpm
NPM Packages:
  @aws-amplify/backend: 0.13.2
  @aws-amplify/backend-cli: 0.13.0
  aws-amplify: 6.0.30
  aws-cdk: 2.138.0
  aws-cdk-lib: 2.138.0
  typescript: 5.4.5
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

I have a function that needs to use the AdminLinkProviderForUserCommand command, but the "manageUsers" action does not seem to contain the 'cognito-idp:AdminLinkProviderForUser' action.

// amplify/auth/resource.ts

import { linkProviderForUserFunction } from '@/amplify/functions/link-provider-for-user/resource'

export const auth = defineAuth({
  ...
  access: allow => [
    allow.resource(linkProviderForUserFunction).to(['manageUsers']),
  ],
})

// amplify/functions/link-provider-for-user/handler.ts
  
import { env } from '$amplify/env/link-provider-for-user'
import type { Schema } from '@/amplify/data/resource'
import {
  AdminLinkProviderForUserCommand,
  CognitoIdentityProviderClient,
  InvalidParameterException,
} from '@aws-sdk/client-cognito-identity-provider'
import { AppSyncIdentityCognito } from 'aws-lambda'

const client = new CognitoIdentityProviderClient()

export const handler: Schema['linkProviderForUser']['functionHandler'] =
  async event => {
    const { providerName, providerUserId } = event.arguments
    const identity = event.identity as AppSyncIdentityCognito
    
    const command = new AdminLinkProviderForUserCommand({
      UserPoolId: env.AMPLIFY_AUTH_USERPOOL_ID,
      DestinationUser: {
        ProviderName: 'Cognito',
        ProviderAttributeValue: identity.username,
      },
      SourceUser: {
        ProviderName: providerName,
        ProviderAttributeName: 'Cognito_Subject',
        ProviderAttributeValue: providerUserId,
      },
    })
    
    const response = await client.send(command)
    ...
  }

The following error occurs:

2024-04-26T01:10:30.391Z	5eada46c-eea6-4093-8b5e-0f4557193695	ERROR	Invoke Error 	{
    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:sts::089370838833:assumed-role/amplify-drinkshopbackend--linkproviderforuserlambda-Hji1xUz2DDsw/amplify-drinkshopbackend--linkproviderforuserlambd-GNHSJOXwO4To is not authorized to perform: cognito-idp:AdminLinkProviderForUser on resource: arn:aws:cognito-idp:us-east-1:089370838833:userpool/us-east-1_SPrRZH9Kd because no identity-based policy allows the cognito-idp:AdminLinkProviderForUser action",
    ...
}

Is there any solution? Thanks.

[ykethan]

Hey @eechih, thank you for reaching out. The issue appears to be similar to #1375, refer to the comment #1375 (comment) using override to add the permissions
Marking this as feature request.

[eechih]

@ykethan Thanks a lot, that worked :)

[MyNameIsTakenOMG]

Hi @ykethan , I checked the doc, seems like we still don't have the AdminLinkProviderForUser option, and that could cause some issue, for example when we try to assign this action or permission to pre-signup trigger, right? And I don't think we can directly access this trigger using backend.auth.resources and add the action manually. So what is your opinion?

Update:

I succeeded to add this AdminLinkProviderForUser permission to the lambda trigger by importing the lambda resource into the amplify backend, and then added an inline policy by following your workaround, many thanks!

Btw, I think it would be better to add at least a note to tell devs that if they want to configure pre-signup or post-confirmation triggers, they can import them into amplify backend like other normal lambda function.