Is this feature request related to a new or existing Amplify category?
No response
Is this related to another service?
No response
Describe the feature you'd like to request
When migrating a Gen1 app that uses a Cognito PostConfirmation Lambda trigger with the "Add User To Group" capability, the generate step should also generate a corresponding access block on defineAuth to grant the necessary Cognito permissions.
In Gen1, the CLI auto-generates auth-trigger-cloudformation-template.json (deployed as AuthTriggerCustomLambdaStack) which creates an IAM policy granting cognito-idp:AdminAddUserToGroup, cognito-idp:GetGroup, and cognito-idp:CreateGroup to the Lambda execution role.
Currently the generated defineAuth only includes triggers: { postConfirmation }. The trigger wiring works (Cognito invokes the Lambda), but the Lambda has no permissions to call Cognito APIs. At runtime, the PostConfirmation trigger fails with:
PostConfirmation failed with error User: arn:aws:sts::<account>:assumed-role/<role>/<function> is not authorized to perform: cognito-idp:CreateGroup on resource: arn:aws:cognito-idp:<region>:<account>:userpool/<pool-id> because no identity-based policy allows the cognito-idp:CreateGroup action
Describe the solution you'd like
The migration codegen should detect auth trigger capabilities (e.g. "Add User To Group") and generate the appropriate access block using the available auth actions:
    access: (allow) => [
      allow.resource(postConfirmation).to([
        "addUserToGroup",
        "manageGroups",
      ]),
    ],
Describe alternatives you've considered
None
Additional context
This likely applies to all Cognito trigger types that require IAM permissions beyond invocation. Any trigger that calls back into Cognito APIs would need the corresponding access actions generated.
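The following is an added example of the codegen logic this request asks for; it is not Amplify's own migration code. It takes the IAM actions a Gen1 auth-trigger policy grants and emits the matching Gen2 access block, failing closed on any action it cannot map so the migrated Lambda neither hits the runtime AccessDenied above nor gets a blanket cognito-idp:* grant. The IAM-to-access-action table beyond the three actions named in this issue is an assumption, as are the function names.

```typescript
// Added example, not Amplify's migration codegen. Maps Gen1 IAM actions on the
// trigger's execution role to Gen2 defineAuth access actions.
// Assumption: only the three actions from the issue are mapped; extend as needed.
const IAM_TO_ACCESS: Record<string, string> = {
  "cognito-idp:AdminAddUserToGroup": "addUserToGroup",
  "cognito-idp:CreateGroup": "manageGroups",
  "cognito-idp:GetGroup": "manageGroups",
};

// Constructed sample: the actions Gen1 grants for "Add User To Group".
const GEN1_ADD_USER_TO_GROUP_ACTIONS: string[] = [
  "cognito-idp:AdminAddUserToGroup",
  "cognito-idp:GetGroup",
  "cognito-idp:CreateGroup",
];

// Returns the de-duplicated, sorted Gen2 actions plus any IAM actions with no
// known equivalent, so the caller can decide instead of silently dropping them.
function accessActionsFor(iamActions: string[]): { actions: string[]; unmapped: string[] } {
  const actions = new Set<string>();
  const unmapped: string[] = [];
  for (const iam of iamActions) {
    const mapped = IAM_TO_ACCESS[iam];
    if (mapped) {
      actions.add(mapped);
    } else {
      unmapped.push(iam);
    }
  }
  return { actions: [...actions].sort(), unmapped };
}

// Renders the `access` block for defineAuth. Throws on unmapped actions: a
// missing grant reproduces the runtime failure in the issue, and an over-broad
// grant widens the Lambda's blast radius, so neither is an acceptable default.
function renderAccessBlock(triggerName: string, iamActions: string[]): string {
  const { actions, unmapped } = accessActionsFor(iamActions);
  if (unmapped.length > 0) {
    throw new Error(`No Gen2 access action for: ${unmapped.join(", ")}`);
  }
  if (actions.length === 0) {
    return ""; // invocation-only trigger: no access block needed
  }
  const quoted = actions.map((a) => `"${a}"`).join(", ");
  return [
    "access: (allow) => [",
    `  allow.resource(${triggerName}).to([${quoted}]),`,
    "],",
  ].join("\n");
}
```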
Is this something that you'd be interested in working on?
Would this feature include a breaking change?