我有一个现有Cognito用户池。当用户通过web应用程序注册时,我希望这个用户ID被添加到我们的Postgres数据库中。为此,我编写了一个Lambda函数,该函数应该在用户确认其电子邮件地址后触发。但是,在尝试使用无服务器框架部署此函数时,我得到以下错误:
CREATE_FAILED: PostDashsignupCustomCognitoUserPool1 (Custom::CognitoUserPool)
Received response status [FAILED] from custom resource. Message returned: Role does not have a trust relationship allowing Cognito to assume the role
我已经按照无服务器文档创建了这个lambda触发器:
下面是无服务器部署——verbose命令的完整日志:
Deploying cognito-signup-service to stage stage (eu-west-1)
Packaging
Excluding development dependencies for function "post-signup"
Generating custom CloudFormation resources
Retrieving CloudFormation stack
Uploading
Uploading CloudFormation file to S3
Uploading State file to S3
Uploading service post-signup.zip file to S3 (7.62 kB)
Uploading custom CloudFormation resources
Updating CloudFormation stack
Creating new change set
Waiting for new change set to be created
Change Set did not reach desired state, retrying
Executing created change set
UPDATE_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_COMPLETE - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_COMPLETE - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_COMPLETE - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_COMPLETE - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_IN_PROGRESS - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
CREATE_IN_PROGRESS - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_COMPLETE - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_IN_PROGRESS - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
CREATE_FAILED - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
UPDATE_ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
DELETE_SKIPPED - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
DELETE_IN_PROGRESS - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_FAILED - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
DELETE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
DELETE_COMPLETE - AWS::Lambda::Function - PostDashsignupLambdaFunction
DELETE_COMPLETE - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
DELETE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
DELETE_COMPLETE - AWS::Logs::LogGroup - PostDashsignupLogGroup
DELETE_COMPLETE - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
DELETE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
DELETE_IN_PROGRESS - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_COMPLETE - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
UPDATE_ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - cognito-signup-service-stage
× Stack cognito-signup-service-stage failed to deploy (263s)
Environment: win32, node 16.17.0, framework 3.22.0 (local) 3.22.0v (global), plugin 6.2.2, SDK 4.3.2
Credentials: Local, "stage" profile
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
Error:
CREATE_FAILED: PostDashsignupCustomCognitoUserPool1 (Custom::CognitoUserPool)
Received response status [FAILED] from custom resource. Message returned: Role does not have a trust relationship allowing Cognito to assume the role
下面是无服务器。yml文件:
service: cognito-signup-service
configValidationMode: error
provider:
name: aws
runtime: python3.8
region: eu-west-1
timeout: 10
stage: ${opt:stage, 'dev'}
environment:
STAGE: ${self:provider.stage}
iamRoleStatements:
- Effect: "Allow"
Action:
- "ssm:GetParameter"
Resource:
- "arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/${self:provider.stage}-db-credentials-secret-arn"
- "arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/${self:provider.stage}-db-*"
- Effect: "Allow"
Action:
- "secretsmanager:GetSecretValue"
Resource: "arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:${self:provider.stage}-db-credentials-*"
functions:
post-signup:
handler: src.handlers.post_signup.handler
iamRoleStatementsInherit: true
events:
- cognitoUserPool:
pool: ${env:USER_POOL_NAME}
trigger: PostConfirmation
existing: true
forceDeploy: true
layers:
# psycopg2 layer
- arn:aws:lambda:eu-west-1:770693421928:layer:Klayers-p38-aws-psycopg2:1
# jsonschema layer
- arn:aws:lambda:eu-west-1:770693421928:layer:Klayers-p38-jsonschema:12
useDotenv: true
plugins:
- serverless-iam-roles-per-function
- serverless-dotenv-plugin
package:
individually: true
patterns:
- "!node_modules/**"
- "!src/test/**"
- "!package.json"
- "!package-lock.json"
- "!.coverage"
- "!.coveragerc"
- "!run_tests.sh"
很难确定为什么它只是没有创建触发器。在无服务器中缺少了什么。yml文件?我没有找到这个错误的解决方案,因为一段时间了。我真的很感激你的帮助。
之前在SMS配置中添加了一个角色,该角色不能更新或删除,必须手动编辑才能从控制台分配该权限。