Cognito User Pool trigger event


#1

Was anyone able to make the Cognito User Pool trigger work? (https://serverless.com/framework/docs/providers/aws/events/cognito-user-pool/)

I have something like this in my serverless.yml:

  changeActivationMessage:
    handler: functions/changeActivationMessage.main
    events:
      - cognitoUserPool:
          pool: MyUserPool
          trigger: CustomMessage

resources:
  Resources:
    CognitoUserPoolMyUserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:

But now I’m getting the error:
The CloudFormation template is invalid: Circular dependency between resources…

Thanks


#2

Hi @dbeja,

I don’t see any problems in the snippet you provided. Do you have more resources defined in serverless.yml?

I can post my working example of serverless.yml for cognito - it’s quite long though.

Cheers
Igor


#3

Yes @igorkosta, that would be helpful.
My serverless.yml is also quite long and split into multiple files.

The other parts I have in resources are a User Pool Client, and a Cognito Identity:

baCognitoUserPoolClient:
  Type: "AWS::Cognito::UserPoolClient"
  Properties:
    ClientName: ${self:provider.stage}_baCognitoUserPool_Client
    ExplicitAuthFlows:
      - ADMIN_NO_SRP_AUTH
    GenerateSecret: false
    UserPoolId:
      Ref: CognitoUserPoolMyUserPool

baCognitoIdentityPool:
  Type: AWS::Cognito::IdentityPool
  Properties:
    IdentityPoolName: ${self:provider.stage}_baCognitoIdentityPool
    AllowUnauthenticatedIdentities: false
    CognitoIdentityProviders:
      - ClientId:
          Ref: baCognitoUserPoolClient
        ProviderName:
          Fn::GetAtt: [CognitoUserPoolMyUserPool, ProviderName]

#4

Not sure if you saw this example already - I took almost everything from it (I hope it helps):

I am not using the IdentityPool with Cognito, so I’m not sure if I really can help.

Nevertheless, if it doesn’t help, ping me again and I’ll try to help.


#5

We are trying to automatically create a Cognito user pool by specifying CloudFormation resources and including them in the serverless.yml, pretty much a similar scenario. We were facing the circular dependency issue when we tried referring the preauth trigger to the user pool and providing an IamRoleStatement for the lambda to invoke the Cognito user pool, something like the statement below:

iamRoleStatements: [
  {
    Effect: 'Allow',
    Action: ['cognito-idp:*'],
    Resource: {
      'Fn::Join': [
        '',
        [
          'arn:aws:cognito-idp:',
          { Ref: 'AWS::Region' },
          ':',
          { Ref: 'AWS::AccountId' },
          ':',
          'userpool/',
          // the Ref is an object, not a quoted string
          { Ref: 'CognitoUserPoolMyUserPool' },
        ],
      ],
    },
  },
]

This causes a circular dependency between the resources; even referring through {'Fn::GetAtt': ['CognitoUserPoolMyUserPool', 'Arn']} or ${self:custom.env.USER_POOL_ARN} didn’t work. Do you have any suggestions for this?


#6

When this happens, the best option is usually to use https://github.com/functionalone/serverless-iam-roles-per-function so each function gets its own set of permissions instead of all sharing the one setup.


#7

@buggy thanks for your input. This does work using the serverless-iam-roles-per-function. It fixed the circular dependency issue.
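
The per-function layout suggested in #6, as an added example that is not part of the original thread and not any poster's own configuration. The service name, the `listUsers` function, its handler path, the `UserPoolName` value and the narrowed `cognito-idp:ListUsers` action are assumptions for illustration.

```yaml
# Added example; names marked "assumed" or "hypothetical" are not from the thread.
service: cognito-trigger-example        # assumed service name

plugins:
  - serverless-iam-roles-per-function

provider:
  name: aws
  runtime: nodejs18.x
  stage: dev
  # No provider-level iamRoleStatements that reference the user pool.
  # A shared role is also attached to the trigger function, which closes
  # the loop: UserPool -> trigger Lambda -> shared role -> UserPool.

functions:
  changeActivationMessage:
    handler: functions/changeActivationMessage.main
    events:
      - cognitoUserPool:
          pool: MyUserPool
          trigger: CustomMessage
    # This function's role carries no reference to CognitoUserPoolMyUserPool,
    # so the pool can depend on the function without a cycle.

  listUsers:                             # hypothetical function that calls Cognito
    handler: functions/listUsers.main    # assumed handler path
    iamRoleStatements:                   # per-function statements read by the plugin
      - Effect: Allow
        Action:
          - cognito-idp:ListUsers        # assumed need; narrower than cognito-idp:*
        Resource:
          Fn::GetAtt: [CognitoUserPoolMyUserPool, Arn]

resources:
  Resources:
    CognitoUserPoolMyUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:provider.stage}-my-user-pool   # assumed name
```

If the trigger function itself is given a statement that uses `Ref` or `Fn::GetAtt` on the pool that invokes it, the same cycle returns even with per-function roles.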