I have an existing Cognito User Pool. When a user signs up through the web app, I want this user ID to get added into our Postgres DB.
For this, I have written a Lambda function which should get triggered after the user confirms their email address. However, on trying to deploy this function using the serverless framework, I get the following error:
CREATE_FAILED: PostDashsignupCustomCognitoUserPool1 (Custom::CognitoUserPool)
Received response status [FAILED] from custom resource. Message returned: Role does not have a trust relationship allowing Cognito to assume the role
I have followed the serverless docs to create this lambda trigger: Using Existing Pools
Following is the complete log of the serverless deploy --verbose command:
Deploying cognito-signup-service to stage stage (eu-west-1)
Packaging
Excluding development dependencies for function "post-signup"
Generating custom CloudFormation resources
Retrieving CloudFormation stack
Uploading
Uploading CloudFormation file to S3
Uploading State file to S3
Uploading service post-signup.zip file to S3 (7.62 kB)
Uploading custom CloudFormation resources
Updating CloudFormation stack
Creating new change set
Waiting for new change set to be created
Change Set did not reach desired state, retrying
Executing created change set
UPDATE_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_COMPLETE - AWS::Logs::LogGroup - PostDashsignupLogGroup
CREATE_COMPLETE - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
CREATE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CREATE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_COMPLETE - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
CREATE_COMPLETE - AWS::Lambda::Function - PostDashsignupLambdaFunction
CREATE_IN_PROGRESS - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_IN_PROGRESS - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
CREATE_IN_PROGRESS - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_COMPLETE - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
CREATE_IN_PROGRESS - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
CREATE_FAILED - Custom::CognitoUserPool - PostDashsignupCustomCognitoUserPool1
UPDATE_ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS - AWS::CloudFormation::Stack - cognito-signup-service-stage
DELETE_SKIPPED - AWS::Lambda::Version - PostDashsignupLambdaVersionj0JUrdtyYVkJtCoc0cT2GnzKGO2yz469YbZ58Jhw
DELETE_IN_PROGRESS - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_FAILED - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_IN_PROGRESS - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
DELETE_IN_PROGRESS - AWS::Lambda::Function - PostDashsignupLambdaFunction
DELETE_COMPLETE - AWS::Lambda::Function - PostDashsignupLambdaFunction
DELETE_COMPLETE - AWS::Lambda::Function - CustomDashresourceDashexistingDashcupLambdaFunction
DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
DELETE_IN_PROGRESS - AWS::Logs::LogGroup - PostDashsignupLogGroup
DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
DELETE_COMPLETE - AWS::Logs::LogGroup - PostDashsignupLogGroup
DELETE_COMPLETE - AWS::IAM::Role - IamRoleCustomResourcesLambdaExecution
DELETE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
DELETE_IN_PROGRESS - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
DELETE_COMPLETE - AWS::CloudFormation::CustomResource - PostDashsignupCustomCognitoUserPool1
UPDATE_ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - cognito-signup-service-stage
× Stack cognito-signup-service-stage failed to deploy (263s)
Environment: win32, node 16.17.0, framework 3.22.0 (local) 3.22.0v (global), plugin 6.2.2, SDK 4.3.2
Credentials: Local, "stage" profile
Docs: docs.serverless.com
Support: forum.serverless.com
Bugs: github.com/serverless/serverless/issues
Error:
CREATE_FAILED: PostDashsignupCustomCognitoUserPool1 (Custom::CognitoUserPool)
Received response status [FAILED] from custom resource. Message returned: Role does not have a trust relationship allowing Cognito to assume the role
Following is the serverless.yml file:
service: cognito-signup-service
configValidationMode: error

provider:
  name: aws
  runtime: python3.8
  region: eu-west-1
  timeout: 10
  stage: ${opt:stage, 'dev'}
  environment:
    STAGE: ${self:provider.stage}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ssm:GetParameter"
      Resource:
        - "arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/${self:provider.stage}-db-credentials-secret-arn"
        - "arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/${self:provider.stage}-db-*"
    - Effect: "Allow"
      Action:
        - "secretsmanager:GetSecretValue"
      Resource: "arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:${self:provider.stage}-db-credentials-*"

functions:
  post-signup:
    handler: src.handlers.post_signup.handler
    iamRoleStatementsInherit: true
    events:
      - cognitoUserPool:
          pool: ${env:USER_POOL_NAME}
          trigger: PostConfirmation
          existing: true
          forceDeploy: true
    layers:
      # psycopg2 layer
      - arn:aws:lambda:eu-west-1:770693421928:layer:Klayers-p38-aws-psycopg2:1
      # jsonschema layer
      - arn:aws:lambda:eu-west-1:770693421928:layer:Klayers-p38-jsonschema:12

useDotenv: true

plugins:
  - serverless-iam-roles-per-function
  - serverless-dotenv-plugin

package:
  individually: true
  patterns:
    - "!node_modules/**"
    - "!src/test/**"
    - "!package.json"
    - "!package-lock.json"
    - "!.coverage"
    - "!.coveragerc"
    - "!run_tests.sh"
It's hard to identify why it is only failing to create the trigger. Is something missing in the serverless.yml file?
I have not found a solution to this error for a while now. I would really appreciate some help.
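The error message says a role has no trust relationship allowing Cognito to assume it. As an added diagnostic example (not part of the question above), the function below takes a role's trust policy document, as returned in `AssumeRolePolicyDocument` by `aws iam get-role`, and reports whether the `cognito-idp.amazonaws.com` service principal is allowed to call `sts:AssumeRole`. The two sample policies are constructed for the example; which role the error refers to is not stated in the question, so you would run this against the roles your pool configuration references.

```python
import json
from typing import Any

COGNITO_SERVICE = "cognito-idp.amazonaws.com"

# Constructed sample trust policies (not from the question).
# A role that only trusts Lambda would produce the error in the question.
TRUSTS_LAMBDA_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Same role with Cognito added as a trusted service principal.
TRUSTS_COGNITO = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["lambda.amazonaws.com", COGNITO_SERVICE]},
        "Action": ["sts:AssumeRole"],
    }],
})


def _as_list(value: Any) -> list:
    # IAM allows a string or a list in Action, Statement and Principal.Service.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cognito_can_assume(trust_policy: str) -> bool:
    """True if the trust policy grants sts:AssumeRole to cognito-idp."""
    doc = json.loads(trust_policy)
    allowed = False
    for stmt in _as_list(doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        services = {"*"} if principal == "*" else set(_as_list((principal or {}).get("Service")))
        if not services & {COGNITO_SERVICE, "*"}:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny overrides any allow
        # A conditional allow is not treated as proof; inspect it by hand.
        if stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            allowed = True
    return allowed
```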