I am working on a snippet of code that interacts with an API call to my AWS instance for Cognito; it runs the following snippet:
    public function getCognitoIDPSettings(LoggerInterface $logger, string $cognitoCustomerUserpoolIDP): array
    {
        // Request body sent to the Cognito API
        $body = json_encode([
            'cognito_customer_user_pool_idp_id' => $cognitoCustomerUserpoolIDP,
        ]);
        $url = COGNITO_API_INVOKE_URL . '/idp/get';
        $response = $this->postFunction($logger, $url, $body, 'application/json');
        // Throws when the API answered with a non-success status
        $this->checkResponseStatus($response);
        // Decode the JSON response body into an associative array
        $body = json_decode($response->getContent(), true);
        if (JSON_ERROR_NONE !== json_last_error()) {
            throw new JsonException("failed decoding response from cognito api");
        }
        return $body;
    }
When it hits the:
    $response = $this->postFunction($logger, $url, $body, 'application/json');
it errors with:
Error: "Got an error from API: \u0027{\u0022message\u0022: \u0022Internal server error\u0022}\u0027 with error code 0"
File: /var/www/billing/src/Domain/Auth/CognitoAPIFacade.php
Line: 398
This error isn't very indicative, so I jumped into CloudWatch and found:
I can see it's an "Access Denied" error, but I want to dig deeper into where this is occurring, or whether there's a way I can best diagnose this further. Any ideas from people who have faced a similar problem and can provide some useful guidance?
2 Answers
The resolution for this was that it wasn't actually an access denied issue; it was masqueraded as one because I was passing the incorrect ID. It's an AWS security layer that returns Access Denied rather than Incorrect ID.
If AWS were to return an Incorrect ID error, it would make brute force attacks more effective.
AWS has a large tutorial on how to troubleshoot Access Denied errors. Basically: Check CloudTrail.
My assumption would be that your lambda is just lacking the correct IAM permissions to access the resource.
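As an added example (not the asker's code or AWS's), here is a `checkResponseStatus` that unwraps the layered error body seen in the question (JSON \u0022/\u0027 escapes around a single-quoted JSON object) and records the HTTP status plus API Gateway's request id, so the failure can be correlated with the CloudWatch and CloudTrail entries the answers point to. It assumes the client is Symfony HttpClient (whose `getContent()` the snippet uses); `unwrapApiError` and the sample body are constructed for this example.

```php
<?php
declare(strict_types=1);

use Symfony\Contracts\HttpClient\ResponseInterface;

/**
 * Unwrap up to three layers: a JSON string literal with \u0022/\u0027 escapes,
 * surrounding single quotes, then the JSON object itself.
 * Returns the decoded object, or null when nothing parseable is found.
 */
function unwrapApiError(string $raw): ?array
{
    $text = trim($raw);
    // Layer 1: escaped form such as \u0027{\u0022message\u0022: ...}\u0027
    if (str_contains($text, '\u00')) {
        $decoded = json_decode('"' . $text . '"');
        if (is_string($decoded)) {
            $text = $decoded;
        }
    }
    // Layer 2: the body may be wrapped in single quotes: '{"message": ...}'
    $text = trim($text, "'");
    // Layer 3: the JSON object, e.g. {"message": "Internal server error"}
    $obj = json_decode($text, true);
    return (JSON_ERROR_NONE === json_last_error() && is_array($obj)) ? $obj : null;
}

/** Hypothetical replacement for the snippet's checkResponseStatus(). */
function checkResponseStatus(ResponseInterface $response): void
{
    $status = $response->getStatusCode();
    if ($status < 400) {
        return;
    }
    // false: do not throw on 4xx/5xx, we want the body and headers ourselves
    $headers = $response->getHeaders(false);
    $requestId = $headers['x-amzn-requestid'][0] ?? 'n/a';
    $upstream = unwrapApiError($response->getContent(false));
    throw new RuntimeException(sprintf(
        'Cognito API call failed: HTTP %d, upstream message "%s", API Gateway request id %s',
        $status,
        $upstream['message'] ?? 'none',
        $requestId
    ));
}

// Constructed sample: the body from the question's error string.
$sample = '\u0027{\u0022message\u0022: \u0022Internal server error\u0022}\u0027';
assert(unwrapApiError($sample) === ['message' => 'Internal server error']);
```

The request id in the exception is the value to search for in the API Gateway and Lambda logs; an "Access Denied" there with a 500 at the client is consistent with the masked wrong-ID case described in the first answer.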