Sorry forgot to update. I had it figured out - I had the arn resource name missing a dash in the name cognito-identity.amazonaws.com:sub
@jayair Could you share some code that shows how to set up different user groups? It seems like right now the code in the tutorial is set up to allow any authenticated user access to any resource. But I would love to separate users into multiple groups, where different groups have different permissions in terms of what data they can edit. Thank you in advance for your help!
Glad you figured it out. Did you get the API ones working as well?
This one is tricky. You can use User Pool Groups but it isn’t very easy to use. Depending on the type of data, I would suggest managing these roles in your own code.
Yes Jay, API is working as well!

Hi, there seems to be an error in the tutorial, in the final “Resource” block of the IAM policy for Cognito_notesAuth_Role. The final block’s resource ARN should have a trailing /* rather than a trailing /*/*/*. Here’s the corrected policy block:
{
  "Effect": "Allow",
  "Action": [
    "execute-api:Invoke"
  ],
  "Resource": [
    "arn:aws:execute-api:YOUR_API_GATEWAY_REGION:*:YOUR_API_GATEWAY_ID/*"
  ]
}
This error in the tutorial seems to lead to a common cryptic error in the ‘Test the APIs’ section (https://serverless-stack.com/chapters/test-the-apis.html).
This solved my issue, thanks!
Hmm that’s weird. What was the error you got?