Reputation: 3209
I have created one user pool and one identity pool.
I have used the JavaScript SDK.
I am able to sign up, send a confirmation code and confirm the user successfully with the JavaScript SDK.
But when I try to sign in the user with the authenticate method and try to get credentials with "CognitoIdentityCredentials" by passing the idToken with the code below
    var logins = {}; // map of identity provider name to the user pool ID token
    logins[cognitoEndpoint + "/" + userPoolId] = jwtToken;
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: identityPoolId,
        Logins: logins
    });
it's giving me the error below:
    Error: Invalid identity pool configuration. Check assigned IAM roles for this pool.
        at Request.extractError (aws-sdk.js:104063)
        at Request.callListeners (aws-sdk.js:106060)
        at Request.emit (aws-sdk.js:106034)
        at Request.emit (aws-sdk.js:105121)
        at Request.transition (aws-sdk.js:104843)
        at AcceptorStateMachine.runTo (aws-sdk.js:108480)
        at aws-sdk.js:108492
        at Request.<anonymous> (aws-sdk.js:104859)
        at Request.<anonymous> (aws-sdk.js:105123)
        at Request.callListeners (aws-sdk.js:106070)
I have given administrator access to the "Authenticated role" and "Unauthenticated role" of the identity pool and to the user whose credentials I am using.
I am new to AWS. Can anyone tell me what I am missing?
Any help would be appreciated.
Upvotes: 46
Views: 33044
Reputation: 1
When using claim mapping, you must add these to the IAM role policy: "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ]
Upvotes: 0
Reputation: 753
I deactivated the claim mapping inside Identity pools > User access -> Identity Providers -> Attributes for access control -> Claim mapping, and it worked again.
Upvotes: 12
Reputation: 127
I had this issue when I manually added additional roles in Cognito to the already existing ones (previously created with the Amplify CLI).
TLDR: Don't manually create groups and roles if you're going to be using them for Amplify.
My accounts which had this error included the following attributes in the JWT (you can go to jwt.io and see your attributes):
    "cognito:roles": [
        "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*"
    ],
    "cognito:preferred_role": "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*",
Then I found these roles and tried to verify that they have the correct conditions attached to them:
    "Condition": {
        "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "us-west-2:<COGNITO_IDENTITY_POOL_ID>"
        },
        "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "authenticated"
        }
    }
After a few hours of verifying and configuring the roles, it finally started working.
Lessons learned: it's possible to fix them manually too.
Then I manually deleted the groups I had created in Cognito, along with the roles associated with them, and recreated them via the Amplify CLI from scratch. It worked like a charm. Apart from that, this way Amplify will maintain them when I change configs etc.
Upvotes: 1
Reputation: 21
If you are using OpenID, disable attributes for access control and the error will be gone.
Upvotes: 2
Reputation: 111
I had this error working with Amplify. I noticed that the error appeared after I created Cognito user roles from the Amplify CLI. What I did was delete these roles from the CLI and create them again from the AWS Console, and it worked fine!
Upvotes: 0
Reputation: 649
When you create the role in IAM and choose the identity provider, make sure you don't choose the user pool ID; instead, you have to choose the identity pool ID.
Upvotes: 1
Reputation: 1991
Check that the role you have assigned in Cognito Identity Pools (Federated Identities) has a trust relationship with the identity pool.
Get the identity pool ID and the name of the role that isn't working.
In IAM, check the trust relationship for the role. Ensure that the StringEquals condition value matches the identity pool ID.
Edit the trust relationship to fix it.
Upvotes: 125
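As an added example (not code from the question or any of the answers), the script below checks an identity-pool role's trust policy for the problems raised in the answers: the aud condition must equal the identity pool ID (not the user pool ID), the amr condition must match the role being checked, and claim mapping needs sts:TagSession next to sts:AssumeRoleWithWebIdentity. The policy documents, account and pool IDs are constructed placeholders.

```javascript
// Added example, not code from the question or any answer. It checks an
// identity-pool role's trust policy for the mistakes discussed on this page.
// All ids below are constructed placeholders.
const IDENTITY_POOL_ID = "us-west-2:11111111-2222-3333-4444-555555555555";

// Returns a list of problems; an empty array means the trust policy looks right.
// amr is "authenticated" or "unauthenticated" depending on which role is checked;
// needTagSession is true when claim mapping (attributes for access control) is on.
function checkTrustPolicy(policy, identityPoolId, amr, needTagSession) {
  const asList = (v) => (Array.isArray(v) ? v : [v]);
  const problems = [];
  const federated = asList(policy.Statement).filter(
    (s) => s.Effect === "Allow" && s.Principal &&
      s.Principal.Federated === "cognito-identity.amazonaws.com"
  );
  if (federated.length === 0) {
    return ["no Allow statement with Principal.Federated = cognito-identity.amazonaws.com"];
  }
  for (const s of federated) {
    const actions = asList(s.Action);
    if (!actions.includes("sts:AssumeRoleWithWebIdentity"))
      problems.push("Action is missing sts:AssumeRoleWithWebIdentity");
    if (needTagSession && !actions.includes("sts:TagSession"))
      problems.push("claim mapping is on but Action is missing sts:TagSession");
    const cond = s.Condition || {};
    const aud = (cond.StringEquals || {})["cognito-identity.amazonaws.com:aud"];
    if (aud !== identityPoolId)
      problems.push("aud is " + JSON.stringify(aud) + ", expected identity pool id " + identityPoolId);
    const got = (cond["ForAnyValue:StringLike"] || {})["cognito-identity.amazonaws.com:amr"];
    if (got !== amr) problems.push("amr is " + JSON.stringify(got) + ", expected " + amr);
  }
  return problems;
}

// Constructed sample trust policies with placeholder ids, not real AWS resources.
function trustPolicy(aud, amr, actions) {
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow",
    Principal: { Federated: "cognito-identity.amazonaws.com" },
    Action: actions,
    Condition: { StringEquals: { "cognito-identity.amazonaws.com:aud": aud },
                 "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": amr } },
  }] };
}
// Wrong: aud holds a user pool id, and sts:TagSession is absent although claim mapping is on.
const broken = trustPolicy("us-west-2_AbCdEfGhI", "authenticated", "sts:AssumeRoleWithWebIdentity");
// Right: aud is the identity pool id and both STS actions are allowed.
const fixed = trustPolicy(IDENTITY_POOL_ID, "authenticated", ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]);
console.log(checkTrustPolicy(broken, IDENTITY_POOL_ID, "authenticated", true)); // two problems
console.log(checkTrustPolicy(fixed, IDENTITY_POOL_ID, "authenticated", true));  // []
```

Paste the role's trust policy (IAM > Roles > role > Trust relationships) in place of the constructed documents to check a real pool; the aud value to compare against is the identity pool ID shown in the Cognito console.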
Reputation: 193
What you're trying to access here are "Cognito Federated Identity" credentials, which is a separate AWS product from "Cognito User Pools". In order to retrieve these credentials, you need to connect your User Pool to your Federated Identity Pool.
Perhaps this link will help: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html
Also, I would remove admin access from the Unauthenticated permissions; it means anyone with your details has control of your AWS account.
Upvotes: 3