AWS Amplify uses guest credentials, not authenticated creds, in API requests

Question

I am using the AWS Amplify library with MobileHub.

I have a Cognito User Pool connected, and an API Gateway (which communicates with Lambda functions). I'd like my users to sign before accessing resources, so I've enabled "mandatory sign-in" in MobileHub User Sign-In page, and the Cloud Logic page.

Authentication works fine, but when I send a GET request to my API, I receive this error:

"[WARN] 46:22.756 API - ensure credentials error": "cannot get guest credentials when mandatory signin enabled"

I understand that Amplify generates guest credentials, and has put these in my GET request. Since I've enabled "mandatory signin", this doesn't work.

But why is it use guest credentials? I've signed in -- shouldn't it use those credentials? How do I use the authenticated user's information?

Cheers.

EDIT: Here is the code from the Lambda function:

lambda function:

import { success, failure } from '../lib/response';
import * as dynamoDb from '../lib/dynamodb';

export const main = async (event, context, callback) => {
    const params = {
        TableName: 'chatrooms',
        Key: {
            user_id: 'user-abc', //event.pathParameters.user_id,
            chatroom_id: 'chatroom-abc',
        }
    };

    try {
        const result = await dynamoDb.call('get', params);
        if (result.Item) { 
            return callback(null, success(result.Item, 'Item found'));
        } else {
            return callback(null, failure({ status: false }, 'Item not found.'));
        }
    } catch (err) {
        console.log(err);
        return callback(null, failure({ status: false }), err);
    }
}

And these small helper functions:

response.js:

export const success = (body, message) => buildResponse(200, body, message)
export const failure = (body, message) => buildResponse(500, body, message)

const buildResponse = (statusCode, body, message=null) => ({
    statusCode: statusCode,
    headers: {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": true
    },
    body: JSON.stringify({
        ...body,
        message: message
    })
});

dynamodb.js:

import AWS from 'aws-sdk';

AWS.config.update({ region: 'ap-southeast-2' });

export const call = (action, params) => {
    const dynamoDb = new AWS.DynamoDB.DocumentClient();
    return dynamoDb[action](params).promise();
}

Answer 1

You have to use your credentials at each request to use AWS Services : (sample code angular)

SignIn :

import Amplify from 'aws-amplify';
import Auth from '@aws-amplify/auth';

 Amplify.configure({
      Auth: {
        region: ****,
        userPoolId: *****,
        userPoolWebClientId: ******,
      }
    });

//sign in

Auth.signIn(email, password)

Request

import Auth from '@aws-amplify/auth';

from(Auth.currentCredentials())
   .pipe(
      map(credentials => {
        const documentClient = new AWS.DynamoDB.DocumentClient({
          apiVersion: '2012-08-10',
          region: *****,
          credentials: Auth.essentialCredentials(credentials)
       });

       return documentClient.query(params).promise()

      }),
      flatMap(data => {
          return data
       })
)

Answer 2

I'm following the guide "serverless-stack" and was prompt with the same warning message, I was logging in correctly and logging out correctly and did not understand why the warning message. In my case, in the Amplify.configure I skip to add the identity pool id, and that was the problem, User pools and federated identities are not the same.

(English is not my native language)

Answer 3

Have you tried checking why your SignIn request is being rejected/error prone?

Auth.signIn(username, password)
    .then(user => console.log(user))
    .catch(err => console.log(err));

// If MFA is enabled, confirm user signing 
// `user` : Return object from Auth.signIn()
// `code` : Confirmation code  
// `mfaType` : MFA Type e.g. SMS, TOTP.
Auth.confirmSignIn(user, code, mfaType)
    .then(data => console.log(data))
    .catch(err => console.log(err));

You can try this, then it would be easier for you to debug.

Answer 4

From the suggestions on the aws-amplify issues tracker, add an anonymous user to your cognito user pool and hard code the password in your app. Seems like there are other options but this is the simplest in my opinion.