Reputation: 319
I'm trying to set up Cognito to manage my user pool and set up phone verification. Unfortunately, the AWS docs seem out of date.
According to this doc, I should see a create IAM role button on my Cognito page, but it isn't there: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html
I am guessing they removed the option, but I also don't see a way to manually create the proper role. Cognito isn't listed as one of the services you can create a role for.
There is a Web identity tab in the above image, so I tried to use that. Sure enough, there is an option to create a role, and even give it the SNS access needed to send SMS, but it isn't a service role. The ARN that is generated does not have the /service-role/ path that the first image has. I can't figure out any way to change the arn to include it and if I just try to run my application without it, I still get the error message:
    [00:20:30] error signing up Object {
    [00:20:30]   "code": "InvalidSmsRoleTrustRelationshipException",
    [00:20:30]   "message": "Role does not have a trust relationship allowing Cognito to assume the role",
    [00:20:30]   "name": "InvalidSmsRoleTrustRelationshipException",
    [00:20:30] }
Is Cognito broken right now?? I'm sure I'm missing something...
Upvotes: 4
Views: 6419
Reputation: 3656
As answered here, you must use the CLI to create a service role with the --path flag in order to get that prefix. However, even after creating this, it will still not work for Cognito. Yes, there is an ExternalId value that could be set to what it used to be if you were to call cognito-idp get-user-pool-mfa-config --user-pool-id=...
However, even if you do update it to reflect the very same ID, it still might not work (didn't for me). So here's the trick. Have AWS web console re-create the role for you. Just use a brand new user pool to do it.
Ensure you have the old role removed. Set up a new user pool, enable MFA, and at the bottom of that settings page you will see an input box with a button "Create Role". Ensure the name is what your previous name was (I don't even think the slashes are allowed here anyway).
This will create the IAM role. Next, you must then edit it and put back that original ExternalId value. Again, you can find this by using the get-user-pool-mfa-config command.
Note that the new pool you created will now have the same problem. It won't allow settings to be changed because it will still think the role is in the process of being created. However, your old pool will be just fine. You can issue another CLI command to completely disable MFA for this new pool if you need/want with aws cognito-idp set-user-pool-mfa-config --user-pool-id=xxx --region=xxx --mfa-configuration OFF
and/or simply delete this temporary user pool that you created solely to re-create the deleted role.
Upvotes: 1
Reputation: 21
To re-populate the Cognito role you've deleted you have to use the AWS CLI; it is not possible in the web interface.
    aws iam create-role --path /service-role/ --role-name words --assume-role-policy-document file://morewords
Upvotes: 2
Reputation: 8484
I've just had a try and I get the "create role" button, but looking at your UI you've already created the role, at which point AWS hides it and just shows the arn of the role that's been created.
That said, if you need to re-create it from scratch for whatever reason, you can do so; however, you'll have to leave the visual editor. The easiest way is to assign whatever to the trust relationship page, and then once the role has been created, select it, switch to the Trust Relationships tab, press Edit Trust Relationship and then replace the JSON with the following:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "cognito-idp.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "generate-your-own-uuid-here"
            }
          }
        }
      ]
    }
n.b. for completeness, the inline policy for the role should also be:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sns:publish"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
Upvotes: 6
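The answers above converge on the same requirements for the SMS role: a trust statement naming cognito-idp.amazonaws.com for sts:AssumeRole, scoped by the sts:ExternalId the pool's MFA config reports, plus an sns:Publish permission. The following is an added example (not code from any answer or from AWS) that builds those two documents and checks an existing trust policy for the mismatches that produce InvalidSmsRoleTrustRelationshipException; the role name and ExternalId values are constructed placeholders.

```python
import json

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy that lets only Cognito assume the role, bound to one ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_sns_policy() -> dict:
    """Inline permission policy: the role may publish SMS via SNS."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": ["*"]}]}


def trust_policy_problems(policy: dict, expected_external_id: str) -> list:
    """Return findings explaining why Cognito could reject this trust policy (empty = OK).
    expected_external_id is the value reported by
    `aws cognito-idp get-user-pool-mfa-config --user-pool-id ...` for the pool."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if COGNITO_PRINCIPAL in services and "sts:AssumeRole" in actions:
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if ext is None:
                return ["trust statement has no sts:ExternalId condition (any Cognito pool could use it)"]
            if ext != expected_external_id:
                return [f"sts:ExternalId {ext!r} does not match the pool's value {expected_external_id!r}"]
            return []
    return [f"no Allow statement trusting {COGNITO_PRINCIPAL} for sts:AssumeRole"]


if __name__ == "__main__":
    # Constructed sample: the pool reports this ExternalId, but the role was rebuilt with a fresh one.
    pool_external_id, rebuilt_role_policy = "11111111-aaaa", build_trust_policy("22222222-bbbb")
    print(trust_policy_problems(rebuilt_role_policy, pool_external_id))
    print(json.dumps(build_trust_policy(pool_external_id), indent=2))  # document for create-role / update-assume-role-policy
```

The policy documents print ready to pass as `--assume-role-policy-document` (with `--path /service-role/`) and `--policy-document` to the CLI commands shown in the answers.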