Riley M.

Reputation: 21

Web Interface for AWS Cognito Identity Pool Not Saving Changes For Authenticated Provider Role Selection

In an identity pool in AWS Cognito I am trying to make users assume an IAM Role based on the group that they belong to in a user pool. Whenever I select Edit Identity Pool > Authentication Providers > "Choose Role From Token" and then click save changes, I get a banner at the top of my screen saying changes saved successfully, but if I go back and look at the settings they have returned to "Use Default Role" instead of "Choose Role From Token". Is this a bug, do I have something configured wrong where that is an invalid option, or another potential issue? Here is an image of what settings I select and want to take effect. Here is the state that it currently is in and what it returns to after I press save changes.

Upvotes: 2

Views: 783

Answers (3)

harry

Reputation: 31

AWS CLI Command for Setting Identity Pool Role with Option "Choose Role From Token"

    aws cognito-identity set-identity-pool-roles \
        --identity-pool-id "IDENTITY POOL ID" \
        --roles authenticated="Auth IAM Role ARN",unauthenticated="UnAuth IAM Role ARN" \
        --role-mappings 'cognito-idp.<<AWS REGION>>.amazonaws.com/<<USER POOL ID>>:<<APP CLIENT ID>>={Type=Token,AmbiguousRoleResolution=Deny}'

Upvotes: 1

snarayans

Reputation: 1

I had the same problem with the UI; thanks for this post, I tried the CLI.

identity_roles.json

    {
        "IdentityPoolId": "us-east-1:pool_id",
        "Roles": {
            "unauthenticated": "arn:aws:iam::account_id:role/UnAuthDefaultRole",
            "authenticated": "arn:aws:iam::account_id:role/AuthDefaultRole"
        },
        "RoleMappings": {
            "cognito-idp.us-east-1.amazonaws.com/user-pool-id:app-id": {
                "Type": "Token",
                "AmbiguousRoleResolution": "AuthenticatedRole"
            }
        }
    }

    aws cognito-identity get-identity-pool-roles --identity-pool-id us-east-1:identity_pool_id

    aws cognito-identity set-identity-pool-roles --cli-input-json file://$PWD/identity_roles.json

Upvotes: 0
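As an added example (not code from the question or either answer), here is a Python helper that applies the Token role mapping both CLI answers set and then reads the pool's roles back, pairing set-identity-pool-roles with get-identity-pool-roles the way the JSON answer does, so a save that reports success but reverts to the default role is caught. It assumes boto3's cognito-identity client method names; the ids, ARNs and the FakeClient stand-in are constructed placeholders.

```python
"""Added example (not code from the question or either answer): apply the
"Choose role from token" mapping that the CLI answers set, then read it back
to confirm it stuck, the check the web console failed here. Ids and ARNs are
placeholders; `client` is anything exposing boto3's cognito-identity
set_identity_pool_roles / get_identity_pool_roles methods."""
from typing import Any, Dict

def build_role_mappings(region: str, user_pool_id: str, app_client_id: str,
                        ambiguous: str = "Deny") -> Dict[str, Dict[str, str]]:
    """Token-based role selection for one user-pool app client.
    "Deny" refuses credentials to users whose token carries no mapped role;
    "AuthenticatedRole" (the JSON answer's choice) hands them the default
    authenticated role instead, so prefer "Deny" unless that is intended."""
    if ambiguous not in ("Deny", "AuthenticatedRole"):
        raise ValueError(f"invalid AmbiguousRoleResolution: {ambiguous}")
    provider = f"cognito-idp.{region}.amazonaws.com/{user_pool_id}:{app_client_id}"
    return {provider: {"Type": "Token", "AmbiguousRoleResolution": ambiguous}}

def roles_match(expected: Dict[str, Any], actual: Dict[str, Any]) -> bool:
    """True when every requested role and mapping is reported back unchanged."""
    if actual.get("Roles", {}) != expected["Roles"]:
        return False
    got = actual.get("RoleMappings", {})
    return all(got.get(k) == v for k, v in expected["RoleMappings"].items())

def apply_and_verify(client: Any, identity_pool_id: str, roles: Dict[str, str],
                     role_mappings: Dict[str, Dict[str, str]]) -> bool:
    """Write the configuration, then re-read it rather than trusting a banner."""
    request = {"IdentityPoolId": identity_pool_id, "Roles": roles,
               "RoleMappings": role_mappings}
    client.set_identity_pool_roles(**request)
    current = client.get_identity_pool_roles(IdentityPoolId=identity_pool_id)
    return roles_match(request, current)

class FakeClient:
    """Constructed offline stand-in; drop_mappings=True mimics a save that
    reports success but silently reverts the mapping to the default role."""
    def __init__(self, drop_mappings: bool = False) -> None:
        self.drop, self.state = drop_mappings, {}
    def set_identity_pool_roles(self, **kw: Any) -> None:
        self.state = {k: v for k, v in kw.items()
                      if not (self.drop and k == "RoleMappings")}
    def get_identity_pool_roles(self, IdentityPoolId: str) -> Dict[str, Any]:
        return dict(self.state)
```

Against a real account, pass `boto3.client("cognito-identity")` in place of `FakeClient()`; the call needs the same permissions the CLI commands above use.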

Riley M.

Reputation: 21

I am confident that this must be a bug with the AWS web console and not a fault of my own. After troubleshooting as much as I could, I set up the AWS CLI and ran the necessary commands from there and it worked on the first try. After revisiting the page in the AWS web console the changes were reflected properly and my authentication now works properly.

Upvotes: 0
