Can't set writeable or readable properties on user pool client


I am trying to configure my user pool client to have write access to user pool attributes. The following code works fine if I comment out the WriteAttributes property, but by default AWS doesn’t set write access to custom attributes, and in this case I have one called role. But when I leave it in, I get this error:

An error occurred while provisioning your stack: WebAppUserPoolWebClient - Invalid write attributes specified while updating a client (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidParameterException;

I’m not sure what is wrong. On the AWS docs it says I need to provide a string, but it doesn’t mention what format it should be in exactly. I’ve tried just role, even "role", but nothing seems to work and I always get that same error. Any help would be appreciated.

    WebAppUserPoolWebClient:
      Type: "AWS::Cognito::UserPoolClient"
      Properties:
        ClientName: Web
        GenerateSecret: false
        UserPoolId:
          Ref: WebAppUserPool
        WriteAttributes:
          - custom:role

I figured it out. If you have a custom attribute, you need to define it as "custom:<attribute>" where <attribute> is your custom attribute. It must be wrapped in quotes!


One more thing here: You must not include the “custom:” prefix in the Name when you actually define the Schema attribute, or else it’ll end up getting called “custom:custom:attributename” and you’ll get the error “Invalid read attributes specified while creating a client” or “Invalid write attributes specified while creating a client” when you go to reference it in ReadAttributes/WriteAttributes.

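Putting the two answers together, here is an added CloudFormation example (not the original poster's template): the custom attribute is declared in the pool's Schema without the custom: prefix, and the app client refers to it as the quoted "custom:role". The resource names, the email attribute, the length constraints and Mutable: true are my assumptions.

```yaml
Resources:
  WebAppUserPool:
    Type: "AWS::Cognito::UserPool"
    Properties:
      UserPoolName: web-app-users   # assumed name
      Schema:
        - Name: email
          AttributeDataType: String
          Required: true
        # Declare the custom attribute WITHOUT the "custom:" prefix.
        # Cognito adds the prefix itself; writing "custom:role" here
        # would create "custom:custom:role" and the client references
        # below would fail with "Invalid write attributes specified".
        - Name: role
          AttributeDataType: String
          Mutable: true   # assumed: allows the value to change after sign-up
          StringAttributeConstraints:
            MinLength: "1"
            MaxLength: "64"

  WebAppUserPoolWebClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: Web
      GenerateSecret: false
      UserPoolId:
        Ref: WebAppUserPool
      # Reference the attribute WITH the "custom:" prefix, in quotes.
      ReadAttributes:
        - "email"
        - "custom:role"
      # Keep this list to the attributes the client genuinely needs to change.
      WriteAttributes:
        - "custom:role"
```

Anything listed in WriteAttributes can be changed by the signed-in user through UpdateUserAttributes with their own access token, so an attribute that drives authorization decisions (such as a role) is usually better left readable by the client and written only by a backend using admin credentials.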

Thank you, I mean it, THANK you.