Cognito CreateUserPool does not respond

lambda
#1

Calling the cognito identity service provider seems to never respond by callback when executed by my lambda function. I’d seen errors due to incorrect parameters and once those cleaned up I never get a response. Neither err or data is received.

cognitoidentityserviceprovider.createUserPool(params, function (err, data) {
if (err) {
console.error(err);
reject(err);
} else {
console.log(data);
resolve(data);
}
});

#2

Hi, can you provide the whole function?

#3

export async function reg(event, context) {
try {
console.log(‘awaiting on createUserPool’);
let myResult = await createUserPool(‘hardcoded-tenant-id-1’,context);
if(myResult){
console.log(myResult);
return success(myResult)
}else{
console.log(‘nope’)
return failure({status: false});
}
} catch (e) {
console.log(‘exception calling createUserPool’);
console.error(e);
return failure({ status: false });
}
}

/**

  • Create a new User Pool for a new tenant

  • @param tenantId The ID of the new tenant

  • @param callback Callback with created tenant results
    */
    function createUserPool (tenantId,context) {

    console.log(‘invokedFunctionArn’,context.invokedFunctionArn);

    const functionArnCols = context.invokedFunctionArn.split(’:’)
    const region = functionArnCols[3]
    const accountId = functionArnCols[4]

    var promise = new Promise(function(resolve, reject) {

     // init the service provider and email message content
     AWS.config.region = 'us-east-1'; // Region
     AWS.config.credentials = new AWS.CognitoIdentityCredentials({
         IdentityPoolId: '...'
     });
    
     AWSCognito.config.region = 'us-east-1';
     AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
         IdentityPoolId: '...'
     });
    
     AWSCognito.config.update({
         accessKeyId: 'redacted',
         secretAccessKey: 'redacted'
     })
    
     var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({
         apiVersion: '2016-04-18',
         region: 'us-east-1'     //configuration.aws_region
     });
    
     // let SnsArn = 'arn:aws:sns:' + region + ':' + accountId + ':' + TOPIC_NAME // ; //configuration.role.sns;
     let SnsArn = 'arn:aws:sns:us-east-1:redacted:sns-user-reg-topic';
     console.log(SnsArn);
    
     //Invite Message:
     var inviteMessage = '<img src="https://d0.awsstatic.com/partner-network/logo_apn.png" alt="AWSPartner"> <br><br>Welcome to the AWS QuickStart for SaaS Identity, featuring Cognito. <br><br>Login to the Multi-Tenant Identity Reference Architecture. <br><br>Username: {username} <br><br>Password: {####}';
     var emailSubject = 'AWS-QuickStart-SaaS-Identity-Cognito';
     // init JSON structure with pool settings
     var params = {
         PoolName: tenantId, /* required */
         AdminCreateUserConfig: {
             AllowAdminCreateUserOnly: true,
             InviteMessageTemplate: {
                 EmailMessage: inviteMessage,
                 EmailSubject: 'emailSubject'
                 // SMSMessage: 'STRING_VALUE'
             },
             UnusedAccountValidityDays: 90
         },
         AliasAttributes: [
             'phone_number'
         ],
         AutoVerifiedAttributes: [
             'email',
             'phone_number'
             /* more items */
         ],
         MfaConfiguration: 'OFF',
         Policies: {
             PasswordPolicy: {
                 MinimumLength: 8,
                 RequireLowercase: true,
                 RequireNumbers: true,
                 RequireSymbols: false,
                 RequireUppercase: true
             }
         },
         Schema: [
             {
                 AttributeDataType: 'String',
                 DeveloperOnlyAttribute: false,
                 Mutable: false,
                 Name: 'tenant_id',
                 NumberAttributeConstraints: {
                     MaxValue: '256',
                     MinValue: '1'
                 },
                 Required: false,
                 StringAttributeConstraints: {
                     MaxLength: '256',
                     MinLength: '1'
                 }
             },
             /* more items */
             {
                 AttributeDataType: 'String',
                 DeveloperOnlyAttribute: false,
                 Mutable: true,
                 Name: 'tier',
                 NumberAttributeConstraints: {
                     MaxValue: '256',
                     MinValue: '1'
                 },
                 Required: false,
                 StringAttributeConstraints: {
                     MaxLength: '256',
                     MinLength: '1'
                 }
             },
             {
                 Name: "email",
                 Required: true
             },
             {
                 AttributeDataType: 'String',
                 DeveloperOnlyAttribute: false,
                 Mutable: true,
                 Name: 'company_name',
                 NumberAttributeConstraints: {
                     MaxValue: '256',
                     MinValue: '1'
                 },
                 Required: false,
                 StringAttributeConstraints: {
                     MaxLength: '256',
                     MinLength: '1'
                 }
             },
             {
                 AttributeDataType: 'String',
                 DeveloperOnlyAttribute: false,
                 Mutable: true,
                 Name: 'role',
                 NumberAttributeConstraints: {
                     MaxValue: '256',
                     MinValue: '1'
                 },
                 Required: false,
                 StringAttributeConstraints: {
                     MaxLength: '256',
                     MinLength: '1'
                 }
             },
             {
                 AttributeDataType: 'String',
                 DeveloperOnlyAttribute: false,
                 Mutable: true,
                 Name: 'account_name',
                 NumberAttributeConstraints: {
                     MaxValue: '256',
                     MinValue: '1'
                 },
                 Required: false,
                 StringAttributeConstraints: {
                     MaxLength: '256',
                     MinLength: '1'
                 }
             }
         ],
         SmsConfiguration: {
             SnsCallerArn: SnsArn, /* required */
             ExternalId: 'QuickStartTest'
         },
         UserPoolTags: {
             someKey: tenantId
             /* anotherKey: ... */
         }
     };
    
     // resolve('this is manually resolved');
    
     // create the pool
     try{
         cognitoidentityserviceprovider.createUserPool(params, function (err, data) {
             if (err) {
                 console.error(err);
                 reject(err);
             } else {
                 console.log(data);
                 resolve(data);
             }
         });
     } catch (cupE){
         console.log(cupE);
         reject(cupE);
     }
    

    });

    return promise;
    }

#4

Running offline I now see that I have this error. But I don’t see that online.

‘Role arn does not belong to your account.’

Online just reports that the function timed out in 6 seconds.

#5

What about your console.log/error calls? Have seen any logs?

#6

That’s an interesting point also. The logs in the promise callbacks or after the return of await do not show up anywhere in CloudWatch when running online. Offline they work fine in the terminal where I’m running serverless. That’s where I see message: ‘Role arn does not belong to your account.’,
code: ‘NotAuthorizedException’,

#7

I feel I need to fix my serverless.yml to set the correct authorization but I can’t find what I need to have there.

iamRoleStatements:
- Effect: Allow
Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- cognito-identity:CreateIdentityPool

#8

interesting, I would try to move try { to the top of the promise part, right before // init the service provider and email message content + add a few more console.log before each new AWS....