Properly setting up IdentityPoolRoleAttachment

aws

#1

Hey,
I’m trying to setup AWS Cognito properly, this is what I’ve done:

  1. UserPool
  2. IdentityPool
  3. All the roles for all the different federated identities

Having an issue with IdentityPoolRoleAttachment, on deploy I get:

ServerlessError: An error occurred: CognitoIdentityPoolRoleAttachment - Internal Failure.

The resource itself looks like this:

CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacecookAuthenticatedRole
            - FacecookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole

Have I understood it correctly that each federated identity must have its own role? Is my syntax for the roles simply off? Or do I need one attachment per identity (using the Roles/auth/unauth property)?


#2

Hi,

I’m getting same error, could you solve it yet?

My Cognito resource:

Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: Rating${self:custom.stage}IdentityPool
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId:
            Ref: CognitoUserPoolClient
          ProviderName:
            Fn::GetAtt: [ CognitoUserPool, ProviderName ]

  CognitoIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: CognitoIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [ CognitoAuthRole, Arn ]
      RoleMappings:
        AmbiguousRoleResolution: Deny
        Type: Rules
        RulesConfiguration:
          Rules:
          - Claim: custom:role
            MatchType: Equals
            Value: viewer
            RoleARN:
              Fn::GetAtt: [ CognitoAuthRole, Arn ]
          - Claim: custom:role
            MatchType: Equals
            Value: editor
            RoleARN:
              Fn::GetAtt: [ CognitoAuthRole, Arn ]

Outputs:
  IdentityPoolId:
    Value:
      Ref: CognitoIdentityPool

Error message:

  Serverless Error ---------------------------------------
 
  An error occurred: CognitoIdentityPoolRoles - Internal Failure.
 
  Stack Trace --------------------------------------------
 
ServerlessError: An error occurred: CognitoIdentityPoolRoles - Internal Failure.
    at provider.request.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:112:33)
From previous event:
    at AwsDeploy.monitorStack (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:26:12)
    at provider.request.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:95:30)
From previous event:
    at AwsDeploy.update (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:95:8)
From previous event:
    at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:112:12)
From previous event:
    at AwsDeploy.updateStack (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:106:8)
From previous event:
    at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:129:39)
From previous event:
    at Object.aws:deploy:deploy:updateStack [as hook] (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:125:10)
    at BbPromise.reduce (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:55)
From previous event:
    at PluginManager.invoke (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:22)
    at PluginManager.spawn (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:408:17)
    at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:95:48)
From previous event:
    at Object.deploy:deploy [as hook] (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:91:10)
    at BbPromise.reduce (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:55)
From previous event:
    at PluginManager.invoke (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:22)
    at PluginManager.run (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:421:17)
    at variables.populateService.then.then (/sls-1.29.2/node_modules/serverless/lib/Serverless.js:157:33)
    at runCallback (timers.js:794:20)
    at tryOnImmediate (timers.js:752:5)
    at processImmediate [as _immediateCallback] (timers.js:729:5)
From previous event:
    at Serverless.run (/sls-1.29.2/node_modules/serverless/lib/Serverless.js:144:8)
    at serverless.init.then (/sls-1.29.2/node_modules/serverless/bin/serverless:43:50)
    at <anonymous>
 
  Your Environment Information -----------------------------
     OS:                     linux
     Node Version:           8.10.0
     Serverless Version:     1.29.2
 

2018/11/03 02:11:08 Error: exec: internal error

#3

Dear Team,
I am experiencing similar issue, Is this problem solved? my cloudformation template looks like:
Without RoleMappings property is is working.

RavidIdentityPoolRoleAttachment:
DependsOn:
- CognitoIdentityPoolId
- CognitoIPUnAuthorizedRole
- CognitoIPAuthorizedRole
Type: ‘AWS::Cognito::IdentityPoolRoleAttachment’
Properties:
IdentityPoolId: !Ref CognitoIdentityPoolId
RoleMappings:
AmbiguousRoleResolution: AuthenticatedRole
Type: Rules
RulesConfiguration:
Rules:
- Claim: email
MatchType: Contains
RoleARN: !GetAtt CognitoClaimRoleRavid.Arn
Value: ‘testemail’
Roles:
authenticated: !GetAtt CognitoIPAuthorizedRole.Arn
unauthenticated: !GetAtt CognitoIPUnAuthorizedRole.Arn