Hey,
I’m trying to set up AWS Cognito properly; this is what I’ve done:
- UserPool
- IdentityPool
- All the roles for all the different federated identities
I’m having an issue with IdentityPoolRoleAttachment; on deploy I get:
ServerlessError: An error occurred: CognitoIdentityPoolRoleAttachment - Internal Failure.
The resource itself looks like this:
```yaml
CognitoIdentityPoolRoleAttachment:
  DependsOn: UserPoolAuthenticatedRole
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPoolStandardUserIdentityPool
    RoleMappings:
      "cognito-identity.amazonaws.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - UserPoolAuthenticatedRole
            - UserPoolUnauthenticatedRole
      "graph.facebook.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - FacecookAuthenticatedRole
            - FacecookUnauthenticatedRole
      "accounts.google.com":
        AmbiguousRoleResolution: AuthenticatedRole
        RulesConfiguration:
          Rules:
            - GoogleAuthenticatedRole
            - GoogleUnauthenticatedRole
```
Have I understood it correctly that each federated identity must have its own role? Is my syntax for the roles simply off? Or do I need one attachment per identity (using the Roles/auth/unauth property)?
Hi,
I’m getting the same error; have you been able to solve it yet?
My Cognito resource:
```yaml
Resources:
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: Rating${self:custom.stage}IdentityPool
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId:
            Ref: CognitoUserPoolClient
          ProviderName:
            Fn::GetAtt: [ CognitoUserPool, ProviderName ]
  CognitoIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: CognitoIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [ CognitoAuthRole, Arn ]
      RoleMappings:
        AmbiguousRoleResolution: Deny
        Type: Rules
        RulesConfiguration:
          Rules:
            - Claim: custom:role
              MatchType: Equals
              Value: viewer
              RoleARN:
                Fn::GetAtt: [ CognitoAuthRole, Arn ]
            - Claim: custom:role
              MatchType: Equals
              Value: editor
              RoleARN:
                Fn::GetAtt: [ CognitoAuthRole, Arn ]
Outputs:
  IdentityPoolId:
    Value:
      Ref: CognitoIdentityPool
```
Error message:
```text
Serverless Error ---------------------------------------
An error occurred: CognitoIdentityPoolRoles - Internal Failure.
Stack Trace --------------------------------------------
ServerlessError: An error occurred: CognitoIdentityPoolRoles - Internal Failure.
at provider.request.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:112:33)
From previous event:
at AwsDeploy.monitorStack (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:26:12)
at provider.request.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:95:30)
From previous event:
at AwsDeploy.update (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:95:8)
From previous event:
at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:112:12)
From previous event:
at AwsDeploy.updateStack (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/lib/updateStack.js:106:8)
From previous event:
at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:129:39)
From previous event:
at Object.aws:deploy:deploy:updateStack [as hook] (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:125:10)
at BbPromise.reduce (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:55)
From previous event:
at PluginManager.invoke (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:22)
at PluginManager.spawn (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:408:17)
at AwsDeploy.BbPromise.bind.then (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:95:48)
From previous event:
at Object.deploy:deploy [as hook] (/sls-1.29.2/node_modules/serverless/lib/plugins/aws/deploy/index.js:91:10)
at BbPromise.reduce (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:55)
From previous event:
at PluginManager.invoke (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:390:22)
at PluginManager.run (/sls-1.29.2/node_modules/serverless/lib/classes/PluginManager.js:421:17)
at variables.populateService.then.then (/sls-1.29.2/node_modules/serverless/lib/Serverless.js:157:33)
at runCallback (timers.js:794:20)
at tryOnImmediate (timers.js:752:5)
at processImmediate [as _immediateCallback] (timers.js:729:5)
From previous event:
at Serverless.run (/sls-1.29.2/node_modules/serverless/lib/Serverless.js:144:8)
at serverless.init.then (/sls-1.29.2/node_modules/serverless/bin/serverless:43:50)
at <anonymous>
Your Environment Information -----------------------------
OS: linux
Node Version: 8.10.0
Serverless Version: 1.29.2
2018/11/03 02:11:08 Error: exec: internal error
```
Dear Team,
I am experiencing a similar issue. Is this problem solved? My CloudFormation template looks like this (without the RoleMappings property it is working):
```yaml
RavidIdentityPoolRoleAttachment:
  DependsOn:
    - CognitoIdentityPoolId
    - CognitoIPUnAuthorizedRole
    - CognitoIPAuthorizedRole
  Type: 'AWS::Cognito::IdentityPoolRoleAttachment'
  Properties:
    IdentityPoolId: !Ref CognitoIdentityPoolId
    RoleMappings:
      AmbiguousRoleResolution: AuthenticatedRole
      Type: Rules
      RulesConfiguration:
        Rules:
          - Claim: email
            MatchType: Contains
            RoleARN: !GetAtt CognitoClaimRoleRavid.Arn
            Value: 'testemail'
    Roles:
      authenticated: !GetAtt CognitoIPAuthorizedRole.Arn
      unauthenticated: !GetAtt CognitoIPUnAuthorizedRole.Arn
```
The way it worked for me:
```yaml
CognitoIdentityPoolRoles:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId:
      Ref: CognitoIdentityPool
    Roles:
      authenticated:
        Fn::GetAtt: [adminRole, Arn]
    RoleMappings:
      "accounts.google.com":
        AmbiguousRoleResolution: Deny
        Type: Rules
        RulesConfiguration:
          Rules:
            - Claim: "custom:email"
              MatchType: "Equals"
              Value: "1"
              RoleARN:
                Fn::GetAtt: [ superAdminRole, Arn ]
```
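As an added example that is not part of this thread, here is a small Python pre-deploy check for the `RoleMappings` block that encodes the difference between the failing templates above and the working one: `RoleMappings` is a map keyed by the identity-provider name, each entry needs a `Type` and an `AmbiguousRoleResolution`, and each rule is an object with `Claim`, `MatchType`, `Value` and `RoleARN` rather than a bare role name. It assumes the template has already been parsed into Python dicts (for example with `json.load` or `yaml.safe_load`); the three sample resources are constructed to mirror the shapes posted in this thread, and the `get_att` helper and the logical IDs in them are illustrative, not from anyone's real stack.

```python
"""Pre-deploy lint for the RoleMappings block of AWS::Cognito::IdentityPoolRoleAttachment.

Added example, not code from this thread. It expects a template already parsed into
Python dicts (json.load / yaml.safe_load); the samples below are constructed to
mirror the shapes posted above.
"""
from __future__ import annotations

from typing import Any

# Properties of a single RoleMapping entry, one level below the provider-name key.
# Seeing them directly under RoleMappings means the provider key was left out.
MAPPING_PROPS = {"Type", "AmbiguousRoleResolution", "RulesConfiguration"}
RULE_PROPS = {"Claim", "MatchType", "Value", "RoleARN"}
MATCH_TYPES = {"Equals", "Contains", "StartsWith", "NotEqual"}
RESOLUTIONS = {"AuthenticatedRole", "Deny"}


def lint_role_attachment(name: str, resource: dict[str, Any]) -> list[str]:
    """Return findings for one resource; an empty list means the block is well formed."""
    findings: list[str] = []
    if resource.get("Type") != "AWS::Cognito::IdentityPoolRoleAttachment":
        return findings
    mappings = resource.get("Properties", {}).get("RoleMappings")
    if mappings is None:
        return findings  # Roles-only attachment, nothing to check here
    if not isinstance(mappings, dict) or set(mappings) & MAPPING_PROPS:
        findings.append(f"{name}: RoleMappings must be a map keyed by identity-provider "
                        "name (e.g. 'accounts.google.com'); mapping properties found at top level")
        return findings
    for provider, mapping in mappings.items():
        where = f"{name}/{provider}"
        if not isinstance(mapping, dict):
            findings.append(f"{where}: mapping must be an object, not {mapping!r}")
            continue
        if mapping.get("Type") not in {"Token", "Rules"}:
            findings.append(f"{where}: Type must be 'Token' or 'Rules'")
        resolution = mapping.get("AmbiguousRoleResolution")
        if resolution not in RESOLUTIONS:
            findings.append(f"{where}: AmbiguousRoleResolution must be 'AuthenticatedRole' or 'Deny'")
        elif resolution == "AuthenticatedRole":
            # Not a template error, but worth a look: identities matching no rule
            # silently receive the pool's default authenticated role.
            findings.append(f"{where}: review: unmatched identities get the default authenticated role")
        if mapping.get("Type") == "Rules" or "RulesConfiguration" in mapping:
            rules = mapping.get("RulesConfiguration", {}).get("Rules", [])
            if not rules:
                findings.append(f"{where}: RulesConfiguration.Rules is empty")
            for i, rule in enumerate(rules):
                # The first post lists bare role names here; each rule must be an object.
                if not isinstance(rule, dict):
                    findings.append(f"{where}: rule {i} is {rule!r}, not a Claim/MatchType/Value/RoleARN object")
                    continue
                if missing := RULE_PROPS - rule.keys():
                    findings.append(f"{where}: rule {i} is missing {sorted(missing)}")
                if rule.get("MatchType") not in MATCH_TYPES:
                    findings.append(f"{where}: rule {i} has unknown MatchType {rule.get('MatchType')!r}")
    return findings


def lint_template(template: dict[str, Any]) -> list[str]:
    """Run the check over every resource in a parsed template."""
    return [f for name, res in template.get("Resources", {}).items()
            for f in lint_role_attachment(name, res)]


def get_att(logical_id: str, attr: str) -> dict[str, list[str]]:
    """Illustrative helper building a parsed Fn::GetAtt node."""
    return {"Fn::GetAtt": [logical_id, attr]}


# Constructed sample mirroring the first post: provider keys, but Rules are bare role names.
BARE_ROLE_NAMES = {"Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": {
    "IdentityPoolId": {"Ref": "IdentityPool"},
    "RoleMappings": {"accounts.google.com": {
        "AmbiguousRoleResolution": "AuthenticatedRole",
        "RulesConfiguration": {"Rules": ["GoogleAuthenticatedRole", "GoogleUnauthenticatedRole"]}}}}}

# Constructed sample mirroring the second post: mapping properties directly under RoleMappings.
MISSING_PROVIDER_KEY = {"Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": {
    "IdentityPoolId": {"Ref": "IdentityPool"},
    "Roles": {"authenticated": get_att("CognitoAuthRole", "Arn")},
    "RoleMappings": {"AmbiguousRoleResolution": "Deny", "Type": "Rules", "RulesConfiguration": {"Rules": [
        {"Claim": "custom:role", "MatchType": "Equals", "Value": "viewer",
         "RoleARN": get_att("CognitoAuthRole", "Arn")}]}}}}

# Constructed sample mirroring the last post: provider key, Type, Deny, complete rule objects.
WORKING = {"Type": "AWS::Cognito::IdentityPoolRoleAttachment", "Properties": {
    "IdentityPoolId": {"Ref": "IdentityPool"},
    "Roles": {"authenticated": get_att("adminRole", "Arn")},
    "RoleMappings": {"accounts.google.com": {"AmbiguousRoleResolution": "Deny", "Type": "Rules",
        "RulesConfiguration": {"Rules": [{"Claim": "custom:email", "MatchType": "Equals", "Value": "1",
                                          "RoleARN": get_att("superAdminRole", "Arn")}]}}}}}

if __name__ == "__main__":
    samples = {"BareRoleNames": BARE_ROLE_NAMES, "MissingProviderKey": MISSING_PROVIDER_KEY, "Working": WORKING}
    for f in lint_template({"Resources": samples}) or ["no findings"]:
        print(f)
```

Run against the three samples, the first two produce findings and the last produces none. The check deliberately treats `AmbiguousRoleResolution: AuthenticatedRole` as a review item rather than an error: it is valid, but any authenticated identity that matches no rule then quietly receives the pool's default authenticated role, whereas `Deny`, as in the last post, fails closed.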