
I have created one user pool & identity pool.

I have used javascript sdk.

I am able to signup, send confirmation code & confirm user successfully with javascript sdk.

But when I try to sign in the user with the authenticate method and then try to get credentials with "CognitoIdentityCredentials" by passing the idToken, using the code below:

    // The Logins key for a user pool is "cognito-idp.<region>.amazonaws.com/<userPoolId>"
    // and the value is the ID token from the user pool sign-in
    var logins = {};
    logins[cognitoEndpoint + "/" + userPoolId] = jwtToken;

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: identityPoolId,
      Logins: logins
    });

it gives me the error below:

Error: Invalid identity pool configuration. Check assigned IAM roles for this pool.
    at Request.extractError (aws-sdk.js:104063)
    at Request.callListeners (aws-sdk.js:106060)
    at Request.emit (aws-sdk.js:106034)
    at Request.emit (aws-sdk.js:105121)
    at Request.transition (aws-sdk.js:104843)
    at AcceptorStateMachine.runTo (aws-sdk.js:108480)
    at aws-sdk.js:108492
    at Request.<anonymous> (aws-sdk.js:104859)
    at Request.<anonymous> (aws-sdk.js:105123)
    at Request.callListeners (aws-sdk.js:106070)

I have given administrator access to the "Unauthenticated role" & "Unauthenticated role" of the identity pool and to the user whose credentials I am using.

I am new to AWS. Can anyone tell me what I am missing?

Any help would be appreciated.

John Rotenstein
Ankur Akvaliya

6 Answers


Check that the role you have assigned in Cognito Identity Pools (Federated Identities), has a trust relationship with the identity pool.

Get the identity pool ID + the name of the role that isn't working. To do this:

  • Go to Cognito
  • Select Manage Federated Identities
  • Select the identity pool
  • Click Edit identity pool (top right)
  • Make a note of the identity pool ID
  • Make a note of the name of the role that isn't working (e.g. Cognito_blahUnauth_Role)

In IAM, check the trust relationship for the role. Ensure that the StringEquals condition value matches the identity pool ID.

To do this:

  • Go to IAM
  • Click Roles
  • Click the name of the role that you noted previously
  • Click Trust relationships
  • On the right under Conditions, check that the StringEquals condition contains the identity pool ID that you noted previously.

Edit the trust relationship to fix.

Alex Hague
  • this, thanks. I had forgotten to add this when setting up my cloud formation script – nbpeth Oct 11 '17 at 16:18
  • That solved my problem. I had put the identity pool name instead of the pool ID. Thank you. – Víctor Hugo Sep 17 '18 at 11:51
  • I would give you 100+ for this answer if I could. Setup of Users, Groups, Roles, Policies through Cognito and IAM is far from straightforward. Have spent three days on this issue! – matcheek May 04 '19 at 18:06
  • I could kiss you, @AlexHague. In my case I had reused an IAM role for another identity pool, and had forgotten about this step. My IAM role only had a trust relationship with the old identity pool. I wish this answer would have come up in my first Google search instead of four days later. – davidgyoung Dec 09 '19 at 18:55
  • This helped!! Thanks. – Praneet Nadkar Mar 18 '20 at 06:00
  • Can't thank you enough! I changed the region, so the identity pool was correct but not the region, and this answer helped me find the error, thanks again! – NorahKSakal Apr 19 '20 at 02:58
  • Thanks! This comment helped me with a little error I had :) – Andrés Montoya Jun 27 '21 at 23:52
  • Dude, I'll buy you a beer... Where did you get this workaround or where can I find more information about this? I've spent 8 hours on this, I'm about to cry – José Pulido Nov 17 '21 at 05:16
  • Thank you so much. I had gotten this error because I had deleted and recreated the id pool, but reused the roles, which were pointing to the old identity pool id that I had deleted – Jay Hu Mar 10 '22 at 08:24
  • Also, remember to include `sts:TagSession` in the IAM role's trust policy when using "Attributes for access control" (Principal Tags). I had the same error message as in this thread, a valid Trust policy according to this Answer, but missing `sts:TagSession` in the Trust Policy. CloudTrail was reporting "Unknown error" in my case, so it was tough to resolve, even though the Cognito Identity Pool "Edit" screen has a "Note" for that. Hope that helps someone. – Igor Lamos Jul 14 '22 at 21:21

What you're trying to access here are "Cognito Federated Identity" credentials, which is a separate AWS product from "Cognito User Pools". In order to retrieve these credentials, you need to connect your User Pool to your Federated Identity Pool.

Perhaps this link will help: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

Also, I would remove admin access from Unauthenticated permissions, it means anyone with your details has control of your AWS account.

David Kelley

When you create a role in IAM and choose the identity provider, make sure you don't choose the user pool ID; instead, you have to choose the identity pool ID.

xwa130

If you are using OpenID, disable attributes for access control and the error will be gone.


Ruli
Satit

I had this issue when I manually added additional roles in Cognito to the already existing ones (previously created with the Amplify CLI).

TLDR: Don't manually create groups and roles if you're going to be using them for Amplify.

My accounts which had this error included the following attributes in the JWT (you can go to jwt.io and see your attributes):

    "cognito:roles": [
      "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*"
    ],
    "cognito:preferred_role": "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*",

Then I found these roles and I tried to verify if they have correct conditions attached to them:

    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "us-west-2:<COGNITO_IDENTITY_POOL_ID>"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }

After a few hours of verifying the roles and configuring them, it finally started working.

Lessons learned: It's possible to fix them manually too.

Then I manually deleted the groups in Cognito I had created, along with the roles associated with them, and recreated them via the Amplify CLI from scratch. It worked like a charm. Apart from that, in this way Amplify will maintain them when I change configs etc.

jjanczur

I had this error working with Amplify. I noticed that the error appeared after I created Cognito User Roles from the Amplify CLI. What I did was delete these roles from the CLI and create them again from the AWS Console, and it worked fine!

matthias_h
Angel Angeles