
@aws-cdk/aws-appsync: Cannot attach @cognito Directives with no groups specified


When attaching a Directive to the GraphQL Schema using the code-first approach, Directive.cognito() requires one to attach at least one group:

    Cognito authorization requires at least one Cognito group to be supplied. Received: 0

But this should not be the case. The @aws_cognito_user_pools directive does not require a group. If no group is specified, it means allow all users authorized through Cognito.

Reproduction Steps

    import { ResolvableField } from "@aws-cdk/aws-appsync";

    api.graphqlAPI.addMutation('setStatus', new ResolvableField({
        args: StatusInput.definition,
        returnType: StatusType.attribute(),
        dataSource: setStatusDataSource,
        directives: [

What did you expect to happen?

That the schema attaches the @aws_cognito_user_pools directive.

What actually happened?

The cdk deploy returned the error:

    Cognito authorization requires at least one Cognito group to be supplied. Received: 0


  • CDK CLI Version: 1.89.0
  • Framework Version: 1.89.0
  • Node.js Version: v12.16.1
  • OS: Windows 10
  • Language (Version):


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

pfried commented, Feb 24, 2021

For everyone struggling with this, adding a custom directive like

    directives: [Directive.iam(), Directive.custom('@aws_cognito_user_pools')],

will attach the correct directive statement anyways.

@MrArnoldPalmer I tried to fix this in the code. But it is somehow a mess caused by this whole @aws_auth against @aws_cognito_user_pools when multiple are present mess. A quick fix would be to remove the error being thrown when 0 groups are passed, but this error is valid and needs to be checked in case it is the only directive when using @aws_auth. Also the whole string replacement is ugly. The statement can only be created in the toString() method as only there is enough information to build the correct statement.

IMHO the statements should be created by a more sophisticated function like createStatement(modes) and Authorization Directives and Subscription Directives should be put in their own Subclass which does not need to be public.

Any thoughts on that?

MrArnoldPalmer commented, Feb 24, 2021

@pfried I think I’m with you on this. We need a much smarter and sophisticated system for managing directive statements instead of this basic string interpolation. Separating authorization and subscription directives also makes sense with some common BaseDirective ancestor or something.
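A sketch of the `createStatement(modes)` idea discussed in the two comments above, added here as an example; it is not aws-cdk code and not written by either commenter. All types and function names are hypothetical, and it assumes, as the first comment describes, that `@aws_auth` is emitted only when Cognito is the sole authorization mode.

```typescript
// Added sketch, not aws-cdk code: every name below is hypothetical.
type AuthMode = "AMAZON_COGNITO_USER_POOLS" | "AWS_IAM" | "API_KEY" | "OPENID_CONNECT";

interface CognitoDirective { kind: "cognito"; groups: string[]; }
interface IamDirective { kind: "iam"; }
type AuthDirective = CognitoDirective | IamDirective;

// Build the schema statement only once the API's configured modes are known,
// instead of emitting "@aws_auth(...)" early and string-replacing it later.
function createStatement(d: AuthDirective, modes: AuthMode[]): string {
  if (d.kind === "iam") return "@aws_iam";
  // JSON.stringify quotes and escapes each group name, so a name containing
  // a quote or bracket cannot alter the generated schema text.
  const groupList = d.groups.map((g) => JSON.stringify(g)).join(", ");
  const multiMode = new Set(modes).size > 1;
  if (multiMode) {
    // With additional modes present, groups are optional. No groups means
    // every user authenticated by the user pool may call the field.
    return d.groups.length === 0
      ? "@aws_cognito_user_pools"
      : `@aws_cognito_user_pools(cognito_groups: [${groupList}])`;
  }
  // Cognito as the only mode: @aws_auth takes cognito_groups, so zero groups
  // stays an error, with the message quoted in the issue.
  if (d.groups.length === 0) {
    throw new Error(
      "Cognito authorization requires at least one Cognito group to be supplied. Received: 0"
    );
  }
  return `@aws_auth(cognito_groups: [${groupList}])`;
}

// Join the statements for one field in declaration order.
function fieldDirectives(ds: AuthDirective[], modes: AuthMode[]): string {
  return ds.map((d) => createStatement(d, modes)).join(" ");
}
```
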
