
[aws-cognito] CfnIdentityPool: "Invalid Cognito Identity Provider"


I was trying to create an identity pool using the following code:

    // create userPool
    // create userPoolClient
    const identityPool = new cognito.CfnIdentityPool(this, 'CognitoServerlessDemoIdentityPool', {
      allowUnauthenticatedIdentities: true,
      cognitoIdentityProviders: [
        {
          // UserPoolClient exposes `userPoolClientId`, not `clientId`; this expression is
          // undefined, and undefined props are dropped from the synthesized template
          clientId: userPoolClient.clientId,
          providerName: userPool.userPoolProviderName,
        },
      ],
    });

I got the error below.

    CognitoServerlessDemoIdentityPool Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 8c85c42d-0188-42ef-948f-5f7842c8e2a9; Proxy: null)
      new CognitoServerlessDemoStack (/src/aws/cognito-serverless-demo/cdk/lib/cognito-serverless-demo-stack.js:204:26)
      _ Object.<anonymous> (/src/aws/cognito-serverless-demo/cdk/bin/cognito-serverless-demo.js:7:1)
      _ Module._compile (internal/modules/cjs/loader.js:1076:30)
      _ Object.Module._extensions..js (internal/modules/cjs/loader.js:1097:10)
      _ Module.load (internal/modules/cjs/loader.js:941:32)
      _ Function.Module._load (internal/modules/cjs/loader.js:782:14)
      _ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
      _ internal/main/run_main_module.js:17:47

The generated CloudFormation is below. For some reason, the ClientId attribute was missing:

  CognitoServerlessDemoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ProviderName:
            Fn::GetAtt:
              - CognitoServerlessDemoUserPool74CA82F1
              - ProviderName

Environment

  • CLI Version : aws-cli/1.18.155 Python/3.8.6 Linux/5.8.10-arch1-1 botocore/1.18.14
  • Framework Version: 1.69.0 (build 2b474b9)
  • Node.js Version: v14.12.0
  • OS : Arch Linux

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

7 reactions
Stf-F commented, Feb 23, 2021

@phelucko, I am a bit late to the party but I just ran into the same issue and looking at the CloudFormation docs I realised that the provider name needed to look like so:

cognito-idp.{YOUR_REGION}.amazonaws.com/us-east-2_123456789

You can therefore keep all the UserPool and UserPoolClient constructs if you concatenate your userPoolId with cognito-idp.{YOUR_REGION}.amazonaws.com/

My code in the end:

    import * as cognito from '@aws-cdk/aws-cognito' // CDK v1 module, matching the 1.x framework in the report

    const userpool = new cognito.UserPool(this, 'myuserpool', {
      // Your props
    })

    // CloudFormation raises an error if Cognito is used as the default sender for emails
    // https://github.com/aws/aws-cdk/issues/9739
    const userPoolCfn = userpool.node.defaultChild as cognito.CfnUserPool
    userPoolCfn.emailConfiguration = {
      emailSendingAccount: 'DEVELOPER',
      sourceArn: `arn:aws:ses:${props?.env?.region}:${props?.env?.account}:identity/email@domain.com`,
    }

    const appClient = userpool.addClient('app-client', {
      authFlows: {
        userSrp: true,
      },
      preventUserExistenceErrors: true,
      supportedIdentityProviders: [
        cognito.UserPoolClientIdentityProvider.GOOGLE,
        cognito.UserPoolClientIdentityProvider.COGNITO,
      ],
    })

    const googleIdp = new cognito.UserPoolIdentityProviderGoogle(this, 'Google', {
      clientId: 'YOUR_ID',
      clientSecret: 'YOUR_SECRET',
      userPool: userpool,
      attributeMapping: {
        email: cognito.ProviderAttribute.GOOGLE_EMAIL,
        gender: cognito.ProviderAttribute.GOOGLE_GENDER,
        profilePicture: cognito.ProviderAttribute.GOOGLE_PICTURE,
        familyName: cognito.ProviderAttribute.GOOGLE_FAMILY_NAME,
        birthdate: cognito.ProviderAttribute.GOOGLE_BIRTHDAYS,
      },
    })

    // We wait for the idp to be created before the app client references it
    if (googleIdp) {
      appClient.node.addDependency(googleIdp)
    }

    new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
      allowUnauthenticatedIdentities: true,
      identityPoolName: 'CfnIdentityPool',
      cognitoIdentityProviders: [
        {
          clientId: appClient.userPoolClientId,
          providerName: `cognito-idp.eu-west-1.amazonaws.com/${userpool.userPoolId}`,
          serverSideTokenCheck: true,
        },
      ],
    })
0 reactions
kcarvajalm commented, Mar 9, 2022

@Stf-F thanks!!! Same thing using terraform.

    cognito_identity_providers {
      client_id     = aws_cognito_user_pool_client.user_client.id
      provider_name = "cognito-idp.us-east-1.amazonaws.com/${aws_cognito_user_pool.user_pool.id}"
    }
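Both fixes above (the CDK one and the Terraform one) spell the provider name out as `cognito-idp.<region>.amazonaws.com/<user pool id>` with the region typed by hand next to a pool id that already contains it, and the original report shows the other half of the failure mode: a `clientId` that evaluated to undefined was silently dropped from the template rather than rejected at synth time. The following TypeScript is an added example, not code from the issue, its commenters or the CDK project. It derives the provider name from the pool id alone, runs a pre-synth check over a `cognitoIdentityProviders` entry (region agreement, non-empty client id, `serverSideTokenCheck`), and mirrors the undefined-key dropping that produced the report's template. The pool id `us-east-2_AbCdEfGhI`, the client id, the pool-id regex and the helpers `userPoolProviderName`, `validateProvider` and `renderCfnProvider` are all constructed for this example; they are not CDK or Terraform APIs.

```typescript
// Added example (not from the issue, its commenters or the CDK project).
// Plain TypeScript with no CDK dependency, so it runs offline.

interface CognitoIdentityProviderProps {
  clientId: string;
  providerName: string;
  serverSideTokenCheck?: boolean;
}

// Assumed shape of a user pool id: "<region>_<9 alphanumerics>", e.g. us-east-2_AbCdEfGhI
// (a constructed id for this example, not a real pool).
const REGION = '[a-z]{2}(?:-[a-z]+)+-\\d';
const USER_POOL_ID_RE = new RegExp('^(' + REGION + ')_[A-Za-z0-9]{9}$');
// Provider name as documented for AWS::Cognito::IdentityPool CognitoIdentityProviders:
// cognito-idp.<region>.amazonaws.com/<user pool id>
// Groups: 1 = region in the host, 2 = pool id, 3 = region embedded in the pool id.
const PROVIDER_NAME_RE = new RegExp(
  '^cognito-idp\\.(' + REGION + ')\\.amazonaws\\.com/((' + REGION + ')_[A-Za-z0-9]{9})$'
);

// Derive the provider name from the pool id alone. The region is read out of the id,
// so it cannot drift from a region string hard-coded somewhere else in the stack.
function userPoolProviderName(userPoolId: string): string {
  const m = USER_POOL_ID_RE.exec(userPoolId);
  if (!m) {
    throw new Error('not a Cognito user pool id: ' + userPoolId);
  }
  return 'cognito-idp.' + m[1] + '.amazonaws.com/' + userPoolId;
}

// Hypothetical pre-synth check: returns the list of problems, empty when the entry is sound.
function validateProvider(p: Partial<CognitoIdentityProviderProps>): string[] {
  const problems: string[] = [];
  if (!p.clientId) {
    problems.push('clientId is undefined or empty: CloudFormation omits ClientId and Cognito rejects the provider');
  }
  if (!p.providerName) {
    problems.push('providerName is undefined or empty');
  } else {
    const m = PROVIDER_NAME_RE.exec(p.providerName);
    if (!m) {
      problems.push('providerName is not cognito-idp.<region>.amazonaws.com/<user pool id>: ' + p.providerName);
    } else if (m[1] !== m[3]) {
      problems.push('region in providerName (' + m[1] + ') differs from region in the pool id (' + m[3] + ')');
    }
  }
  if (p.serverSideTokenCheck !== true) {
    // With the check off, the identity pool does not ask the user pool whether the user
    // has been deleted or globally signed out before vending credentials.
    problems.push('serverSideTokenCheck is not true: deleted or globally signed-out users can still be issued credentials');
  }
  return problems;
}

// Mirrors what synthesis does with the props: keys whose value is undefined are dropped
// silently, which is how the template in the report ended up without a ClientId.
function renderCfnProvider(p: Partial<CognitoIdentityProviderProps>): { [key: string]: unknown } {
  const raw: { [key: string]: unknown } = {
    ClientId: p.clientId,
    ProviderName: p.providerName,
    ServerSideTokenCheck: p.serverSideTokenCheck,
  };
  const out: { [key: string]: unknown } = {};
  for (const key in raw) {
    if (raw[key] !== undefined) {
      out[key] = raw[key];
    }
  }
  return out;
}

// Constructed inputs for the demonstration.
const SAMPLE_POOL_ID = 'us-east-2_AbCdEfGhI';
const SAMPLE_CLIENT_ID = '1h57kf5cpq17m0eml12EXAMPLE';

function demo(): void {
  const good: CognitoIdentityProviderProps = {
    clientId: SAMPLE_CLIENT_ID,
    providerName: userPoolProviderName(SAMPLE_POOL_ID),
    serverSideTokenCheck: true,
  };
  console.log(validateProvider(good)); // []
  console.log(renderCfnProvider(good));

  // The report's situation: clientId evaluated to undefined and the check is unset.
  const broken = { providerName: userPoolProviderName(SAMPLE_POOL_ID) };
  console.log(validateProvider(broken)); // two problems
  console.log(renderCfnProvider(broken)); // no ClientId key, as in the report's template
}

demo();
```

The region check is what the hard-coded `eu-west-1` / `us-east-1` strings above cannot give you: a pool created in another region produces an id whose prefix disagrees with the host, and Cognito rejects the entry with the same 400 shown in the report. Two further points for a production stack: in CDK the pool's own `userPoolProviderName` attribute (a `Fn::GetAtt ... ProviderName`) yields the same string without any hand-built concatenation, and both snippets set `allowUnauthenticatedIdentities: true`, which hands the unauthenticated role's credentials to anyone who knows the identity pool id, so keep it `false` unless guest access is an actual requirement.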

