[cognito] Unable to create user pool with MFA required

(See reproduction steps for code example)

Ideally, I would like to enable MFA required with OTP only (not SMS)

When mfaSecondFactor.sms is set to false, the stack is able to be synthesized, but CloudFormation gives this error:

SMS configuration and Auto verification for phone_number are required when MFA is required/optional (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: d5cbb83e-b38a-4f57-9993-65ff923ac325; Proxy: null)

When mfaSecondFactor.sms is set to `true`, the stack is not able to be synthesized with the following error:

TypeError: Cannot read property 'uniqueId' of undefined
    at UserPool.smsConfiguration (/Users/barrett/Projects/github.com/tributumtax/monorepo/.yarn/$$virtual/@aws-cdk-aws-cognito-virtual-cef0628d0c/0/cache/@aws-cdk-aws-cognito-npm-1.73.0-8a062b6262-b3bdc35f1d.zip/node_modules/@aws-cdk/aws-cognito/lib/user-pool.ts:884:37)
    at new UserPool (/Users/barrett/Projects/github.com/tributumtax/monorepo/.yarn/$$virtual/@aws-cdk-aws-cognito-virtual-cef0628d0c/0/cache/@aws-cdk-aws-cognito-npm-1.73.0-8a062b6262-b3bdc35f1d.zip/node_modules/@aws-cdk/aws-cognito/lib/user-pool.ts:740:30)
    at new AuthStack (/Users/barrett/Projects/github.com/tributumtax/monorepo/packages/aws/lib/auth-stack.ts:23:22)
    at Object.<anonymous> (/Users/barrett/Projects/github.com/tributumtax/monorepo/packages/aws/bin/aws.ts:45:19)
    at Module._compile (internal/modules/cjs/loader.js:1176:30)
    at Module.m._compile (/Users/barrett/Projects/github.com/tributumtax/monorepo/.yarn/unplugged/ts-node-virtual-9b8834e7f3/node_modules/ts-node/src/index.ts:858:23)
    at Module._extensions..js (internal/modules/cjs/loader.js:1196:10)
    at Object.require.extensions.<computed> [as .ts] (/Users/barrett/Projects/github.com/tributumtax/monorepo/.yarn/unplugged/ts-node-virtual-9b8834e7f3/node_modules/ts-node/src/index.ts:861:12)
    at Module.load (internal/modules/cjs/loader.js:1040:32)
    at Function.external_module_.Module._load (/Users/barrett/Projects/github.com/tributumtax/monorepo/.pnp.js:26436:14)
Subprocess exited with error 1

Reproduction Steps

import { App, Stack, StackProps } from '@aws-cdk/core';
import * as cognito from '@aws-cdk/aws-cognito';

export class AuthStack extends Stack {
  constructor(scope: App, id: string, props: StackProps) {
    super(scope, id, props);

    const userPool = new cognito.UserPool(this, 'UserPool', {
      selfSignUpEnabled: true,
      signInAliases: {
        email: true,
      },
      autoVerify: {
        email: true,
      },
      mfa: cognito.Mfa.REQUIRED,
      mfaSecondFactor: {
        sms: true,
        otp: true,
      },
      passwordPolicy: {
        minLength: 16,
        requireLowercase: true,
        requireUppercase: true,
        requireDigits: true,
        requireSymbols: true,
      },
      accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
    });
  }
}

What did you expect to happen?

I should be able to deploy the stack

What actually happened?

The synth fails if sms is true and CloudFormation fails if it is set to false.

Environment

  • CDK CLI Version : 1.62.0
  • Framework Version: 1.62.0
  • Node.js Version: 14.2.0
  • OS : OS X Catalina
  • Language (Version): TypeScript (4.0.20)

Other


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 13
  • Comments: 17 (4 by maintainers)

Top GitHub Comments

5 reactions
velovix commented, Dec 28, 2020

I believe this is also an issue with CloudFormation. I see this problem when using Serverless with CloudFormation templates.

1 reaction
wmarcuse commented, Aug 13, 2021

The SMS configuration correlates to the auto verification service Cognito provides; if this verification method is set on phone_number, then SMS configuration is required.

Default: - If signInAlias includes email and/or phone, they will be included in autoVerifiedAttributes by default. If absent, no attributes will be auto-verified.

So make sure you don’t have auto verify enabled for phone number and MFA required with only otp enabled should work.
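The constraint behind the CloudFormation error and the comment above can be checked before running `cdk synth`. The following is an added example, not code from the issue or from the CDK: it encodes the rules in a small dependency-free lint over the UserPool props the issue uses (the prop types are hand-written here, not imported, and the `smsConfigured` flag standing in for an attached SMS role is an assumption of this example).

```typescript
// Added example (not from the issue or the CDK): pre-synth lint for the
// Cognito MFA/SMS constraint. Types mirror only the UserPool props used in
// the issue; they are hand-written, not CDK imports.
type Mfa = 'OFF' | 'OPTIONAL' | 'REQUIRED';

interface PoolMfaConfig {
  mfa: Mfa;
  mfaSecondFactor?: { sms: boolean; otp: boolean };
  signInAliases?: { email?: boolean; phone?: boolean };
  autoVerify?: { email?: boolean; phone?: boolean };
  smsConfigured?: boolean; // assumed flag: true once an SMS role/config is attached
}

// Documented default quoted in the thread: an explicit autoVerify wins;
// otherwise the attributes in signInAliases are auto-verified; otherwise none.
function effectiveAutoVerify(cfg: PoolMfaConfig): { email: boolean; phone: boolean } {
  const src: { email?: boolean; phone?: boolean } = cfg.autoVerify ?? cfg.signInAliases ?? {};
  return { email: src.email === true, phone: src.phone === true };
}

// Returns the problems Cognito would raise for this config (empty = OK).
function checkMfaConfig(cfg: PoolMfaConfig): string[] {
  const findings: string[] = [];
  if (cfg.mfa === 'OFF') return findings; // no second factor, nothing to check
  // CDK's documented default for mfaSecondFactor is SMS only (assumed here).
  const factors = cfg.mfaSecondFactor ?? { sms: true, otp: false };
  if (!factors.sms && !factors.otp) {
    findings.push(`MFA is ${cfg.mfa} but no second factor is enabled`);
  }
  // The CloudFormation error from the issue: phone_number auto-verification
  // with MFA REQUIRED/OPTIONAL needs an SMS configuration.
  if (effectiveAutoVerify(cfg).phone && !cfg.smsConfigured) {
    findings.push(`phone_number is auto-verified with MFA ${cfg.mfa}: SMS configuration required`);
  }
  // SMS as a second factor cannot be delivered without an SMS configuration.
  if (factors.sms && !cfg.smsConfigured) {
    findings.push('sms second factor enabled without an SMS configuration');
  }
  return findings;
}

// The OTP-only shape the issue asks for: MFA required, TOTP only, e-mail
// sign-in and auto-verification only, so no SMS configuration is needed.
function otpOnlyRequiredMfa(): PoolMfaConfig {
  return {
    mfa: 'REQUIRED',
    mfaSecondFactor: { sms: false, otp: true },
    signInAliases: { email: true },
    autoVerify: { email: true, phone: false },
  };
}
```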
