RoleMapping ProviderName or is not a configured provider.

❓ General Issue

I am trying to add a role attachment to a cognito identity pool using groups but keep getting: “XXX is not a valid RoleMapping ProviderName or is not a configured provider.” even though the userpool and app client I am using definitely exist.

Environment

  • CDK CLI Version: aws-cdk@1.36.0
  • Module Version: "@aws-cdk/aws-cognito": "^1.36.0"
  • OS: OSX Mojave
  • Language: TypeScript

Other information

As far as I can see, something is wrong with this part:
"IdentityProvider": "cognito-idp.eu-west-2.amazonaws.com/USER_POOL_ID:CLIENT_ID"

but the docs here state exactly this format.

Here is my CloudFormation template output that CDK is creating. Any help on this would be greatly appreciated!

"XXXXroleattachment": {
    "Type": "AWS::Cognito::IdentityPoolRoleAttachment",
    "Properties": {
        "IdentityPoolId": "eu-west-2:XXXXXXXXXXXXXXXX",
        "RoleMappings": {
            "roleMapping": {
                "AmbiguousRoleResolution": "Deny",
                "IdentityProvider": "cognito-idp.eu-west-2.amazonaws.com/eu-west2_XXXXXXX:XXXXXXXXXXXXX",
                "RulesConfiguration": {
                    "Rules": [
                        {
                            "Claim": "cognito:groups",
                            "MatchType": "Contains",
                            "RoleARN": "arn:aws:iam::XXXXXXX:role/XXXXXXXX",
                            "Value": "XXXXXX"
                        }
                    ]
                },
                "Type": "Rules"
            }
        },
        "Roles": {
            "unauthenticated": "arn:aws:iam::XXXXXXXXX:role/XXXXXXXXXXXXX",
            "authenticated": "arn:aws:iam::XXXXXXXXX:role/XXXXXXXXXXXXX"
        }
    },
    "Metadata": {
        "aws:cdk:path": "Stack/role-attachment"
    }
}

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

8 reactions
leantorres73 commented, Aug 12, 2020

For the record, I faced this same issue but I was able to make it work, version 1.57.0

const roleMapping : cognito.CfnIdentityPoolRoleAttachment.RoleMappingProperty = {
    type: 'Token',
    ambiguousRoleResolution: 'Deny',
    identityProvider: `cognito-idp.${Stack.of(this).region}.amazonaws.com/${pool.userPoolId}:${client.userPoolClientId}`
};
0 reactions
FrankyCTY commented, Dec 12, 2021

For the identityProvider, just using the combination of userPoolProviderName and userPoolClientId is fine, no need to be fancy 😃

BTW, I like how the doc doesn’t mention these, or just my IQ under 90

const roleMapping : cognito.CfnIdentityPoolRoleAttachment.RoleMappingProperty = {
    type: 'Token',
    ambiguousRoleResolution: 'AuthenticatedRole', // AuthenticatedRole or Deny
    identityProvider: `${userPool.userPoolProviderName}:${userPoolClient.userPoolClientId}`
};
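
As an added example (not part of the issue thread or of the CDK project), here is a small pre-deploy check for the `IdentityProvider` string that both answers build. It verifies the `cognito-idp.<region>.amazonaws.com/<userPoolId>:<clientId>` shape, that the user pool ID's region prefix matches the host region, and that the pool/client pair is one the identity pool has configured. `ConfiguredProvider` and `checkIdentityProvider` are hypothetical names, the sample values are constructed, and the check expects resolved strings rather than unresolved CDK tokens.

```typescript
// Added example: sanity-check a role-mapping IdentityProvider string before deploying.
// ConfiguredProvider and checkIdentityProvider are hypothetical helper names.
interface ConfiguredProvider {
  providerName: string; // cognito-idp.<region>.amazonaws.com/<userPoolId>
  clientId: string;     // app client ID registered on the identity pool
}

// Returns a list of problems; an empty list means the string passes every check.
function checkIdentityProvider(identityProvider: string, configured: ConfiguredProvider[]): string[] {
  const m = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([^:\/]+):([^:\/]+)$/.exec(identityProvider);
  if (!m) {
    return ['expected cognito-idp.<region>.amazonaws.com/<userPoolId>:<clientId>'];
  }
  const [hostRegion = '', userPoolId = '', clientId = ''] = m.slice(1);
  const problems: string[] = [];

  // A user pool ID has the form "<region>_<suffix>", so its prefix must equal the host region.
  const sep = userPoolId.indexOf('_');
  const poolRegion = sep > 0 ? userPoolId.slice(0, sep) : '';
  if (poolRegion !== hostRegion) {
    problems.push(`user pool ID prefix "${poolRegion}" does not match host region "${hostRegion}"`);
  }

  // The same pool/client pair must be registered as a provider on the identity pool.
  const providerName = `cognito-idp.${hostRegion}.amazonaws.com/${userPoolId}`;
  if (!configured.some(p => p.providerName === providerName && p.clientId === clientId)) {
    problems.push('pool/client pair is not among the identity pool\'s configured providers');
  }
  return problems;
}

// Constructed sample values, not taken from any real account.
const configured: ConfiguredProvider[] = [
  { providerName: 'cognito-idp.eu-west-2.amazonaws.com/eu-west-2_EXAMPLE01', clientId: 'exampleclientid123' },
];
const good = 'cognito-idp.eu-west-2.amazonaws.com/eu-west-2_EXAMPLE01:exampleclientid123';
const badRegion = 'cognito-idp.eu-west-2.amazonaws.com/eu-west2_EXAMPLE01:exampleclientid123';

console.log(checkIdentityProvider(good, configured));      // no problems reported
console.log(checkIdentityProvider(badRegion, configured)); // region mismatch and unknown provider
```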