turn off automatic Cognito UserPool SMS role creation
General Issue
The Question
Hey there,
Working on Cognito module, I noticed that when you create a UserPool, a role for the SMS service (policy: sns:Publish) is created by default even when you don’t specify it. This behavior is not present in the console nor CloudFormation template. Creating this role is a problem in our environment as we don’t use it. Could you make it optional?
Thanking you in advance
Environment
- CDK CLI Version: 1.30.0
- Module Version: Cognito@1.30.0
- OS: all
- Language: Typescript
Other information
Cfn stack example:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "UserPooldev01E6BF40": {
      "Type": "AWS::Cognito::UserPool",
      "Properties": {
        "AdminCreateUserConfig": {
          "AllowAdminCreateUserOnly": false
        },
        "AutoVerifiedAttributes": [
          "email"
        ],
        "EmailVerificationMessage": "Your verification code is {####}",
        "EmailVerificationSubject": "Your verification code",
        "Policies": {
          "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireLowercase": false,
            "RequireNumbers": false,
            "RequireSymbols": false,
            "RequireUppercase": false,
            "TemporaryPasswordValidityDays": 7
          }
        },
        "Schema": [
          {
            "Name": "email",
            "Required": true
          },
          {
            "Name": "name",
            "Required": true
          },
          {
            "AttributeDataType": "String",
            "Name": "organization",
            "StringAttributeConstraints": {
              "MaxLength": "256",
              "MinLength": "1"
            }
          }
        ],
        "UsernameAttributes": [
          "email"
        ],
        "UserPoolName": "UserPool-dev",
        "VerificationMessageTemplate": {
          "DefaultEmailOption": "CONFIRM_WITH_CODE",
          "EmailMessage": "Your verification code is {####}",
          "EmailSubject": "Your verification code",
          "SmsMessage": "The verification code to your new account is {####}"
        }
      }
    }
  }
}
Top GitHub Comments
Any news on that?
I have verified through both the console and CloudFormation that Cognito does not require an SMS role in order to create a user pool, as long as Phone verification or SMS MFA are not enabled. When using the CDK’s CfnUserPool construct, the same results can be achieved.
The CloudFormation template I used to test this is the one provided in the original issue report above. If needed, I can provide some screenshots / logs as proof.
Digging into the code, it seems the SMS role is always included in the CloudFormation template simply because it doesn’t check whether one is actually needed. https://github.com/aws/aws-cdk/blob/40fa93a22ffbdf18b0563d1cef63bbf5814dcc3f/packages/%40aws-cdk/aws-cognito/lib/user-pool.ts#L766-L801
If there is a role, it is used in the returned configuration. If there is no role, a new one is created regardless of the other userpool parameters. The comment about the necessity of the sns:Publish action seems to only relate to Cognito needing the policy to be provided inline with the role as opposed to attached through a named policy. It seems this issue may be fixed by simply adding a conditional, something along the lines of
Any thoughts?
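As an added example (not the CDK's own code and not code posted in the issue), the following TypeScript applies the criterion stated in the comment above to a synthesized CloudFormation template: it reports an AWS::IAM::Role that grants sns:Publish and is wired into a user pool's SmsConfiguration when that pool enables neither phone verification nor SMS MFA. That is the least-privilege check a reviewer would run on `cdk synth` output while the construct still emits the role unconditionally. The function names, the role logical IDs and the sample template are constructed for this example; the property names are the CloudFormation ones for AWS::Cognito::UserPool and AWS::IAM::Role. The second pool in the sample goes beyond the issue's email-only case to show a pool that legitimately needs the role.

```typescript
// Added example, not code from the CDK or from the issue. It audits a
// synthesized CloudFormation template for the situation the issue describes:
// an IAM role granting sns:Publish that a user pool cannot use because the
// pool enables neither phone verification nor SMS MFA.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Assumption: a pool can send SMS only when it auto-verifies phone numbers or
// has MFA turned on without SMS excluded via EnabledMfas (CloudFormation falls
// back to SMS MFA when MfaConfiguration is set and EnabledMfas is absent).
function userPoolNeedsSms(props: Record<string, any>): boolean {
  const autoVerified: string[] = props.AutoVerifiedAttributes ?? [];
  const phoneVerification = autoVerified.includes("phone_number");
  const mfa: string | undefined = props.MfaConfiguration;
  const enabledMfas: string[] | undefined = props.EnabledMfas;
  const smsMfa =
    mfa !== undefined && mfa !== "OFF" &&
    (enabledMfas === undefined || enabledMfas.includes("SMS_MFA"));
  return phoneVerification || smsMfa;
}

// Does any inline policy on the role allow sns:Publish?
function roleGrantsSnsPublish(role: CfnResource): boolean {
  for (const policy of role.Properties?.Policies ?? []) {
    for (const stmt of policy.PolicyDocument?.Statement ?? []) {
      const actions: string[] = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
      if (stmt.Effect === "Allow" && actions.includes("sns:Publish")) return true;
    }
  }
  return false;
}

// One finding per user pool whose SmsConfiguration points (via Fn::GetAtt, the
// way the CDK renders a role reference) at an sns:Publish role it cannot use.
function findUnneededSmsRoles(template: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const [poolId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::Cognito::UserPool") continue;
    const roleId: string | undefined =
      res.Properties?.SmsConfiguration?.SnsCallerArn?.["Fn::GetAtt"]?.[0];
    if (roleId === undefined) continue;
    const role = template.Resources[roleId];
    if (role?.Type !== "AWS::IAM::Role" || !roleGrantsSnsPublish(role)) continue;
    if (!userPoolNeedsSms(res.Properties ?? {})) {
      findings.push(`${poolId}: role ${roleId} grants sns:Publish but the pool ` +
        `has no phone verification or SMS MFA`);
    }
  }
  return findings;
}

// Constructed role shaped like the one the CDK emits: Cognito assumes it and
// the sns:Publish grant is inline, as the comment above notes it must be.
function snsPublishRole(): CfnResource {
  return {
    Type: "AWS::IAM::Role",
    Properties: {
      AssumeRolePolicyDocument: { Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
        Principal: { Service: "cognito-idp.amazonaws.com" } }] },
      Policies: [{ PolicyName: "sns-publish", PolicyDocument: {
        Statement: [{ Effect: "Allow", Action: "sns:Publish", Resource: "*" }] } }],
    },
  };
}

// Constructed sample: the email-only pool from the issue report with the role
// the CDK added anyway, and a phone-verifying pool that really needs one.
// Role logical IDs are made up for this example.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    UserPooldev01E6BF40: { Type: "AWS::Cognito::UserPool", Properties: {
      AutoVerifiedAttributes: ["email"], UsernameAttributes: ["email"],
      SmsConfiguration: { ExternalId: "UserPooldev",
        SnsCallerArn: { "Fn::GetAtt": ["UserPooldevSmsRole1234ABCD", "Arn"] } } } },
    UserPooldevSmsRole1234ABCD: snsPublishRole(),
    PhonePool: { Type: "AWS::Cognito::UserPool", Properties: {
      AutoVerifiedAttributes: ["phone_number"], UsernameAttributes: ["phone_number"],
      SmsConfiguration: { ExternalId: "PhonePool",
        SnsCallerArn: { "Fn::GetAtt": ["PhonePoolSmsRole5678EFGH", "Arn"] } } } },
    PhonePoolSmsRole5678EFGH: snsPublishRole(),
  },
};

for (const finding of findUnneededSmsRoles(SAMPLE_TEMPLATE)) console.log(finding);
```

Run it against the JSON in `cdk.out` instead of the embedded sample by reading the file and passing the parsed object to `findUnneededSmsRoles`; an empty result means every sns:Publish role in the stack is attached to a pool that can actually send SMS.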