Added Sign in with apple, Having error HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout) while Amplify Push

[HappyMakadiyaS]

Before opening, please confirm:

• [X] I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
• [X] I have searched for duplicate or closed issues.
• [X] I have read the guide for submitting bug reports.
• [X] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• [X] I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

curl

If applicable, what version of Node.js are you using?

v19.1.0

Amplify CLI Version

10.5.1

What operating system are you using?

Mac Ventura 13.0.1

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Amplify Categories

auth

Amplify Commands

push

Describe the bug

1. Updating auth via amplify update auth Followed the steps mentioned in the reproduction steps.

2. Applying change to cloud via amplify push Facing Error over here:

   

Cloud watch logs:

INFO    InternalErrorException: Internal server error.
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: ******",
    "PhysicalResourceId": "2022/12/02/[$LATEST]*****",
    "StackId": "****",
    "RequestId": "7550d102-29fc-4377-b31d-d5759f845fbd",
    "LogicalResourceId": "HostedUIProvidersCustomResourceInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "Internal server error.",
            "code": "InternalErrorException",
            "time": "2022-12-02T10:12:13.234Z",
            "requestId": "dbc******",
            "statusCode": 500,
            "retryable": true
        }
    }
}

Expected behavior

I want to configure Sign in with Apple - OAuth social providers using amplify cli.

Reproduction steps

1. Updating auth via amplify update auth
   • What do you want to do? Update OAuth social providers
   • Select the identity providers you want to configure for your user pool: Google, Sign in with Apple
   • Enter your Google Web Client ID for your OAuth flow: ****
   • Enter your Google Web Client Secret for your OAuth flow: ***
   • Enter your Services ID for your OAuth flow: com.myapp.myapp.sid
   • Enter your Team ID for your OAuth flow: ****
   • Enter your Key ID for your OAuth flow: ****
   • Enter your Private Key for your OAuth flow: *****

Note: For the Private key I am entering key from .p8 file by removing -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----, \n, space at the end of line and pasting main private key in single line. (As mentioned here)

2. Applying change to cloud via amplify push Produced error mentioned above

GraphQL schema(s)

```graphql # Put schemas below this line ```

Project Identifier

No response

Log output

``` # Put your logs below this line ```

Additional information

No response

[josefaidt]

Hey @HappyMakadiyaS :wave: thanks for raising this! This seems similar to https://github.com/aws-amplify/amplify-cli/issues/11495, and as a workaround can you try running back through amplify update auth to re-input your social providers' credentials?

Additionally, without posting the contents, can you verify ~/.aws/amplify/deployment-secrets.json contains the proper social provider config for this Amplify project?

[josefaidt]

potential duplicate of #9183, can you see if this comment helps resolve your issue? https://github.com/aws-amplify/amplify-cli/issues/9183#issuecomment-1297651792

note the error is different from "Internal Server Error" when the private key for SIWA is invalid https://github.com/aws-amplify/amplify-cli/issues/9478#issuecomment-1009285200

[HappyMakadiyaS]

@josefaidt, I have done amplify update auth multiple times with the same credentials and tried to push. And it stores proper config in ~/.aws/amplify/deployment-secrets.json.

I am facing an Internal server error as I have said.

{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: ******",
    "PhysicalResourceId": "2022/12/02/[$LATEST]*****",
    "StackId": "****",
    "RequestId": "755******",
    "LogicalResourceId": "HostedUIProvidersCustomResourceInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "Internal server error.",
            "code": "InternalErrorException",
            "time": "2022-12-02T10:12:13.234Z",
            "requestId": "dbc******",
            "statusCode": 500,
            "retryable": true
        }
    }
}

[YuantongL]

Got the same issue here. Revert to previous CLI version don't solve the issue.

[HappyMakadiyaS]

I have configured Sign in with apple via the Cognito user pool console and configured it successfully. Then I checked in amplify studio and Sign in with apple is not there. amplify pull is also not fetching the config.

Another thing: If I try to add Sign in with apple via Amplify Studio, then it throws the same error HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout) and logs which I have mentioned above.

If I'll link the already created user pool to the new amplify app then all goods well. So I think the problem occurs when Auth is added via CLI using amplify add auth.

[josefaidt]

Hey @HappyMakadiyaS would you mind sending us the project ID output from amplify diagnose --send-report? May you also post the contents of your auth resource's cli-inputs.json?

[YuantongL]

Hey @HappyMakadiyaS would you mind sending us the project ID output from amplify diagnose --send-report? May you also post the contents of your auth resource's cli-inputs.json?

Mine if that helps 325445a2b82c24b5ad93ee4df1c519e9

cli-inputs.json

``` { "version": "1", "cognitoConfig": { "identityPoolName": "testAuthIdentityPool", "allowUnauthenticatedIdentities": true, "resourceNameTruncated": "locati018ce4de", "userPoolName": "TapApp", "autoVerifiedAttributes": [ "email" ], "mfaConfiguration": "OFF", "mfaTypes": [ "SMS Text Message" ], "smsAuthenticationMessage": "Your authentication code is {####}", "smsVerificationMessage": "Your verification code is {####}", "emailVerificationSubject": "Your Tap email verification code", "emailVerificationMessage": "

Welcome to tap!

where we talk about places

 

Your email verification code is {####}.

Don't share this code with anyone else, but share amazing chatrooms you found on tap!

", "defaultPasswordPolicy": false, "passwordPolicyMinLength": 8, "passwordPolicyCharacters": [], "requiredAttributes": [ "email" ], "aliasAttributes": [], "userpoolClientGenerateSecret": false, "userpoolClientRefreshTokenValidity": 30, "userpoolClientWriteAttributes": [ "email" ], "userpoolClientReadAttributes": [ "email", "family_name", "gender", "locale", "given_name", "email_verified" ], "userpoolClientLambdaRole": "Locati018ce4de_userpoolclient_lambda_role", "userpoolClientSetAttributes": true, "authSelections": "identityPoolAndUserPool", "resourceName": "TapApp", "serviceName": "Cognito", "useDefault": "manual", "sharedId": "018ce4de", "userPoolGroupList": [ "everyone" ], "userPoolGroups": true, "usernameAttributes": [ "email" ], "usernameCaseSensitive": false, "adminQueries": false, "hostedUI": true, "authRoleArn": { "Fn::GetAtt": [ "AuthRole", "Arn" ] }, "unauthRoleArn": { "Fn::GetAtt": [ "UnauthRole", "Arn" ] }, "breakCircularDependency": false, "useEnabledMfas": false, "dependsOn": [ { "category": "function", "resourceName": "TapAppPostConfirmation", "triggerProvider": "Cognito", "attributes": [ "Arn", "Name" ] } ], "triggers": { "PostConfirmation": [ "add-to-group" ] }, "parentStack": { "Ref": "AWS::StackId" }, "authTriggerConnections": [ "{\"triggerType\":\"PostConfirmation\",\"lambdaFunctionName\":\"TapAppPostConfirmation\"}" ], "permissions": [ "{\n \"policyName\": \"AddToGroupCognito\",\n \"trigger\": \"PostConfirmation\",\n \"effect\": \"Allow\",\n \"actions\": [\n \"cognito-idp:AdminAddUserToGroup\",\n \"cognito-idp:GetGroup\",\n \"cognito-idp:CreateGroup\"\n ],\n \"resource\": {\n \"paramType\": \"!GetAtt\",\n \"keys\": [\n \"UserPool\",\n \"Arn\"\n ]\n }\n}" ], "hostedUIDomainName": "tapapp3ff22423-3ff22423", "authProvidersUserPool": [ "SignInWithApple" ], "hostedUIProviderMeta": "[{\"ProviderName\":\"SignInWithApple\",\"authorize_scopes\":\"email\",\"AttributeMapping\":{\"email\":\"email\"}}]", "authProviders": [ "appleid.apple.com" ], "signinwithappleAuthorizeScopes": [ "email" ], "oAuthSecretsPathAmplifyAppId": "d2qkbb2n3c556e", "thirdPartyAuth": true, "oAuthMetadata": "{\"AllowedOAuthFlows\":[\"code\"],\"AllowedOAuthScopes\":[\"phone\",\"email\",\"openid\",\"profile\",\"aws.cognito.signin.user.admin\"],\"CallbackURLs\":[\"com.TapApp://\"],\"LogoutURLs\":[\"com.TapApp://\"]}" } } ```

My error on the cli

Deployment failed.
Deploying root stack TapApp [ ====------------------------------------ ] 2/20
    amplify-tapapp-develop-195658  AWS::CloudFormation::Stack     UPDATE_ROLLBACK_COMPLETE       Wed Dec 07 2022 22:29:17…     
    functionTapAppPostConfirmation AWS::CloudFormation::Stack     UPDATE_COMPLETE                Wed Dec 07 2022 22:21:42…     
    authTapApp                     AWS::CloudFormation::Stack     UPDATE_FAILED                  Wed Dec 07 2022 22:21:28…     
Deploying auth TapApp [ ---------------------------------------- ] 0/25
    HostedUIProvidersCustomResour… Custom::LambdaCallout          UPDATE_FAILED                  Wed Dec 07 2022 22:21:20…     
    HostedUICustomResourceInputs   Custom::LambdaCallout          UPDATE_FAILED                  Wed Dec 07 2022 22:21:20…     
Deploying auth userPoolGroups [ ---------------------------------------- ] 0/6

🛑 The following resources failed to deploy:
Resource Name: HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout)
Event Type: update
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2022/12/08/[$LATEST]6412bed6939a4dd6926dd0eb5aa58beb (RequestId: 3cd61139-324b-4825-9159-6a4d3c92c271)
URL: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/arn%3Aaws%3Acloudformation%3Aus-east-1%3A969017758831%3Astack%2Famplify-tapapp-develop-195658-authTapApp-1VSLUWFWZA0B8%2F0d8818c0-8ec4-11ec-97a1-0a1b8104e20f/events

🛑 Resource is not in the state stackUpdateComplete

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 9b02aa8d-181a-44e6-9fb8-9b5e0df4026c

[HappyMakadiyaS]

amplify diagnose --send-report

Hey @josefaidt, Created new auth via amplify add auth to reproduce the issue.

I have personally shared the report with you. you might have received the invitation link. https://drive.google.com/file/d/19GXfYaPSi2d6eFoybtMD9BwwKzabwduS/view?usp=sharing

[josefaidt]

Hey folks thanks for posting that information it was certainly helpful, although I am unable to reproduce this issue. I've marked this as "investigating" and "pending-review" as I am taking a deeper look. In the meantime are you seeing any additional logs from the Lamdbda callout's output? The stack trace is helpful, however there are a few Cognito requests in this Lambda callout.

copy of custom Lambda

```js const response = require('cfn-response'); const aws = require('aws-sdk'); const identity = new aws.CognitoIdentityServiceProvider(); exports.handler = (event, context, callback) => { try { const userPoolId = event.ResourceProperties.userPoolId; let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta); let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds); if (hostedUIProviderCreds.length === 0) { response.send(event, context, response.SUCCESS, {}); } if (event.RequestType == 'Delete') { response.send(event, context, response.SUCCESS, {}); } if (event.RequestType == 'Update' || event.RequestType == 'Create') { let getRequestParams = providerName => { let providerMetaIndex = hostedUIProviderMeta.findIndex(provider => provider.ProviderName === providerName); let providerMeta = hostedUIProviderMeta[providerMetaIndex]; let providerCredsIndex = hostedUIProviderCreds.findIndex(provider => provider.ProviderName === providerName); let providerCreds = hostedUIProviderCreds[providerCredsIndex]; let requestParams = { ProviderName: providerMeta.ProviderName, UserPoolId: userPoolId, AttributeMapping: providerMeta.AttributeMapping, }; if (providerMeta.ProviderName === 'SignInWithApple') { if (providerCreds.client_id && providerCreds.team_id && providerCreds.key_id && providerCreds.private_key) { requestParams.ProviderDetails = { client_id: providerCreds.client_id, team_id: providerCreds.team_id, key_id: providerCreds.key_id, private_key: providerCreds.private_key, authorize_scopes: providerMeta.authorize_scopes, }; } else { requestParams = null; } } else { if (providerCreds.client_id && providerCreds.client_secret) { requestParams.ProviderDetails = { client_id: providerCreds.client_id, client_secret: providerCreds.client_secret, authorize_scopes: providerMeta.authorize_scopes, }; } else { requestParams = null; } } return requestParams; }; let createIdentityProvider = providerName => { let requestParams = getRequestParams(providerName); if (!requestParams) { return Promise.resolve(); } requestParams.ProviderType = requestParams.ProviderName; return identity.createIdentityProvider(requestParams).promise(); }; let updateIdentityProvider = providerName => { let requestParams = getRequestParams(providerName); if (!requestParams) { return Promise.resolve(); } return identity.updateIdentityProvider(requestParams).promise(); }; let deleteIdentityProvider = providerName => { let params = { ProviderName: providerName, UserPoolId: userPoolId }; return identity.deleteIdentityProvider(params).promise(); }; let providerPromises = []; identity .listIdentityProviders({ UserPoolId: userPoolId, MaxResults: 60 }) .promise() .then(result => { console.log(result); let providerList = result.Providers.map(provider => provider.ProviderName); let providerListInParameters = hostedUIProviderMeta.map(provider => provider.ProviderName); hostedUIProviderMeta.forEach(providerMetadata => { if (providerList.indexOf(providerMetadata.ProviderName) > -1) { providerPromises.push(updateIdentityProvider(providerMetadata.ProviderName)); } else { providerPromises.push(createIdentityProvider(providerMetadata.ProviderName)); } }); providerList.forEach(provider => { if (providerListInParameters.indexOf(provider) < 0) { providerPromises.push(deleteIdentityProvider(provider)); } }); return Promise.all(providerPromises); }) .then(() => { response.send(event, context, response.SUCCESS, {}); }) .catch(err => { console.log(err.stack); response.send(event, context, response.FAILED, { err }); }); } } catch (err) { console.log(err.stack); response.send(event, context, response.FAILED, { err }); } }; ```

Thus far I have attempted to add SIWA on the initial creation, after update of a default social resource, update of a default social resource with one social provider, among several attempted updates of an existing resource after miscellaneous updates to no avail.

[josefaidt]

possible duplicate of https://github.com/aws-amplify/amplify-cli/issues/10952

[YuantongL]

@josefaidt I'm able to resolve my issue, when I go to my /aws/lambda/amplify-tapapp-develop-19-HostedUIProvidersCustomR-szswNLPP2izF in CloudWatch I found an error log

2022-12-11T02:11:46.293Z    ccb0cf7b-740a-4c2c-9c3c-3469b062af02    INFO    Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2022/12/11/[$LATEST]7a220c662d4342b0941210d9752ade00","PhysicalResourceId":"2022/12/11/[$LATEST]7a220c662d4342b0941210d9752ade00","StackId":"arn:aws:cloudformation:us-east-1:969017758831:stack/amplify-tapapp-develop-195658-authTapApp-1VSLUWFWZA0B8/0d8818c0-8ec4-11ec-97a1-0a1b8104e20f","RequestId":"2cf3c680-65bf-45a1-9388-f7e9f4b31a9d","LogicalResourceId":"HostedUIProvidersCustomResourceInputs","NoEcho":false,"Data":{"err":{"message":"Provided private key cannot be used for Sign in with Apple.","code":"InvalidParameterException","time":"2022-12-11T02:11:46.286Z","requestId":"d15417b8-5b52-41d1-9f5f-d81127428f58","statusCode":400,"retryable":false,"retryDelay":20.170657897838073}}}

After passing the correct formated .p8 value (the entire thing as 1 line string) to the cli, the push succeeded.

I'm not sure this is the same issue to this original issue though. Also it'd be nice to display this nested error in cli too, it will be super helpful for self diagnosing.

[josefaidt]

Hey @YuantongL glad to hear you were able to resolve your issue, and yes I agree that this error should be surfaced faster during the CLI workflow. Please subscribe and react to this feature request to add input validation https://github.com/aws-amplify/amplify-cli/issues/8097

[ykethan]

was able to consistently reproduce this issue using Amplify studio with the following steps

1. select authentication
2. remove email and add phone number as login mechanism
3. add social signin with apple
4. add credentials (i pasted the key in with the -----BEGIN PRIVATE KEY-----) and deploy

[josefaidt]

Marking this as a bug given the Studio reproduction. For what it's worth I am unable to reproduce using the same Phone number requirement and SIWA with the CLI

➜  ay update auth
Please note that certain attributes may not be overwritten if you choose to use defaults settings.
Using service: Cognito, provided by: awscloudformation
 What do you want to do? Apply default configuration with Social Provider (Federat
ion)
 What domain name prefix do you want to use? 115262f032cea-2f032cea
 Enter your redirect signin URI: http://localhost:3000/
? Do you want to add another redirect signin URI No
 Enter your redirect signout URI: http://localhost:3000/
? Do you want to add another redirect signout URI No
 Select the identity providers you want to configure for your user pool: Sign in w
ith Apple

 You've opted to allow users to authenticate via Sign in with Apple. If you haven'
t already, you'll need to go to https://developer.apple.com/account/#/welcome and 
configure Sign in with Apple. 

 Enter your Services ID for your OAuth flow:  fake
 Enter your Team ID for your OAuth flow:  fake
 Enter your Key ID for your OAuth flow: fake
 Enter your Private Key for your OAuth flow: <valid-private-key>

[ykethan]

Note: further testing on CLI.

using add auth headless with -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- causes the hosted provider function to fail.

ran: cat authadd.json | jq -c | amplify add auth --headless

with content

{
  "version": 2,
  "resourceName": "test",
  "serviceConfiguration": {
    "serviceName": "Cognito",
    "includeIdentityPool": true,
    "identityPoolConfiguration": {
      "identityPoolName": "testAuthIdentityPool",
      "unauthenticatedLogin": false
    },
    "userPoolConfiguration": {
      "userPoolName": "test",
      "signinMethod": "PHONE_NUMBER",
      "requiredSignupAttributes": [],
      "userPoolGroups": [],
      "mfa": {
        "mode": "OFF"
      },
      "passwordPolicy": {
        "minimumLength": 8,
        "additionalConstraints": [
          "REQUIRE_LOWERCASE",
          "REQUIRE_DIGIT",
          "REQUIRE_SYMBOL",
          "REQUIRE_UPPERCASE"
        ]
      },
      "autoVerifiedAttributes": [
        {
          "type": "EMAIL",
          "verificationSubject": "Verification code: {####}",
          "verificationMessage": "Verification code: {####}"
        }
      ],
      "oAuth": {
        "domainPrefix": "domain",
        "redirectSigninURIs": ["https://localhost:3000/"],
        "redirectSignoutURIs": ["https://localhost:3000/"],
        "oAuthGrantType": "CODE",
        "oAuthScopes": [
          "PHONE",
          "EMAIL",
          "OPENID",
          "PROFILE",
          "AWS.COGNITO.SIGNIN.USER.ADMIN"
        ],
        "socialProviderConfigurations": [
          {
            "provider": "SIGN_IN_WITH_APPLE",
            "clientId": "id",
            "teamId": "id",
            "keyId": "id",
            "privateKey": "-----BEGIN PRIVATE KEY----- <Key> -----END PRIVATE KEY-----"
          }
        ]
      }
    }
  }
}

then amplify push fails and cloudwatch logs shows internal server error

[Amplifiyer]

@ykethan can you confirm if the issue you are seeing is because of not including the -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----

I found that internal service exception is happening because a required oauth authorized scope was missing from the request which is caused by leaving the requiredSignupAttributes as empty. It needs to have PHONE_NUMBER included in it since that's the signup method for your user pool.

[HappyMakadiyaS]

Hey @Amplifiyer, I have tested again and you are right, this issue is occurring only when requiredSignupAttributes / signupAttributes is empty.

But my current use cases contain multiple authentication methods like email/pass auth, OTP-based Phone number (Custom auth) and Social Sign in. So I can not make it email/phone-number as a required parameter during sign-up.

Do you know why this attribute dependency is for SIWA only and not for other social providers?

[prayingmantislab]

I am facing this issue as well

[amitchaudhary140]

@josefaidt Still facing this issue in both Studio and CLI

[ekreloff]

@HappyMakadiyaS I was able to solve the deployment by making sure the attribute mapping under hostedUIProviderMeta in cli-inputs.json was correct for the apple provider:

"[{\"ProviderName\":\"SignInWithApple\",\"authorize_scopes\":\"email\",\"AttributeMapping\":{\"email\":\"email\"}}]",

[alpha-adam]

@ekreloff THANK YOU SO MUCH ❤️

[ykethan]

Note: Reproduction steps from https://github.com/aws-amplify/amplify-cli/issues/13549#issuecomment-1904694484

~/.amplify/bin/amplify init --yes

echo '{"version":2,"resourceName":"jan22","serviceConfiguration":{"serviceName":"Cognito","includeIdentityPool":true,"identityPoolConfiguration":{"identityPoolName":"testAuthIdentityPool","unauthenticatedLogin":false},"userPoolConfiguration":{"userPoolName":"jan22","signinMethod":"EMAIL","requiredSignupAttributes":[],"userPoolGroups":[],"mfa":{"mode":"OFF"},"passwordPolicy":{"minimumLength":8,"additionalConstraints":["REQUIRE_LOWERCASE","REQUIRE_DIGIT","REQUIRE_SYMBOL","REQUIRE_UPPERCASE"]},"autoVerifiedAttributes":[{"type":"EMAIL","verificationSubject":"Verification code: {####}","verificationMessage":"Verification code: {####}"}],"oAuth":{"domainPrefix":"gnardcpta3i9","redirectSigninURIs":["http://localhost:3000/"],"redirectSignoutURIs":["http://localhost:3000/"],"oAuthGrantType":"CODE","oAuthScopes":["PHONE","EMAIL","OPENID","PROFILE","AWS.COGNITO.SIGNIN.USER.ADMIN"],"socialProviderConfigurations":[{"provider":"SIGN_IN_WITH_APPLE","clientId":"***","teamId":"***","keyId":"***","privateKey":"***"}]}}}}' | ~/.amplify/bin/amplify add auth --headless

~/.amplify/bin/amplify push --yes