aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Unable to add storage to Amplify app with custom Cognito user pool (using Azure AD IDP) #13662

Closed sumitsahoo closed 7 months ago

sumitsahoo commented 7 months ago

JavaScript Framework

React

Amplify APIs

Storage

Amplify Version

v6

Amplify Categories

storage

Backend

Amplify CLI

Environment information

```
System:
  OS: macOS 14.4
  CPU: (10) arm64 Apple M1 Pro
  Memory: 230.30 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.10.0 - ~/.nvm/versions/node/v20.10.0/bin/node
  npm: 10.2.3 - ~/.nvm/versions/node/v20.10.0/bin/npm
Browsers:
  Brave Browser: 122.1.63.174
  Chrome: 123.0.6312.59
  Edge: 122.0.2365.92
  Safari: 17.4
npmPackages:
  @aws-amplify/ui-react: ^6.1.6 => 6.1.6
  @aws-amplify/ui-react-internal: undefined ()
  @headlessui/react: ^1.7.18 => 1.7.18
  @heroicons/react: ^2.1.1 => 2.1.1
  @hookform/resolvers: ^3.3.4 => 3.3.4
  @hookform/resolvers/ajv: 1.0.0
  @hookform/resolvers/arktype: 1.0.0
  @hookform/resolvers/class-validator: 1.0.0
  @hookform/resolvers/computed-types: 1.0.0
  @hookform/resolvers/io-ts: 1.0.0
  @hookform/resolvers/joi: 1.0.0
  @hookform/resolvers/nope: 1.0.0
  @hookform/resolvers/superstruct: 1.0.0
  @hookform/resolvers/typanion: 1.0.0
  @hookform/resolvers/typebox: 1.0.0
  @hookform/resolvers/valibot: 1.0.0
  @hookform/resolvers/vest: 1.0.0
  @hookform/resolvers/yup: 1.0.0
  @hookform/resolvers/zod: 1.0.0
  @reduxjs/toolkit: ^2.2.1 => 2.2.1
  @reduxjs/toolkit-query: 1.0.0
  @reduxjs/toolkit-query-react: 1.0.0
  @reduxjs/toolkit-react: 1.0.0
  @types/react: ^18.2.43 => 18.2.48
  @types/react-dom: ^18.2.17 => 18.2.18
  @vitejs/plugin-react: ^4.2.1 => 4.2.1
  @zxing/browser: ^0.1.4 => 0.1.4
  @zxing/library: ^0.20.0 => 0.20.0
  autoprefixer: ^10.4.17 => 10.4.17
  aws-amplify: ^6.0.20 => 6.0.20
  aws-amplify/adapter-core: undefined ()
  aws-amplify/analytics: undefined ()
  aws-amplify/analytics/kinesis: undefined ()
  aws-amplify/analytics/kinesis-firehose: undefined ()
  aws-amplify/analytics/personalize: undefined ()
  aws-amplify/analytics/pinpoint: undefined ()
  aws-amplify/api: undefined ()
  aws-amplify/api/server: undefined ()
  aws-amplify/auth: undefined ()
  aws-amplify/auth/cognito: undefined ()
  aws-amplify/auth/cognito/server: undefined ()
  aws-amplify/auth/enable-oauth-listener: undefined ()
  aws-amplify/auth/server: undefined ()
  aws-amplify/datastore: undefined ()
  aws-amplify/in-app-messaging: undefined ()
  aws-amplify/in-app-messaging/pinpoint: undefined ()
  aws-amplify/push-notifications: undefined ()
  aws-amplify/push-notifications/pinpoint: undefined ()
  aws-amplify/storage: undefined ()
  aws-amplify/storage/s3: undefined ()
  aws-amplify/storage/s3/server: undefined ()
  aws-amplify/storage/server: undefined ()
  aws-amplify/utils: undefined ()
  eslint: ^8.55.0 => 8.56.0
  eslint-config-prettier: ^9.1.0 => 9.1.0
  eslint-plugin-import: ^2.29.1 => 2.29.1
  eslint-plugin-react: ^7.33.2 => 7.33.2
  eslint-plugin-react-hooks: ^4.6.0 => 4.6.0
  eslint-plugin-react-refresh: ^0.4.5 => 0.4.5
  moment: ^2.30.1 => 2.30.1
  postcss: ^8.4.33 => 8.4.33
  prettier: ^3.2.5 => 3.2.5
  react: ^18.2.0 => 18.2.0
  react-barcode: ^1.4.6 => 1.4.6
  react-dom: ^18.2.0 => 18.2.0
  react-hook-form: ^7.50.1 => 7.50.1
  react-qr-code: ^2.0.12 => 2.0.12
  react-redux: ^9.1.0 => 9.1.0
  react-router-dom: ^6.22.1 => 6.22.1
  tailwindcss: ^3.4.1 => 3.4.1
  vite: ^5.0.8 => 5.0.12
  vite-plugin-pwa: ^0.17.5 => 0.17.5
  yup: ^1.3.3 => 1.3.3
npmGlobalPackages:
  corepack: 0.22.0
  npm: 10.2.3
  pm2: 5.3.0
```

Describe the bug

We are unable to add storage to our Amplify app. If you refer to aws-amplify/amplify-js#13119, we have set up login using a custom user pool with a SAML federated identity provider, i.e., Azure AD. We have also defined a Hosted UI with the required details, and we are now able to log in successfully. But when we try to add storage, either from Amplify Studio or the CLI, we get the error message below.

Error: Invalid Auth configuration. Your imported Auth resource does not have an identity pool. Please add an identity pool before setting up Storage.

Screenshots (images not included in this page): Amplify Studio (Screenshot 2024-03-20 at 4 25 12 PM) and Amplify CLI (Screenshot 2024-03-20 at 4 30 52 PM).

Expected behavior

Storage should get added without error.

Reproduction steps

  1. Create a user pool with SAML provider (Azure AD)
  2. Define a client with Hosted UI and add metadata URL from Azure
  3. Import the user pool in Amplify as Auth
  4. Try to add storage

Code Snippet

```
amplify add storage
```

Log output

NA

Manual configuration

```javascript
Amplify.configure({
    Auth: {
        Cognito: {
            userPoolClientId: 'xxxx',
            userPoolId: 'eu-west-1_xxxx',
            loginWith: {
                oauth: {
                    domain: 'xxxx.amazoncognito.com',
                    scopes: ['openid email aws.cognito.signin.user.admin'],
                    redirectSignIn: ['http://localhost:5173'],
                    redirectSignOut: ['http://localhost:5173'],
                    responseType: 'code',
                },
            },
        },
    },
    API: {
        GraphQL: {
            endpoint:
                'https://xxxx.eu-west-1.amazonaws.com/graphql',
            region: 'eu-west-1',
            // Set the default auth mode to "userPool"
            defaultAuthMode: 'userPool',
        },
    },
});
```

sumitsahoo commented 7 months ago

@israx Created this new bug report

nadetastic commented 7 months ago

Hi @sumitsahoo im going to transfer this over to the CLI repo for better assistance.

ykethan commented 7 months ago

Hey @sumitsahoo, are you importing a Cognito identity pool on `amplify import auth`? The storage category requires an identity pool to be set up on the auth resource.

sumitsahoo commented 7 months ago

@ykethan Yes I have tried to create and attach the user pool as seen from the screenshot below but no luck. I even tried to remove and then re-add auth after adding the identity pool. Do we have any documentation that I can follow?

Screenshots (images not included in this page): Screenshot 2024-03-22 at 9 27 02 AM, SCR-20240322-itww

ykethan commented 7 months ago

@sumitsahoo thank you for the screenshots. I noticed that the Guest access/unauthenticated role has not been enabled. Could you enable Guest access and re-import the auth user pool and identity pool?

https://github.com/aws-amplify/amplify-cli/blob/52aea18fddd95af6f855d1c6d9e3e4b16a8d1146/packages/amplify-category-storage/src/provider-utils/awscloudformation/service-walkthroughs/s3-auth-api.ts#L56

sumitsahoo commented 7 months ago

@ykethan Yes, you were right. I did not select guest access as we do not have any use for it. After I added guest access, I can set up storage. Screenshot below. But is this a bug? Do we always have to enable guest access even though we do not need it?

Screenshot (image not included in this page): SCR-20240322-rlwh

ykethan commented 7 months ago

@sumitsahoo this is currently the expected behavior. If you do not require unauthenticated access, you can configure the role without any policies attached.
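A way to verify the two points made in this thread, as an added example that is not Amplify CLI code or the maintainer's: guest access must be enabled on the identity pool for `amplify add storage` to accept the imported auth resource, and when guests are not actually needed the unauthenticated role should carry no IAM policies at all. The offline part runs on constructed sample data; the `fetch_live` helper is an assumption that boto3 and AWS credentials are available.

```python
"""Check that a Cognito identity pool meets the storage category's requirement
(guest access enabled) without over-granting: if guests are not needed, the
unauthenticated role should carry no IAM policies at all. Added example, not
Amplify CLI code; the pool/role samples below are constructed."""
from typing import Dict, List, Tuple


def audit_identity_pool(pool: Dict, unauth_role: Dict) -> Tuple[bool, List[str]]:
    """Return (ok, findings). `pool` mirrors a describe_identity_pool response;
    `unauth_role` lists the policy names found on the unauthenticated role."""
    findings: List[str] = []
    if not pool.get("AllowUnauthenticatedIdentities"):
        findings.append("guest access is disabled: the storage walkthrough "
                        "rejects an imported auth resource without it")
    for name in unauth_role.get("AttachedPolicies", []) + unauth_role.get("InlinePolicies", []):
        findings.append(f"unauthenticated role carries policy {name!r}; "
                        "drop it unless guest users really need that access")
    return (not findings, findings)


def fetch_live(pool_id: str, region: str) -> Tuple[Dict, Dict]:
    """Optional live path (assumes boto3 and credentials): pull the same two
    inputs from AWS using the cognito-identity and iam APIs."""
    import boto3  # imported here so the offline part runs without it
    ci = boto3.client("cognito-identity", region_name=region)
    iam = boto3.client("iam")
    pool = ci.describe_identity_pool(IdentityPoolId=pool_id)
    roles = ci.get_identity_pool_roles(IdentityPoolId=pool_id).get("Roles", {})
    unauth_arn = roles.get("unauthenticated")
    if not unauth_arn:
        return pool, {"AttachedPolicies": [], "InlinePolicies": []}
    role_name = unauth_arn.split("/")[-1]
    attached = [p["PolicyName"] for p in
                iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
    inline = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    return pool, {"AttachedPolicies": attached, "InlinePolicies": inline}


# Constructed samples with placeholder ids (not the reporter's pool).
POOL_GUEST_OFF = {"IdentityPoolId": "eu-west-1:00000000-0000-0000-0000-000000000000",
                  "AllowUnauthenticatedIdentities": False}
POOL_GUEST_ON = dict(POOL_GUEST_OFF, AllowUnauthenticatedIdentities=True)
ROLE_EMPTY = {"AttachedPolicies": [], "InlinePolicies": []}
ROLE_WITH_S3 = {"AttachedPolicies": [], "InlinePolicies": ["guest-s3-read"]}

if __name__ == "__main__":
    for label, pool, role in [("guest off", POOL_GUEST_OFF, ROLE_EMPTY),
                              ("guest on, empty role", POOL_GUEST_ON, ROLE_EMPTY),
                              ("guest on, S3 policy", POOL_GUEST_ON, ROLE_WITH_S3)]:
        ok, findings = audit_identity_pool(pool, role)
        print(label, "OK" if ok else findings)
```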

sumitsahoo commented 7 months ago

@ykethan Thanks for the help. Closing the case.

github-actions[bot] commented 7 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.