aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Support attributes for access control for Cognito identity providers #9747

Open dorontal opened 2 years ago

dorontal commented 2 years ago

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

7.6.19

What operating system are you using?

Debian 11

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

After setting up attributes for access control [ as described, in general, in this AWS article, but the change I made is described more specifically in this comment of this issue ], no user can sign in to the app successfully via the usual email/password Auth flow.

If I remove the attributes-for-access-control step, this issue goes away: users can sign in with no problems.

But adding attributes for access control causes the authentication to fail with errors (on Android) like "failed to federate token".

Amplify Categories

auth

Amplify Commands

Not applicable

Describe the bug

After setting up attributes for access control [ as described, in general, in this AWS article, but the change I made is described more specifically in this comment of this issue, which you only need to follow up to and including step 2 ], no user can sign in to the app successfully via the usual email/password Auth flow.

If I remove the attributes-for-access-control step, this issue goes away: users can sign in with no problems.

But adding attributes for access control causes this issue to come up.

Expected behavior

I expected that when you add attributes for access control to your project and map cognitoId --> sub using this mechanism, as described here, this would not interfere with the Amplify Auth category's behavior. I expected that these two, Amplify and attributes for access control, could be used together in the same project.

Reproduction steps

  1. Set up a simple email / password auth Amplify app.
  2. Add attributes for access control as described in this comment of this issue. NOTE you only need to follow up to and including step 2.
  3. Now try to have a signed-up user sign-in to your app and you'll get this issue.

GraphQL schema(s)

```graphql
# Put schemas below this line
```

Log output

```
# Put your logs below this line
```

Additional information

This issue was originally showing up in an Amplify-Flutter app, so I reported it in the amplify-flutter repository. However, at the time it was reported there, I did not know that it had nothing to do with Flutter. I have now closed that old issue, but it has a lot of logs and other info that may be relevant to this one. Here is the previous version of this issue with some more logs and details.

edwardfoyle commented 2 years ago

Hi @dorontal. Amplify currently doesn't support attributes for access control for identity providers. Marking this as a feature request.

sebsto commented 7 months ago

Hello @edwardfoyle and team.

IMHO, there is a legitimate use case to add support for mapped attributes between Cognito User Pool and Cognito Identity Pool.

I develop an Amplify app that uses an AWS SDK to call the EC2 API. I want to create an IAM policy that has resource conditions to limit access to resources tagged for specific users.

To enable that, I must enable attribute mapping on the Identity Pool to bring Cognito User Pool attributes into the Identity Pool, which is the only one visible (actionable) from IAM policies.
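What "attributes for access control" actually wires up, and why the EC2 use case in the comment above depends on it, as an added example. This is not code from the Amplify CLI or from either commenter: it assembles (1) the parameters for the Cognito Identity `SetPrincipalTagAttributeMap` call that copies a User Pool claim (here `sub`) into a principal tag on the federated session, and (2) an IAM policy for the identity pool's authenticated role that only allows EC2 actions on instances whose tag equals that principal tag. A small evaluator for the `StringEquals` / `aws:ResourceTag` / `aws:PrincipalTag` subset of IAM then shows the policy admitting a user's own instances and refusing everyone else's, including the case where the mapping was never configured and the tag is absent. The region, pool IDs and the tag names `username` and `owner` are placeholders chosen for the example.

```python
"""Added example (not Amplify's or the issue author's code): principal-tag
mapping from a Cognito User Pool claim plus an ABAC policy that uses it.
Region, pool IDs and tag names below are placeholders/assumptions."""
import fnmatch
import re

REGION = "us-east-1"                                                  # assumption
USER_POOL_ID = "us-east-1_EXAMPLE"                                    # placeholder
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # placeholder


def principal_tag_mapping(region=REGION, user_pool_id=USER_POOL_ID,
                          identity_pool_id=IDENTITY_POOL_ID,
                          tag_name="username", claim="sub"):
    """Keyword arguments for boto3's cognito-identity client:
    client.set_principal_tag_attribute_map(**principal_tag_mapping()).
    UseDefaults=False so that only the listed claim-to-tag mapping is applied."""
    return {
        "IdentityPoolId": identity_pool_id,
        "IdentityProviderName": f"cognito-idp.{region}.amazonaws.com/{user_pool_id}",
        "UseDefaults": False,
        "PrincipalTags": {tag_name: claim},
    }


def ec2_abac_policy(tag_name="username", resource_tag="owner"):
    """Policy document for the identity pool's authenticated role.
    DescribeInstances is not resource-scoped in EC2, so it is allowed broadly;
    the mutating actions are allowed only when the instance's `owner` tag equals
    the caller's principal tag, i.e. the mapped Cognito `sub`."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListInstances",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances"],
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnInstancesOnly",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        f"aws:ResourceTag/{resource_tag}": f"${{aws:PrincipalTag/{tag_name}}}"
                    }
                },
            },
        ],
    }


_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, principal_tags, resource_tags):
    """Toy evaluator for StringEquals over aws:PrincipalTag/* and aws:ResourceTag/*.
    As in IAM, a missing tag or an unresolvable policy variable makes it false."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        elif key.startswith("aws:PrincipalTag/"):
            actual = principal_tags.get(key[len("aws:PrincipalTag/"):])
        else:
            return False  # condition key kind not modelled here
        if any(ref not in principal_tags for ref in _VAR.findall(expected)):
            return False  # ${aws:PrincipalTag/x} with no such session tag
        wanted = _VAR.sub(lambda m: principal_tags[m.group(1)], expected)
        if actual is None or actual != wanted:
            return False
    return True


def is_allowed(policy, action, resource_arn, principal_tags, resource_tags):
    """Deny by default; an explicit Deny wins; otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = ec2_abac_policy()
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    alice = {"username": "alice-sub-uuid"}  # constructed session tags after mapping
    print(is_allowed(policy, "ec2:StopInstances", arn, alice, {"owner": "alice-sub-uuid"}))  # True
    print(is_allowed(policy, "ec2:StopInstances", arn, alice, {"owner": "bob-sub-uuid"}))    # False
    print(is_allowed(policy, "ec2:StopInstances", arn, {}, {"owner": "alice-sub-uuid"}))     # False
```

The third case is the one that matters for the feature request: without the claim-to-tag mapping on the identity pool, the federated session carries no `username` tag, `${aws:PrincipalTag/username}` cannot resolve, and the policy denies every instance even though the resource is tagged correctly. The `SetPrincipalTagAttributeMap` parameters are the same ones the `aws cognito-identity set-principal-tag-attribute-map` CLI command takes; after applying them, check the mapping with `get-principal-tag-attribute-map` and verify that the authenticated role's trust policy allows `sts:TagSession`, which is required for tags to be attached to the role session.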