aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

Error occurred awaiting for device token to register device with Pinpoint, Invalid identity pool configuration. Check assigned IAM roles for this pool. #5039

Open MishaPadalka opened 1 week ago

MishaPadalka commented 1 week ago

Description

When running the app on both Android and iOS I face this issue during the configureAmplify() method, which is called inside main():

Future<void> main() async {
  final binding = WidgetsFlutterBinding.ensureInitialized();
  await EasyLocalization.ensureInitialized();
  configureDependencies();
  await configureAmplify();
  await _configureFirebase();
  await fetchAuth();
  runApp(....);
}

Future<void> configureAmplify() async {
  try {
    final auth = AmplifyAuthCognito();
    final api = AmplifyAPI();
    final pushPlugin = AmplifyPushNotificationsPinpoint();

    await Amplify.addPlugin(auth);
    await Amplify.addPlugin(api);
    await Amplify.addPlugin(pushPlugin);

    await Amplify.configure(amplifyconfig);
  } on Exception catch (e) {
    safePrint('An error occurred configuring Amplify: $e');
  }
}

When I remove await Amplify.addPlugin(pushPlugin); I don't receive this error. I use existing resources; here is my amplifyconfig:

{
    "UserAgent": "aws-amplify-cli/2.0",
    "Version": "1.0",
    "api": {
        "plugins": {
            "awsAPIPlugin": {
                "DevCubeAirApi": {
                    "endpointType": "GraphQL",
                    "endpoint": "<graphql-endpoint>",
                    "region": "us-east-2",
                    "authorizationType": "AMAZON_COGNITO_USER_POOLS"
                }
            }
        }
    },
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "IdentityManager": {
                    "Default": {}
                },
                "CredentialsProvider": {
                    "CognitoIdentity": {
                        "Default": {
                            "PoolId": "us-east-2:<pool-id>",
                            "Region": "us-east-2"
                        }
                    }
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": "<pool-id>",
                        "AppClientId": "<app-client>",
                        "Region": "us-east-2"
                    }
                },
                "Auth": {
                    "Default": {
                        "authenticationFlowType": "USER_SRP_AUTH",
                        "OAuth": {
                            "WebDomain": "<web-domain>",
                            "AppClientId": "<app-client>",
                            "SignInRedirectURI": "myapp://",
                            "SignOutRedirectURI": "myapp://",
                            "Scopes": [
                                "phone",
                                "email",
                                "openid",
                                "profile",
                                "aws.cognito.signin.user.admin"
                            ]
                        }
                    }
                }
            }
        }
    },
    "notifications": {
        "plugins": {
            "awsPinpointPushNotificationsPlugin": {
                "appId": "<pinpoint-app-id>",
                "region": "us-east-2"
            }
        }
    }
}

Here is the AWS Cognito identity pool information:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-2:<pool-id>" // same as in the configuration file and cognito identity pool id
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:GetCredentialsForIdentity",
                "mobiletargeting:*",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": "*"
        }
    ]
}

Steps to Reproduce

Open the app -> run main() -> run configureAmplify() -> error appears

Screenshots

[screenshot]

Flutter Version

3.19.0

Amplify Flutter Version

1.8.0

Deployment Method

Amplify CLI + Custom Pipeline

Schema

No response

tyllark commented 1 week ago

Hello @MishaPadalka thank you for submitting this issue. We will look into this and get back to you!

tyllark commented 1 week ago

Hello @MishaPadalka, after reviewing our documentation for setting up push notifications we found this excerpt:

Authorizing the app for analytics events is crucial for unauthenticated users, particularly if you intend to configure Amplify or send push notifications to your users before their authentication. If authorization is declined, please keep in mind that updating the Cognito user pool would become necessary, and any subsequent updates could potentially result in the deletion of the current user data.

Your role trust policy seems to be configured for authenticated access:

"cognito-identity.amazonaws.com:amr": "authenticated"

Could you please try updating your trust policy to "unauthenticated" and let us know if that resolves your issue.

MishaPadalka commented 1 week ago

Hello @tyllark, I tried to update the trust policy to unauthenticated but it didn't help; the same error occurs. Maybe there is another option in which this error can occur? Also I wanted to add that during the first run I receive this error:

[screenshot]

but after a hot restart I receive this one:

[screenshot]

tyllark commented 2 days ago

@MishaPadalka Sorry for the delay. Can you please verify the status of guest access in your identity pool?

AWS Console -> Cognito -> Identity pools -> Identity pool name -> User access -> Guest access

[screenshot]

If guest access is inactive try activating it and verify again that the guest role's trust relationship is unauthenticated.
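An offline check of the two conditions tyllark's replies point at (guest access active on the identity pool, and the guest role's trust policy admitting the pool's "unauthenticated" identities), written as an added example for this thread rather than code from amplify-flutter or AWS. The policy it inspects is reconstructed from the one MishaPadalka posted, keeping the issue's own <pool-id> placeholder; in a real audit the inputs would be the pool's guest-access setting and the guest role's AssumeRolePolicyDocument.

```python
import copy
import fnmatch
AUD = "cognito-identity.amazonaws.com:aud"
AMR = "cognito-identity.amazonaws.com:amr"

def _as_list(v):
    # IAM accepts a single string or a list for Action and condition values.
    return v if isinstance(v, list) else [v]

def check_guest_role(pool_id, allow_unauthenticated, trust_policy):
    """Return findings; an empty list means the pool's guests can assume the role."""
    findings = []
    if not allow_unauthenticated:
        findings.append("guest access is inactive on the identity pool")
    reasons = []
    for st in trust_policy.get("Statement", []):
        principal = st.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if (st.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", []))
                or federated != "cognito-identity.amazonaws.com"):
            continue
        cond = st.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(AUD, []))
        # amr is matched with StringLike, so a pattern such as "*" also admits guests.
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(AMR, []))
        if pool_id not in aud:
            reasons.append(f"aud {aud} does not name pool {pool_id}")
        elif not any(fnmatch.fnmatch("unauthenticated", p) for p in amr):
            reasons.append(f"amr {amr} excludes unauthenticated identities")
        else:
            return findings  # this statement admits the pool's guest identities
    findings.append("trust policy: " + ("; ".join(reasons)
                    or "no cognito-identity AssumeRoleWithWebIdentity statement"))
    return findings

# Trust policy as posted in the issue (amr restricted to "authenticated").
ISSUE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD: "us-east-2:<pool-id>"},
                      "ForAnyValue:StringLike": {AMR: "authenticated"}},
    }],
}
# The maintainer's suggested change for the guest role.
GUEST_TRUST_POLICY = copy.deepcopy(ISSUE_TRUST_POLICY)
GUEST_TRUST_POLICY["Statement"][0]["Condition"]["ForAnyValue:StringLike"][AMR] = "unauthenticated"
```

Running check_guest_role("us-east-2:<pool-id>", True, ISSUE_TRUST_POLICY) reports the amr mismatch the maintainer pointed out, while the same call on GUEST_TRUST_POLICY returns no findings.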