aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Logged user part of a Cognito Group can't access Pinpoint Analytics #7800

Closed giorgiocarniel closed 1 year ago

giorgiocarniel commented 3 years ago

**Describe the bug**
I've added Analytics in my Amplify React project, but Pinpoint seems to be accessible just when the user is logged out of the application. When the user (which is part of the Cognito Group called Users) logs in, the Pinpoint endpoint is not accessible.

**To Reproduce**

  1. Have an application that manages user login/signup with Cognito
  2. Track something with the Analytics module

     ```js
     import Amplify, { Analytics } from "aws-amplify";

     Analytics.autoTrack('session', { enable: true });

     Analytics.autoTrack('pageView', { enable: true, type: 'SPA' });

     Analytics.enable();
     ```

  3. Log in to the application
  4. See errors

![pinport_response](https://user-images.githubusercontent.com/69838480/108741574-29362f00-7537-11eb-9741-73a0b453555f.png)

**Expected behavior**
Pinpoint should be accessible even when the logged user is part of a Cognito group.

**What is Configured?**

```
"@aws-amplify/cli": "^4.44.0",
"amplify": "0.0.11",
"aws-amplify": "^3.3.17",
"aws-amplify-react": "^4.2.21",
```

```js
const awsmobile = {
    "aws_project_region": "eu-central-1",
    "aws_cognito_identity_pool_id": "eu-central-1:fakeidhere",
    "aws_cognito_region": "eu-central-1",
    "aws_user_pools_id": "eu-central-1_mTK868686",
    "aws_user_pools_web_client_id": "7il2ujdhd41cng1cng1cng1cng",
    "oauth": {},
    "federationTarget": "COGNITO_IDENTITY_POOLS",
    "aws_cloud_logic_custom": [
        {
            "name": "AdminQueries",
            "endpoint": "https://fakeid.execute-api.eu-central-1.amazonaws.com/devgca",
            "region": "eu-central-1"
        },
        // ....other rest apis
    ],
    "aws_appsync_graphqlEndpoint": "https://fakeid.appsync-api.eu-central-1.amazonaws.com/graphql",
    "aws_appsync_region": "eu-central-1",
    "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",
    "aws_mobile_analytics_app_id": "6ccc310d910d910d910d910d910d910d",
    "aws_mobile_analytics_app_region": "eu-central-1",
    "aws_user_files_s3_bucket": "7976da3c2209cf6940b79767976797627976154316-devgca",
    "aws_user_files_s3_bucket_region": "eu-central-1"
};
```

giorgiocarniel commented 3 years ago

I think the fact that I also have the storage module on my Amplify app somehow interferes with this error. The IAM role shown on the error (eu-central-1_mTK86ikIv-UsersGroupRole) has just one policy attached, that is the one created by the storage module.

I'm still unable to find a solution for this problem through Amplify...

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 3 years ago

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

giorgiocarniel commented 3 years ago

It's not closed

cwomack commented 1 year ago

Hey @giorgiocarniel, apologies for how long it's taken for us to get you a response on this issue. Given the time elapsed since you opened this, were you able to resolve the issue?

If not, that error message usually means that the IAM role doesn't have the proper permissions for the mobiletargeting:PutEvents and mobiletargeting:UpdateEndpoint actions. Can you check your auth and unauth roles for your app within IAM and see if they have proper PutEvents permissions?

An example of the policy's JSON format (with your ARNs and resources included) can be found within the Pinpoint console for your app. If you click on the left panel under Settings > Web app analytics > "To integrate the AWS Amplify Library into your web apps" you'll see some links to documentation and a sample policy you can give to your role missing the permissions.
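
The check suggested above can be run offline against the policy documents attached to the group role. This is an added example, not code from the thread or from the Amplify project: `missingPinpointActions`, the account id, the app id, the bucket name and both policy documents are constructed, and the per-action resource suffixes are an assumption to confirm against your own app's ARNs.

```javascript
// Added example; every ARN, account id and policy below is constructed.
// Resource each required action is checked against, relative to the app ARN
// (assumption: Pinpoint's documented resource formats; confirm for your app).
const REQUIRED = {
  "mobiletargeting:PutEvents": "/events",
  "mobiletargeting:UpdateEndpoint": "/endpoints/example-endpoint-id",
};

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcards: "*" matches any run of characters, "?" exactly one.
function iamMatch(pattern, value, ignoreCase) {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

// Returns the required actions the policy documents do NOT allow for the app.
// An explicit Deny overrides any Allow. Condition, NotAction and NotResource
// are not evaluated (assumption: the role's policies do not use them).
function missingPinpointActions(policyDocs, appArn) {
  const statements = policyDocs.flatMap((doc) => asArray(doc.Statement));
  const hits = (s, action, arn) =>
    asArray(s.Action).some((a) => iamMatch(a, action, true)) &&
    asArray(s.Resource).some((r) => iamMatch(r, arn, false));
  return Object.keys(REQUIRED).filter((action) => {
    const arn = appArn + REQUIRED[action];
    const denied = statements.some((s) => s.Effect === "Deny" && hits(s, action, arn));
    const allowed = statements.some((s) => s.Effect === "Allow" && hits(s, action, arn));
    return denied || !allowed;
  });
}

const APP_ARN = "arn:aws:mobiletargeting:eu-central-1:111122223333:apps/EXAMPLEAPPID";

// Group role as described in the thread: only a storage policy attached.
const storageOnlyPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"],
                Resource: "arn:aws:s3:::example-bucket/public/*" }],
};
// Statement scoped to this one app, to add to the group role.
const pinpointPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: Object.keys(REQUIRED), Resource: `${APP_ARN}*` }],
};

console.log(missingPinpointActions([storageOnlyPolicy], APP_ARN));
console.log(missingPinpointActions([storageOnlyPolicy, pinpointPolicy], APP_ARN));
```

Scoping the added statement to the single app ARN, rather than `*`, keeps the group role limited to the analytics app it actually reports to.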

cwomack commented 1 year ago

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!