aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::Cognito::UserPool - MfaConfiguration-Support for TOTP without SetUserPoolMfaConfig #769

Closed ankon closed 2 years ago

ankon commented 3 years ago

Scope of request

AWS::Cognito::UserPool-MfaConfiguration assumes phone/SMS validation; it is not possible to configure a user pool with TOTP validation.

Expected behavior

I expected to be able to set MfaConfiguration to OPTIONAL, EnabledMfas to SOFTWARE_TOKEN_MFA and AutoVerifiedAttributes to include email, and then have the user pool allow for enabling TOTP MFA.

Suggest specific test cases

    UserPool:
      Type: AWS::Cognito::UserPool
      Condition: CreateUserPool
      Properties:
        AutoVerifiedAttributes:
          - email
        MfaConfiguration: OPTIONAL
        EnabledMfas:
          - SOFTWARE_TOKEN_MFA
        Schema:
          - Name: email
            AttributeDataType: String
            Mutable: true
            Required: true

Right now this gives `SMS configuration and Auto verification for phone_number are required when MFA is required/optional.`

Helpful Links to speed up research and evaluation

Seems to be confirmed "missing feature" by AWS at https://github.com/aws/aws-cli/issues/3876#issuecomment-456998093.

pb0101 commented 2 years ago

Thank you for identifying and submitting this issue. We have addressed this issue in our CloudFormation templates, so user pools can now be created with TOTP as the only MFA enabled.

mousedownmike commented 1 year ago

In case anyone gets here and thinks there may be a regression... I was getting this error while updating my templates because I still had a SmsConfiguration block in my resource definition.

    UserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        AutoVerifiedAttributes:
          - email
        MfaConfiguration: OPTIONAL
        EnabledMfas:
          - SOFTWARE_TOKEN_MFA
        Schema:
          - Name: email
            AttributeDataType: String
            Mutable: true
            Required: true
        # These were the ones that threw the error....
        SmsConfiguration:
          SnsCallerArn: !GetAtt SmsRole.Arn
          ExternalId: !Ref smsExternalId
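The two template fragments in this thread (the TOTP-only pool from the original request and the same pool with a leftover `SmsConfiguration` block) as an added lint check; this is example code written for this page, not part of the issue or of any AWS tooling. It assumes the template is already loaded into JSON-style dicts, so `!GetAtt` and `!Ref` appear in their `Fn::GetAtt` / `Ref` forms, and the sample resources below are constructed here.

```python
# Added lint for the MFA settings of an AWS::Cognito::UserPool resource (not from
# the thread); sample templates are constructed, in JSON-style dict form.
def lint_user_pool_mfa(resource):
    """Return findings (strings) for one AWS::Cognito::UserPool resource."""
    props = resource.get("Properties", {})
    mfa = props.get("MfaConfiguration", "OFF")
    enabled = set(props.get("EnabledMfas", []))
    auto_verified = set(props.get("AutoVerifiedAttributes", []))
    has_sms = "SmsConfiguration" in props
    findings = []
    if mfa == "OFF":
        if enabled:
            findings.append("EnabledMfas set while MfaConfiguration is OFF")
        return findings
    if not enabled:
        findings.append("MfaConfiguration is %s but EnabledMfas is empty" % mfa)
    if "SMS_MFA" in enabled:
        # SMS as a second factor needs a delivery role and a verified number.
        if not has_sms:
            findings.append("SMS_MFA enabled but SmsConfiguration is missing")
        if "phone_number" not in auto_verified:
            findings.append("SMS_MFA enabled but phone_number not auto-verified")
    if enabled == {"SOFTWARE_TOKEN_MFA"} and has_sms:
        # The leftover block reported in the thread: TOTP-only pool + SMS config.
        findings.append("TOTP-only pool still carries an SmsConfiguration block")
    return findings

def lint_template(template):
    return {name: lint_user_pool_mfa(res)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::Cognito::UserPool"}

# Constructed samples: the TOTP-only pool, and the same pool with SmsConfiguration left in.
TOTP_ONLY = {"Type": "AWS::Cognito::UserPool", "Properties": {
    "AutoVerifiedAttributes": ["email"], "MfaConfiguration": "OPTIONAL",
    "EnabledMfas": ["SOFTWARE_TOKEN_MFA"],
    "Schema": [{"Name": "email", "AttributeDataType": "String",
                "Mutable": True, "Required": True}]}}
LEFTOVER_SMS = {"Type": "AWS::Cognito::UserPool", "Properties": dict(
    TOTP_ONLY["Properties"], SmsConfiguration={
        "SnsCallerArn": {"Fn::GetAtt": ["SmsRole", "Arn"]},
        "ExternalId": {"Ref": "smsExternalId"}})}
SAMPLE_TEMPLATE = {"Resources": {"UserPool": TOTP_ONLY, "OldPool": LEFTOVER_SMS}}

if __name__ == "__main__":
    for name, found in lint_template(SAMPLE_TEMPLATE).items():
        print(name, found or "ok")
```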