aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-cognito: Invalid write attribute for client #20760

Open jbhammon opened 2 years ago

jbhammon commented 2 years ago

Describe the bug

Creating a writeable custom attribute on a User Pool Client results in an error when deploying.

Expected Behavior

Custom attributes are able to be made writeable in User Pool Clients just like standard attributes are.

Current Behavior

Error output from deploy command:

8:37:09 AM | CREATE_FAILED        | AWS::Cognito::UserPoolClient             | LocalUserPoolEncoreClientD9A7741D
Invalid write attributes specified while creating a client (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: ef50ac13-2935-4fc2-91e4-216daad7f183; Proxy: null)

 ❌  EncoreStack-local failed: Error: The stack named EncoreStack-local failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Invalid write attributes specified while creating a client (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: ef50ac13-2935-4fc2-91e4-216daad7f183; Proxy: null)
    at prepareAndExecuteChangeSet (/Users/jackson/dev/enc-perf-web/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:385:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at CdkToolkit.deploy (/Users/jackson/dev/enc-perf-web/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:209:24)
    at initCommandLine (/Users/jackson/dev/enc-perf-web/cdk/node_modules/aws-cdk/lib/cli.ts:341:12)

The stack named EncoreStack-local failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Invalid write attributes specified while creating a client (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: ef50ac13-2935-4fc2-91e4-216daad7f183; Proxy: null)

Reproduction Steps

Create an instance of this class as part of a Stack

import { Construct } from "constructs";
import * as cognito from "aws-cdk-lib/aws-cognito";

// Props interface is not shown in the original report; an empty one is assumed so the class compiles.
export interface EncoreUserPoolProps {}

export class EncoreUserPool extends Construct {
  readonly userPool: cognito.UserPool;
  readonly userPoolClient: cognito.UserPoolClient;

  constructor(scope: Construct, id: string, props: EncoreUserPoolProps) {
    super(scope, id);

    this.userPool = new cognito.UserPool(this, "UserPool", {
      // ...rest
      standardAttributes: {
        email: { required: true, mutable: true },
      },
      customAttributes: {
        existsInDjango: new cognito.StringAttribute({ mutable: true }),
      },
    });

    // source of the error: the custom attribute is made writable, but the
    // required standard attribute "email" is not in the client's write set
    const clientWriteAttributes = new cognito.ClientAttributes().withCustomAttributes("existsInDjango");

    const clientReadAttributes = clientWriteAttributes.withStandardAttributes({
      // some standard attributes here
    });

    this.userPoolClient = this.userPool.addClient("ClientPool", {
      // ...rest
      readAttributes: clientReadAttributes,
      writeAttributes: clientWriteAttributes,
    });
  }
}

Possible Solution

No response

Additional Information/Context

The User Pool is being created no problem; the issue arises from trying to make the existsInDjango custom attribute writeable. The stack deploys just fine when that line is not included.

CDK CLI Version

2.28.0

Framework Version

aws-cdk@2.28.0

Node.js Version

16.13.1

OS

macOS 12.4

Language

Typescript

Language Version

typescript@3.9.10

Other information

No response

corymhall commented 2 years ago

@jbhammon it looks like this may be because you are specifying a required mutable standard attribute when creating the user pool, but it isn't included in the client write attributes. Can you try

const clientWriteAttributes = new cognito.ClientAttributes().withCustomAttributes("existsInDjango").withStandardAttributes({ email: true });

jbhammon commented 2 years ago

Ah, thanks, seems like that did the trick.

I'd like to propose a change to the CDK docs to make note of this:

specifying a required mutable standard attribute when creating the user pool

Should I open a new issue to track that, or make note of it here somehow?

peterwoodworth commented 2 years ago

@jbhammon we can use this issue to track the docs fix. If you'd like to see this fixed soon I recommend checking out our contributing guide and opening a PR!

jbhammon commented 2 years ago

Awesome, will do soon, thanks!

felixelgato92 commented 1 year ago

In case this helps anyone, I had a custom attribute "name". I didn't notice it already existed in the standard cognito attributes (I thought it only used givenName and familyName). This error message could be more helpful if it included which attribute is the one causing the issue.

cchanche commented 8 months ago

From the Cognito docs:

In the app client settings for your application, the mapped attributes [from the user-pool] must be writable.

@jbhammon's issue was resolved not because his mapped email attribute was required & mutable, but simply because it existed in the pool's standard attributes and was not specified as writable in his client config.

You could also see this when navigating Attribute read and write permissions in the AWS console and looking at the disabled checkboxes: enabled & disabled checkboxes in the write column should relate to mapped standard attributes from the user pool.

Hope it helps :pray:
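
The rule that corymhall's reply and cchanche's comment describe (a standard attribute the User Pool requires must also be in the app client's write attributes), plus the name collision felixelgato92 ran into, can be checked before `cdk deploy` so the failure surfaces with the attribute name instead of the opaque InvalidParameterException. The following is an added example, not code from the aws-cdk project or from anyone in this thread. It deliberately uses plain data rather than `aws-cdk-lib` types so it runs stand-alone: attribute names are the Cognito API names that end up in the template (`email`, `given_name`, `custom:existsInDjango`), and the `PoolAttributes` shape, the function name `checkClientWriteAttributes` and the sample inputs are all assumptions constructed to mirror the report.

```typescript
// Added example (not aws-cdk project code). Models the write-attribute
// consistency rule this issue thread describes, over plain data.

interface StandardAttributeSpec {
  required?: boolean;
  mutable?: boolean;
}

// Assumed input shape, loosely mirroring UserPoolProps.standardAttributes /
// customAttributes but keyed by Cognito API names.
export interface PoolAttributes {
  standard: Record<string, StandardAttributeSpec>; // e.g. { email: { required: true } }
  custom: string[]; // custom attribute names without the "custom:" prefix
}

export interface CheckResult {
  ok: boolean;
  problems: string[];
}

// Standard attributes every Cognito User Pool has. "sub" is left out because
// it is never writable by a client.
export const COGNITO_STANDARD_ATTRIBUTES: ReadonlySet<string> = new Set([
  "address", "birthdate", "email", "family_name", "gender", "given_name",
  "locale", "middle_name", "name", "nickname", "phone_number", "picture",
  "preferred_username", "profile", "updated_at", "website", "zoneinfo",
]);

// clientWrite is the flat list the app client declares as write attributes,
// e.g. ["email", "custom:existsInDjango"]; custom ones carry the "custom:" prefix.
export function checkClientWriteAttributes(pool: PoolAttributes, clientWrite: string[]): CheckResult {
  const problems: string[] = [];
  const write = new Set(clientWrite);
  const declaredCustom = new Set(pool.custom);

  // 1. A custom attribute must not shadow a standard one (felixelgato92's "name" case).
  for (const name of pool.custom) {
    if (COGNITO_STANDARD_ATTRIBUTES.has(name)) {
      problems.push(`custom attribute "${name}" collides with the standard attribute of the same name`);
    }
  }

  // 2. A required standard attribute must be writable through the client
  //    (the condition corymhall's fix addresses).
  for (const [name, spec] of Object.entries(pool.standard)) {
    if (spec.required && !write.has(name)) {
      problems.push(`required standard attribute "${name}" is missing from the client's write attributes`);
    }
  }

  // 3. Every write attribute must refer to something the pool actually has.
  for (const attr of clientWrite) {
    if (attr.startsWith("custom:")) {
      const name = attr.slice("custom:".length);
      if (!declaredCustom.has(name)) {
        problems.push(`write attribute "${attr}" refers to a custom attribute the pool does not declare`);
      }
    } else if (!COGNITO_STANDARD_ATTRIBUTES.has(attr)) {
      problems.push(`write attribute "${attr}" is not a Cognito standard attribute`);
    }
  }

  return { ok: problems.length === 0, problems };
}

// Constructed inputs mirroring the report: email is required and mutable in
// the pool, and the client at first writes only the custom attribute.
export const REPORTED_POOL: PoolAttributes = {
  standard: { email: { required: true, mutable: true } },
  custom: ["existsInDjango"],
};
export const REPORTED_WRITE: string[] = ["custom:existsInDjango"];
export const FIXED_WRITE: string[] = ["custom:existsInDjango", "email"];
```

Run `checkClientWriteAttributes(REPORTED_POOL, REPORTED_WRITE)` and it reports the missing `email` write permission; with `FIXED_WRITE` (the shape of corymhall's corrected `ClientAttributes`) it returns `ok: true`. In a CDK project the natural place for this is a unit test that feeds it the same values the construct passes to `UserPool` and `addClient`, so a template that Cognito would reject never reaches a deploy.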