Open kristianhalte opened 9 months ago
Thanks for the detailed description of this issue, and for posting a workaround.
I was curious to look into this further because I'm honestly not familiar with Cognito personally, and I'm getting a different error when using this code snippet:
```ts
// Import added for completeness; the constructs come from the alpha identity pool module.
import { IdentityPool, IdentityPoolProviderUrl } from '@aws-cdk/aws-cognito-identitypool-alpha';

const identityPool = new IdentityPool(stack, 'identity-pool', {
  allowUnauthenticatedIdentities: false,
  authenticationProviders: {
    google: {
      clientId: '12345678012.apps.googleusercontent.com',
    },
  },
});

// Adds a second role attachment to the same pool.
identityPool.addRoleMappings({
  providerUrl: IdentityPoolProviderUrl.GOOGLE,
  rules: [
    {
      claim: 'sub',
      claimValue: '12345678012',
      mappedRole: identityPool.authenticatedRole,
    },
  ],
});
```
```text
us-east-1:5a7d74f5-93d8-4586-b59c-8f2a25d9f696 already exists in stack arn:aws:cloudformation:us-east-1:676158502875:stack/TagVisitStack/5e666910-63be-11ee-b122-124bf6bff145
```
Could you help me understand why the CloudFormation template generated by this snippet is failing in the first place?
Hi Peter,
Thanks for looking into this.
I get the same error message, which I should have probably posted in the first place.
In fact, if you look at your CloudFormation console, you should see two error messages.
First, the one you posted, with the Logical ID `identitypoolRoleMappingAttachmentXXXXXXXXX` and Status `CREATE_FAILED`:

```text
us-east-1:5a7d74f5-93d8-4586-b59c-8f2a25d9f696 already exists in stack arn:aws:cloudformation:us-east-1:676158502875:stack/TagVisitStack/5e666910-63be-11ee-b122-124bf6bff145
```
> [!NOTE]
> I think the reason we see the `identityPoolId` in this error message is because that's the return value of an `AWS::Cognito::IdentityPoolRoleAttachment`. So it's not the actual `AWS::Cognito::IdentityPool` that already exists, but the `AWS::Cognito::IdentityPoolRoleAttachment` (I think).
>
> From the `AWS::Cognito::IdentityPoolRoleAttachment` official docs: "When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `IdentityPoolId`, such as `us-east-2:0d01f4d7-1305-4408-b437-12345EXAMPLE`."
And the second error, which I originally posted, with the Logical ID `TagVisitStack` and Status `UPDATE_ROLLBACK_IN_PROGRESS`:

```text
The following resource(s) failed to create: [identitypoolRoleMappingAttachmentXXXXXXXXX]. The following resource(s) failed to update: [identitypoolDefaultRoleAttachmentYYYYYYYY].
```
I believe `addRoleMappings()` is failing because it wants to create a new `AWS::Cognito::IdentityPoolRoleAttachment` (the one named `identitypoolRoleMappingAttachmentXXXXXXXXX`), instead of updating the existing `identitypoolDefaultRoleAttachmentYYYYYYYY` (which was created during the initiation of `new IdentityPool()`).

I don't know enough about `AWS::Cognito::IdentityPoolRoleAttachment` to say this for sure, but it seems like it's not possible to associate more than one of them with an `AWS::Cognito::IdentityPool`.
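One way to catch this shape of failure before `cdk deploy`, as an added example that is not part of the thread or the CDK project: lint the synthesized CloudFormation template and flag any identity pool referenced by more than one `AWS::Cognito::IdentityPoolRoleAttachment`. The template below is constructed to mirror the two attachment logical IDs named above.

```typescript
// Added example: pre-deploy lint for duplicate IdentityPoolRoleAttachment resources.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// Normalise the IdentityPoolId property to a comparable key, whether it is a
// literal pool id or an intrinsic { Ref: 'pool' } / { 'Fn::GetAtt': ['pool', ...] }.
function poolKey(value: unknown): string {
  if (typeof value === 'string') return value;
  if (value && typeof value === 'object') {
    const v = value as Record<string, unknown>;
    if (typeof v.Ref === 'string') return v.Ref;
    const getAtt = v['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') return getAtt[0];
  }
  return JSON.stringify(value);
}

// Map each pool key to the logical ids of attachments that target it, and
// return only the pools with more than one attachment (the failing case).
function duplicateRoleAttachments(t: CfnTemplate): Record<string, string[]> {
  const byPool: Record<string, string[]> = {};
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (res.Type !== 'AWS::Cognito::IdentityPoolRoleAttachment') continue;
    const key = poolKey(res.Properties ? res.Properties.IdentityPoolId : undefined);
    if (!byPool[key]) byPool[key] = [];
    byPool[key].push(id);
  }
  const dup: Record<string, string[]> = {};
  for (const key of Object.keys(byPool)) {
    if (byPool[key].length > 1) dup[key] = byPool[key];
  }
  return dup;
}

// Constructed sample template: one pool, two attachments, as in the failed stack.
const sampleTemplate: CfnTemplate = {
  Resources: {
    identitypool: { Type: 'AWS::Cognito::IdentityPool', Properties: { AllowUnauthenticatedIdentities: false } },
    identitypoolDefaultRoleAttachmentYYYYYYYY: {
      Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
      Properties: { IdentityPoolId: { Ref: 'identitypool' } },
    },
    identitypoolRoleMappingAttachmentXXXXXXXXX: {
      Type: 'AWS::Cognito::IdentityPoolRoleAttachment',
      Properties: { IdentityPoolId: { Ref: 'identitypool' }, RoleMappings: {} },
    },
  },
};

const findings = duplicateRoleAttachments(sampleTemplate);
for (const pool of Object.keys(findings)) {
  console.log(`identity pool ${pool} has ${findings[pool].length} role attachments: ${findings[pool].join(', ')}`);
}
```

Run it against the output of `cdk synth` (the JSON under `cdk.out/`) to see the duplicate before CloudFormation rejects it.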
### Describe the bug

I am trying to configure an `IdentityPool` with `google` as an `authenticationProviders` and add some custom `rules` through `roleMappings`.

It's neither possible directly through the initiation of the `IdentityPool`, nor later through the `addRoleMappings()` method.

### Expected Behavior

To be able to add custom `rules` to the default roles during initiation of the `IdentityPool`, or add them later with the `addRoleMappings()` method.

### Current Behavior

Getting errors that the `DefaultRoleAttachment` failed to update, so it can't create a new one.

### Reproduction Steps
Since this isn't possible
I instead tried this
### Possible Solution

I don't have a technical solution to solve this, but I managed to get it working in a not so pretty way.

This approach works, but it's not very intuitive and it does have two undesirable outcomes:

`adminRole`) when we could have just used the default `AuthenticatedRole`