localstack / aws-cdk-local

Thin wrapper script for using the AWS CDK CLI with LocalStack
Apache License 2.0

Cognito stack fails for Default Authenticated role for Identity Pool #86

Closed Nikola-Milovic closed 1 year ago

Nikola-Milovic commented 1 year ago

Hello everyone, I am running a trial pro version of localstack, and I would mostly like to use it with CDK. I tried to set up a basic Cognito auth stack but it fails on deployment without any tangible information.

 ❌  AuthStack failed: Error: The stack named AuthStack failed to deploy: CREATE_FAILED (Deployment failed)
    at FullCloudFormationDeployment.monitorDeployment (/home/nikola/.nvm/versions/node/v18.16.0/lib/node_modules/aws-cdk/lib/index.js:426:10236)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/home/nikola/.nvm/versions/node/v18.16.0/lib/node_modules/aws-cdk/lib/index.js:429:153380)
    at async /home/nikola/.nvm/versions/node/v18.16.0/lib/node_modules/aws-cdk/lib/index.js:429:137002

I tried deploying to AWS itself and it works as expected.

I created a (hopefully) reproducible demo with a README and more information

My presumption is that something I am using is not supported fully, but not sure what

From the debug output

localstack_main  | 2023-08-16T18:17:47.292 DEBUG --- [uncthread118] l.s.c.e.template_deployer  : Request for resource type "AWS::Cognito::IdentityPool" in region eu-central-1: create_identity_pool {'AllowUnauthenticatedIdentities': False, 'CognitoIdentityProviders': [{'ClientId': 'j0wdbrm483heaohy3xf5gdoe7d', 'ProviderName': 'cognito-idp.eu-central-1.localhost.localstack.cloud/eu-central-1_d351c03fe17d4de29415618e6d992669', 'ServerSideTokenCheck': True}], 'IdentityPoolName': 'TenantIdentityPoolE1470838-cf0f97a1'}
localstack_main  | 2023-08-16T18:17:47.317 DEBUG --- [uncthread118] l.s.c.e.template_deployer  : Extract resource attribute: AWS::Cognito::IdentityPool PhysicalResourceId
localstack_main  | 2023-08-16T18:17:47.433 DEBUG --- [uncthread118] l.s.c.e.template_deployer  : Extract resource attribute: AWS::Cognito::IdentityPool Name
localstack_main  | 2023-08-16T18:17:47.434  WARN --- [uncthread118] l.s.c.e.template_deployer  : Unable to extract reference attribute "Name" from resource: {'IdentityPoolId': 'eu-central-1:3aaa944f-7546-4f35-a1b3-9c2526aa739a', 'IdentityPoolName': 'TenantIdentityPoolE1470838-cf0f97a1'} {'Type': 'AWS::Cognito::IdentityPool', 'DependsOn': ['TenantUserPool3CC661A0', 'WebTenantUserPoolClient3DA4FA54'], 'Metadata': {'aws:cdk:path': 'AuthStack/TenantIdentityPool/Resource'}, 'LogicalResourceId': 'TenantIdentityPoolE1470838', 'Properties': {'AllowUnauthenticatedIdentities': False, 'CognitoIdentityProviders': [{'ClientId': 'j0wdbrm483heaohy3xf5gdoe7d', 'ProviderName': 'cognito-idp.eu-central-1.localhost.localstack.cloud/eu-central-1_d351c03fe17d4de29415618e6d992669', 'ServerSideTokenCheck': True}], 'IdentityPoolName': 'TenantIdentityPoolE1470838-cf0f97a1'}, '_state_': {'IdentityPoolId': 'eu-central-1:3aaa944f-7546-4f35-a1b3-9c2526aa739a', 'IdentityPoolName': 'TenantIdentityPoolE1470838-cf0f97a1'}, 'PhysicalResourceId': 'eu-central-1:3aaa944f-7546-4f35-a1b3-9c2526aa739a'}
localstack_main  | 2023-08-16T18:17:47.435 DEBUG --- [uncthread118] l.s.c.e.template_deployer  : Error applying changes for CloudFormation stack "AuthStack": Cannot resolve CF fn::Join {'Fn::Join': ['', ['Default Authenticated Role for Identity Pool ',{'Fn::GetAtt': ['TenantIdentityPoolE1470838', 'Name']}]]} due to null values: ['Default Authenticated Role for Identity Pool ', None] Traceback (most recent call last):
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 1336, in _run
localstack_main  |     self.do_apply_changes_in_loop(changes, stack)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 1385, in do_apply_changes_in_loop
localstack_main  |     should_deploy = self.prepare_should_deploy_change(
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 1454, in prepare_should_deploy_change
localstack_main  |     resolve_refs_recursively(stack, resource)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack_ext/services/cloudformation/cloudformation_extended.py.enc", line 34, in resolve_refs_recursively
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 348, in resolve_refs_recursively
localstack_main  |     result = _resolve_refs_recursively(stack, value)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 547, in _resolve_refs_recursively
localstack_main  |     value[key] = resolve_refs_recursively(stack, val)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack_ext/services/cloudformation/cloudformation_extended.py.enc", line 34, in resolve_refs_recursively
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 348, in resolve_refs_recursively
localstack_main  |     result = _resolve_refs_recursively(stack, value)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 547, in _resolve_refs_recursively
localstack_main  |     value[key] = resolve_refs_recursively(stack, val)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack_ext/services/cloudformation/cloudformation_extended.py.enc", line 34, in resolve_refs_recursively
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 348, in resolve_refs_recursively
localstack_main  |     result = _resolve_refs_recursively(stack, value)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/utils/functions.py", line 80, in func
localstack_main  |     return wrapped(*args, **kwargs)
localstack_main  |   File "/opt/code/localstack/.venv/lib/python3.10/site-packages/localstack/services/cloudformation/engine/template_deployer.py", line 444, in _resolve_refs_recursively
localstack_main  |     raise Exception(
localstack_main  | Exception: Cannot resolve CF fn::Join {'Fn::Join': ['', ['Default Authenticated Role for Identity Pool ', {'Fn::GetAtt': ['TenantIdentityPoolE1470838', 'Name']}]]} due to null values: ['Default Authenticated Role for Identity Pool ',None]
localstack_main  |
localstack_main  |
localstack_main  | 2023-08-16T18:17:47.517  WARN --- [   asgi_gw_0] localstack.aws.accounts    : Ignoring production AWS credentials provided to LocalStack. Falling back to default account ID.
localstack_main  | 2023-08-16T18:17:47.524  INFO --- [   asgi_gw_0] localstack.request.aws     : AWS cloudformation.DescribeStackEvents => 200
localstack_main  | 2023-08-16T18:17:49.567  WARN --- [   asgi_gw_0] localstack.aws.accounts    : Ignoring production AWS credentials provided to LocalStack. Falling back to default account ID.
localstack_main  | 2023-08-16T18:17:49.574  INFO --- [   asgi_gw_0] localstack.request.aws     : AWS cloudformation.DescribeStackEvents => 200
localstack_main  | 2023-08-16T18:17:50.533  WARN --- [   asgi_gw_1] localstack.aws.accounts    : Ignoring production AWS credentials provided to LocalStack. Falling back to default account ID.
localstack_main  | 2023-08-16T18:17:50.537  INFO --- [   asgi_gw_1] localstack.request.aws     : AWS cloudformation.DescribeStacks => 200
localstack_main  | 2023-08-16T18:17:50.546  WARN --- [   asgi_gw_0] localstack.aws.accounts    : Ignoring production AWS credentials provided to LocalStack. Falling back to default account ID.
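
The failure in the debug log above can be reproduced in isolation. This is an added example, not code from the thread or from LocalStack: a minimal resolver for `Fn::GetAtt` and `Fn::Join` run over the resource state and the role description expression copied from the log. The `ATTRIBUTE_MAP` table and all function names are assumptions made for illustration; it is not a description of how LocalStack fixed the issue.

```python
# Constructed from the debug log above: deployed state of the identity pool.
STATE = {
    "TenantIdentityPoolE1470838": {
        "Type": "AWS::Cognito::IdentityPool",
        "IdentityPoolId": "eu-central-1:3aaa944f-7546-4f35-a1b3-9c2526aa739a",
        "IdentityPoolName": "TenantIdentityPoolE1470838-cf0f97a1",
    }
}
# The IAM role description expression that the log reports as unresolvable.
DESCRIPTION = {"Fn::Join": ["", ["Default Authenticated Role for Identity Pool ",
                                 {"Fn::GetAtt": ["TenantIdentityPoolE1470838", "Name"]}]]}
# Assumption: CloudFormation attribute name -> key holding it in the resource state.
ATTRIBUTE_MAP = {"AWS::Cognito::IdentityPool": {"Name": "IdentityPoolName"}}


def get_att(state, logical_id, attr, attr_map):
    """Look up an attribute; returns None when it cannot be extracted."""
    resource = state.get(logical_id, {})
    key = attr_map.get(resource.get("Type"), {}).get(attr, attr)
    return resource.get(key)


def resolve(value, state, attr_map):
    """Recursively resolve Fn::GetAtt and Fn::Join inside a template value."""
    if isinstance(value, list):
        return [resolve(v, state, attr_map) for v in value]
    if not isinstance(value, dict):
        return value
    if "Fn::GetAtt" in value:
        logical_id, attr = value["Fn::GetAtt"]
        return get_att(state, logical_id, attr, attr_map)
    if "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        parts = resolve(parts, state, attr_map)
        if any(p is None for p in parts):  # same condition the log reports
            raise ValueError(f"Cannot resolve Fn::Join due to null values: {parts}")
        return sep.join(str(p) for p in parts)
    return {k: resolve(v, state, attr_map) for k, v in value.items()}


def try_resolve(expr, attr_map):
    """Resolve against STATE, returning the error text instead of raising."""
    try:
        return resolve(expr, STATE, attr_map)
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(try_resolve(DESCRIPTION, {}))             # no mapping: fails like the log
    print(try_resolve(DESCRIPTION, ATTRIBUTE_MAP))  # mapping present: resolves
```

Without a mapping for `Name`, the lookup returns `None` and the join fails with the same null-value list shown in the log; with it, the description resolves to the pool name.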

whummer commented 1 year ago

Hi @Nikola-Milovic, thanks for providing the reproducible sample.

We just gave this a try, and it seems that it works with the latest version of LocalStack:

$ cdklocal bootstrap
...
$ cdklocal deploy
...
AuthStack: creating CloudFormation changeset...

 ✅  AuthStack

✨  Deployment time: 5.07s

Outputs:
...
$ awslocal iam list-roles | grep 'Default Authenticated'
            "Description": "Default Authenticated Role for Identity Pool TenantIdentityPoolE1470838-e3b7e177",

There have been a couple of enhancements in our CloudFormation implementation recently. When you get a chance, can you please try pulling the latest Docker image and give it another try? Thanks for your help!

Nikola-Milovic commented 1 year ago

@whummer Seems to be fixed, just tried to add identity pool and it works as expected, thanks!

This issue can be closed as well probably

https://github.com/localstack/localstack/issues/8933#issuecomment-1682867912

whummer commented 1 year ago

Awesome, glad to hear that. Please keep us posted if there are any other questions or issues. 👍