AWS Cognito Bad Identity Pool Configuration

I am using the JavaScript API and trying to get the assigned Cognito identity ID:

    AWS.config.credentials.get(function(err) {
      if (!err) {
        console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
      }
    });

Why does this lead to a 400 error with the message below?

    {"__type":"InvalidIdentityPoolConfigurationException","message":"Invalid identity pool configuration. Check assigned IAM roles for this pool."}

I have IAM roles configured for authenticated and unauthenticated users.

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": [
          "mobileanalytics:PutEvents",
          "cognito-sync:*"
        ],
        "Effect": "Allow",
        "Resource": [
          "*"
        ]
      }]
    }
+15
amazon-web-services amazon-cognito amazon-javascript-sdk
6 answers

The most common cause of this error is that your roles are not configured to trust your identity pool. You must confirm that the identity pool ID specified in your trust relationship matches the identity pool that you are using.

For more information on trust in Amazon Cognito, see our developer guide.

+36

After some digging, I realized that you have to add RoleArn and AccountId to your credentials.

Despite the fact that most of the documentation presents this as sufficient:

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxxxx',
    });

This was not enough.

I had to do this:

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxx',
      RoleArn: 'arn:aws:iam::xxxxx:role/Cognito_xxxxUsersUnauth_Role',
      AccountId: 'xxxxxxxxx', // your AWS account ID
    });

You must specify the ARN of your role for your identity pool.

The only document that mentions this correctly is this.

Wrong:

Maybe I missed something, but this, of course, is confusing.

+22

Check the Trust Relationships section of the role assigned to your identity pool for authenticated users. Make sure you have policies that define access to your Cognito pool.

The easiest way to get the required policy statements:

  • Edit the pool
  • Create a new role for the identity pool
  • In IAM, edit this role and copy its policy statements
  • Add these trust statements to the existing role you need.
+3

I checked the trust relationships of my roles configured for Authenticated Roles and Non Authenticated Roles for my identity pool several times, but the error still occurred. Having studied the entire configuration of the identity pool, I realized that in

  • Authentication Providers
    • Cognito
      • Authenticated Role Selection

I selected "Select Role from Token" and my incorrectly configured role was the one that I assigned to the Cognito group for my users. Thus, updating the Trust for this role resolves the issue.

Hope this helps someone :)

0

I ran into this error, and my problem was that my user was given the unauthenticated role because I was returning `AWSTask(result: nil)` from the `logins()` function in my own CognitoDeveloperIdentityProvider.

0

In my case, I am using the SAML identity provider. The action in the IAM role policy should be `"Action": "sts:AssumeRoleWithSAML"`. But this was the root cause of the exception. I had to manually change it to `"Action": "sts:AssumeRoleWithWebIdentity"`. It turns out that any role created by the Cognito identity pool will use `"Action": "sts:AssumeRoleWithWebIdentity"`. It will not check your type of identity provider. I think this is a mistake.

0
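The role-side causes named across the answers above (a trust policy whose `aud` condition names a different identity pool, a role that does not trust the Cognito identity principal at all, and a trust statement whose action is `sts:AssumeRoleWithSAML` rather than `sts:AssumeRoleWithWebIdentity`) can all be checked offline against the role's trust document before the SDK call is retried. The following is an added example and not code from the question or from any of the answers: `lintTrustPolicy` is a hypothetical helper, not part of the AWS SDK, and the pool ID and sample trust documents are constructed placeholders. It also flags a trust policy with no `aud` condition at all, since such a role can be assumed through any identity pool in any account.

```javascript
// Added example (not from the original question or answers): an offline lint for the
// trust policy of an IAM role that an Amazon Cognito identity pool hands out.
// Pool IDs and trust documents below are constructed placeholders.

const COGNITO_PRINCIPAL = 'cognito-identity.amazonaws.com';
const REQUIRED_ACTION = 'sts:AssumeRoleWithWebIdentity';
const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // constructed

function asArray(v) { return v === undefined ? [] : Array.isArray(v) ? v : [v]; }

// Returns a list of findings; an empty list means the pool can assume this role.
// expectedAmr is 'authenticated' or 'unauthenticated', matching the pool slot the role fills.
function lintTrustPolicy(trustPolicy, identityPoolId, expectedAmr) {
  const findings = [];
  const allow = asArray(trustPolicy.Statement).filter(s => s.Effect === 'Allow');
  if (allow.length === 0) { findings.push('no Allow statement'); return findings; }
  const matching = allow.filter(s => s.Principal && s.Principal.Federated === COGNITO_PRINCIPAL);
  if (matching.length === 0) {
    findings.push(`no statement trusts Principal.Federated ${COGNITO_PRINCIPAL}`);
    return findings;
  }
  for (const s of matching) {
    if (!asArray(s.Action).includes(REQUIRED_ACTION)) {
      findings.push(`Action is ${JSON.stringify(s.Action)}; identity pools call ${REQUIRED_ACTION}`);
    }
    const cond = s.Condition || {};
    const aud = asArray((cond.StringEquals || {})[`${COGNITO_PRINCIPAL}:aud`]);
    if (aud.length === 0) {
      findings.push(`no StringEquals condition on ${COGNITO_PRINCIPAL}:aud (any pool could assume this role)`);
    } else if (!aud.includes(identityPoolId)) {
      findings.push(`aud condition names ${aud.join(', ')} but the SDK is using ${identityPoolId}`);
    }
    const amr = asArray((cond['ForAnyValue:StringLike'] || {})[`${COGNITO_PRINCIPAL}:amr`]);
    if (expectedAmr && !amr.includes(expectedAmr)) {
      findings.push(`amr condition is ${JSON.stringify(amr)}; expected "${expectedAmr}"`);
    }
  }
  return findings;
}

// Constructed trust document in the shape the identity pool generates for an unauthenticated role.
const goodUnauthTrust = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: COGNITO_PRINCIPAL },
    Action: REQUIRED_ACTION,
    Condition: {
      StringEquals: { [`${COGNITO_PRINCIPAL}:aud`]: POOL_ID },
      'ForAnyValue:StringLike': { [`${COGNITO_PRINCIPAL}:amr`]: 'unauthenticated' },
    },
  }],
};

// Constructed: same role, but the action was written for a SAML provider (the last answer's case).
const samlTrust = JSON.parse(JSON.stringify(goodUnauthTrust));
samlTrust.Statement[0].Action = 'sts:AssumeRoleWithSAML';

// Constructed: role copied from another identity pool, so the aud no longer matches (first answer's case).
const otherPoolTrust = JSON.parse(JSON.stringify(goodUnauthTrust));
otherPoolTrust.Statement[0].Condition.StringEquals[`${COGNITO_PRINCIPAL}:aud`] =
  'us-east-1:11111111-1111-1111-1111-111111111111';

// Constructed: trust statement with no conditions at all (over-broad, not just misconfigured).
const noAudTrust = JSON.parse(JSON.stringify(goodUnauthTrust));
delete noAudTrust.Statement[0].Condition;

for (const [name, policy] of Object.entries({ goodUnauthTrust, samlTrust, otherPoolTrust, noAudTrust })) {
  const findings = lintTrustPolicy(policy, POOL_ID, 'unauthenticated');
  console.log(`${name}: ${findings.length === 0 ? 'OK' : findings.join('; ')}`);
}
```

To use this against a real role, paste the JSON from the role's Trust Relationships tab in the IAM console in place of one of the constructed documents and pass the `IdentityPoolId` the SDK is configured with; a clean result rules out the trust policy and points the investigation at the role assignment inside the pool (the "Select Role from Token" case in the fourth answer) or at the credentials the client is returning.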
