amplify-cli: Adding social sign-on to preexisting cognito pool fails

Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

v12.9.0

Amplify CLI Version

4.51.2

What operating system are you using?

Mac

Amplify Categories

auth

Amplify Commands

push

Describe the bug

Hi there,

Our team is currently blocked on adding social sign-on to our backend, which has a preexisting Cognito pool.

Amplify CLI version: 4.51.2

Stack Trace from CloudWatch log:

2021-05-24T04:20:59.370Z 411e5301-4f6e-4cef-afc9-f1711cfc969a INFO NotAuthorizedException: Error calling iam:PutRolePolicy API. Make sure credentials calling the API allow 'cognito-idp.amazonaws.com' to call this API.
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)

The IAM policy for the account configured with Amplify is the same as described here: https://docs.amplify.aws/cli/usage/iam, which includes iam:PutRolePolicy.

Seeing error:

CREATE_IN_PROGRESS OAuthCustomResourceInputs Custom::LambdaCallout Sun May 23 2021 21:21:00 GMT-0700 (Pacific Daylight Time) Resource creation Initiated
CREATE_FAILED      OAuthCustomResourceInputs Custom::LambdaCallout Sun May 23 2021 21:21:00 GMT-0700 (Pacific Daylight Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/05/24/[$LATEST]88f8d7204e8942cda2df860c793a2a47 (RequestId: 40a21d3a-eeb5-4ded-bf68-64c3c7efcd43)
⠼ Updating resources in the cloud. This may take a few minutes...

UPDATE_ROLLBACK_IN_PROGRESS xxx AWS::CloudFormation::Stack Sun May 23 2021 21:21:01 GMT-0700 (Pacific Daylight Time) The following resource(s) failed to create: [OAuthCustomResourceInputs].
⠋ Updating resources in the cloud. This may take a few minutes...

UPDATE_FAILED               xxx AWS::CloudFormation::Stack Sun May 23 2021 21:21:15 GMT-0700 (Pacific Daylight Time) Embedded stack xxx was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to create: [OAuthCustomResourceInputs].

Expected behavior

The push is successful and social sign-on is added as a feature to our cognito pool.

Reproduction steps

  1. Step through the CLI to add social sign-on by running amplify update auth
  2. run amplify push

GraphQL schema(s)

N/A

Log output

N/A

Additional information

N/A
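Two triage steps a practitioner would take on the report above, written up here as an added example (this is not code from the Amplify CLI, the issue, or its maintainers). First, the CREATE_FAILED event for the Custom::LambdaCallout resource names the CloudWatch log stream and RequestId of the Lambda invocation, so that stream (under the function's /aws/lambda/<function-name> log group, fetched with aws logs get-log-events) is where the NotAuthorizedException actually lives; the parser below pulls those fields out of the event text. Second, the report says the CLI profile's policy "includes iam:PutRolePolicy", but a custom resource is a Lambda and makes its calls under its own execution role, not under the developer's profile, so the question is whether the policy attached to the caller really grants iam:PutRolePolicy on the specific role ARN being modified. The evaluator below is a first-pass offline check of a policy document (Allow/Deny, wildcards, NotAction/NotResource); it ignores Condition blocks, permission boundaries, SCPs and resource policies, so the authoritative answer comes from aws iam simulate-principal-policy with --policy-source-arn, --action-names iam:PutRolePolicy and --resource-arns set to the role. The two policy documents, the account id 123456789012 and the role name are constructed for the example; only the stack event line is taken from the report.

```python
"""Offline triage helpers for an Amplify custom-resource CREATE_FAILED.

Added example, not Amplify CLI code.
  parse_custom_resource_failure(): extract the log stream and RequestId
      from a CloudFormation CREATE_FAILED event for a custom resource.
  evaluate(): first-pass IAM policy evaluation (explicit Deny wins,
      '*'/'?' wildcards, NotAction/NotResource). Conditions, permission
      boundaries, SCPs and resource policies are NOT modelled.
"""
import json
import re

# Stack event copied from the report above.
SAMPLE_EVENT = (
    "CREATE_FAILED      OAuthCustomResourceInputs Custom::LambdaCallout "
    "Sun May 23 2021 21:21:00 GMT-0700 (Pacific Daylight Time) Received "
    "response status [FAILED] from custom resource. Message returned: See the "
    "details in CloudWatch Log Stream: "
    "2021/05/24/[$LATEST]88f8d7204e8942cda2df860c793a2a47 "
    "(RequestId: 40a21d3a-eeb5-4ded-bf68-64c3c7efcd43)"
)

_FAILURE_RE = re.compile(
    r"CREATE_FAILED\s+(?P<logical_id>\S+)\s+(?P<type>\S+).*?"
    r"CloudWatch Log Stream:\s+(?P<log_stream>\S+)\s+"
    r"\(RequestId:\s+(?P<request_id>[^)]+)\)"
)


def parse_custom_resource_failure(event_line):
    """Return logical id, resource type, log stream and RequestId from a
    CREATE_FAILED custom-resource event, or None for any other line."""
    m = _FAILURE_RE.search(event_line)
    return m.groupdict() if m else None


# Constructed policy in the shape of the Amplify CLI policy linked in the
# report (broad Resource "*"); not copied from the docs.
AMPLIFY_STYLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["iam:PutRolePolicy", "iam:CreateRole", "cognito-idp:*"],
                "Resource": "*"}]}
""")

# Constructed least-privilege variant; hypothetical account id and role prefix.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "iam:PutRolePolicy",
                "Resource": "arn:aws:iam::123456789012:role/amplify-*"},
               {"Effect": "Deny", "Action": "iam:PutRolePolicy",
                "Resource": "arn:aws:iam::123456789012:role/amplify-admin-*"}]}
""")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, ignore_case):
    # IAM wildcards: only '*' and '?' are special; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _any_match(patterns, value, ignore_case):
    return any(_glob(p, ignore_case).match(value) for p in patterns)


def _statement_applies(stmt, action, resource):
    """Does this statement's Action/NotAction and Resource/NotResource cover
    the request? Actions match case-insensitively, resources case-sensitively."""
    if "Action" in stmt:
        action_ok = _any_match(_as_list(stmt["Action"]), action, True)
    elif "NotAction" in stmt:
        action_ok = not _any_match(_as_list(stmt["NotAction"]), action, True)
    else:
        return False
    if "Resource" in stmt:
        resource_ok = _any_match(_as_list(stmt["Resource"]), resource, False)
    elif "NotResource" in stmt:
        resource_ok = not _any_match(_as_list(stmt["NotResource"]), resource, False)
    else:
        return False
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one
    identity-based policy document. Explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def put_role_policy_decision(policy, role_arn):
    """The specific check behind the reported error."""
    return evaluate(policy, "iam:PutRolePolicy", role_arn)


if __name__ == "__main__":
    print(parse_custom_resource_failure(SAMPLE_EVENT))
    role = "arn:aws:iam::123456789012:role/amplify-cognito-oauth-role"  # hypothetical
    for name, policy in (("amplify-style", AMPLIFY_STYLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: iam:PutRolePolicy on {role} -> {put_role_policy_decision(policy, role)}")
```

The scoped policy is there to show the failure mode worth checking for: a statement that names iam:PutRolePolicy still yields ImplicitDeny when the target role's ARN does not match its Resource pattern, and an explicit Deny on an overlapping pattern wins even when an Allow also matches. Run the same question against the execution role of the custom-resource Lambda named in the log stream, not only against the CLI profile.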

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 38 (18 by maintainers)

Most upvoted comments

Hey @yannikw23 I’m still investigating the cause of the issue. Yes, I have received the necessary files, thank you for sending those over!

@yannikw23 no worries! I appreciate the information! I went back and set something up with 4.42, but now trying to use 4.2. I’ll report back shortly

Exact same cloud watch log I see as well!

@josefaidt, thanks a lot for your prompt response! I have an existing application with an existing UserPool for which currently only email/password sign up is enabled. Now, I wanted to add Sign in with Apple.

$ amplify auth update
Please note that certain attributes may not be overwritten if you choose to use defaults settings.

You have configured resources that might depend on this Cognito resource.  Updating this Cognito resource could have unintended side effects.

Using service: Cognito, provided by: awscloudformation
 What do you want to do? Apply default configuration with Social Provider (Federation)
 What domain name prefix do you want to use? mXXX
 Enter your redirect signin URI: http://localhost:3000/signin/
? Do you want to add another redirect signin URI No
 Enter your redirect signout URI: http://localhost:3000/signout/
? Do you want to add another redirect signout URI No
 Select the identity providers you want to configure for your user pool: Sign in with Apple
  
 You've opted to allow users to authenticate via Sign in with Apple. If you haven't already, you'll need to go to https://developer.apple.com/account/#/welcome and configure Sign in with Apple. 
 
 Enter your Services ID for your OAuth flow:  com.XXX.sid
 Enter your Team ID for your OAuth flow:   XXX
 Enter your Key ID for your OAuth flow:  XXX
 Enter your Private Key for your OAuth flow:  -----BEGIN PRIVATE KEY----- XXX -----END PRIVATE KEY-----
Successfully updated auth resource XXX6e84eedb locally

So up until this point, it runs smoothly. However, when I want to amplify push it, I receive the errors described above:

CREATE_FAILED OAuthCustomResourceInputs Custom::LambdaCallout Tue Sep 14 2021 13:32:44 GMT+0200 (Central European Summer Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/09/14/[$LATEST]XXX (RequestId: XXX)

The CloudWatch logs show this error message: "message": "Error calling iam:PutRolePolicy API. Make sure credentials calling the API allow 'cognito-idp.amazonaws.com' to call this API.".

As I am not sure which resource should receive the PutRolePolicy I don’t really know how to proceed here…

I’m authenticated with the CLI using an AWS profile.

Please let me know if I can provide any more info that would help you!

Hi @josefaidt! I’m currently stuck at the exact same problem. Walking through Apply default configuration with Social Provider (Federation) --> Sign in with Apple and amplify push afterwards always fails with this output:

CREATE_FAILED OAuthCustomResourceInputs Custom::LambdaCallout Tue Sep 14 2021 13:32:44 GMT+0200 (Central European Summer Time) Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/09/14/[$LATEST]XXX (RequestId: XXX)

The CloudWatch logs show this error message: "message": "Error calling iam:PutRolePolicy API. Make sure credentials calling the API allow 'cognito-idp.amazonaws.com' to call this API.".

As I am not sure which resource should receive the PutRolePolicy I don’t really know how to proceed here…

Any update / help is really appreciated.