amplify-cli: Analytics role not working
Before opening, please confirm:
- I have searched for duplicate or closed issues and discussions.
- I have read the guide for submitting bug reports.
- I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
Angular
Amplify APIs
Authentication, Analytics, REST API, GraphQL API, DataStore, Storage
Amplify Categories
auth, analytics
Environment information
# Put output below this line
Describe the bug
Hi I just added the analytics category to my app and Im getting this error ERROR Error: Uncaught (in promise): User: arn:aws:sts::XXXXX:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:XXXXXX:apps/4a167a45b9784eba813852e3f3c86205/events User: arn:aws:sts::704766592508:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:704766592508:apps/4a167a45b9784eba813852e3f3c86205/events
also im getting this warning AWSPinpointProvider - Please ensure you have updated your Pinpoint IAM Policy with the Action: “mobiletargeting:PutEvents” in order to record events
Expected behavior
Events being recorded as expected
Reproduction steps
Add the analytics category Add the record event as shown in the docs
Code Snippet
// Put your code below this line.
Log output
// Put your logs below this line
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
About this issue
- Original URL
- State: open
- Created 2 years ago
- Comments: 15 (4 by maintainers)
For us, the problem was that we added the “Pre token generation Lambda trigger” so taking that out made it work again.
Looking at it closer, we missed that the groupOverrideDetails needed to include the requests iam groups so we were clobbering them off. spreading the groupConfiguration over the overrideDetails and then including our updates fixed it up.
I thought the issue is the same as https://github.com/aws-amplify/amplify-cli/issues/4772 and was fixed in https://github.com/aws-amplify/amplify-cli/pull/10455, but it seems the bug still exists.
@jedwardblack Yup! that’s how we did it.
I resolved this. The root issue was that we are using Cognito groups as demonstrated in https://docs.amplify.aws/cli/auth/groups/#group-access-controls. When users are logged in - they assume an IAM role based on their Cognito group. The CLI and generated cloudformation doesn’t update the policies for these roles when you add Pinpoint analytics. The solution was to add “customPolicies” to the
auth/user-pool-group-precedence.jsonfile.@sergiorodriguez82 - could you share the snippet where you are calling
Analytics.configure? Thanks!