amplify-cli: Cognito Trigger templates' return and permissions issue

Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

How did you install the Amplify CLI?

yarn

If applicable, what version of Node.js are you using?

16.3

Amplify CLI Version

5.0.1

What operating system are you using?

Mac

Amplify Categories

auth

Amplify Commands

Not applicable

Describe the bug

Return Issue

The trigger's index.js calls each module handler as handler(event, context, callback) without returning the result, and inside the module file (e.g. add-to-group.js) the callback is never invoked and no response is returned. Cognito therefore receives no JSON output from the Lambda and rejects the trigger:

message: “Invalid lambda function output : Invalid JSON” __type: “InvalidLambdaResponseException”

Permission Issue

The add-to-group Cognito trigger template makes a call to create a group, but the permissions that call needs are missing from the function's execution role; see https://github.com/aws-amplify/amplify-cli/issues/7576#issuecomment-865912228

Expected behavior

Template trigger files should return a response out of the box, and the appropriate permissions should be attached to the function's role.

Reproduction steps

(follow steps in issues noted above)

GraphQL schema(s)

# Put schemas below this line


Log output

# Put your logs below this line


Additional information

No response
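The return issue described in the bug report above, as an added example that is not the amplify-cli template's code: a stand-in module, the fire-and-forget entry point that yields no JSON output, and a corrected entry point that awaits each module and returns the event. The module name, the environment variable names, the event shape and the output check are assumptions made for this example.

```javascript
// Added example, not the amplify-cli template. Shows why the trigger's
// index.js must await its modules and return the event to Cognito.

// Stand-in for add-to-group.js (assumed name). A real module would call
// cognito-idp CreateGroup / AdminAddUserToGroup here; we only annotate the
// event so the result is observable offline.
async function addToGroup(event) {
  event.response = event.response || {};
  event.response.addedToGroup = process.env.GROUP || "constructed-group";
  return event; // hand the (possibly modified) event back to the caller
}

const modules = { addToGroup };

// Buggy pattern from the report: modules are invoked but nothing is
// returned and no callback is ever called, so Lambda's result is undefined
// and Cognito answers "Invalid lambda function output : Invalid JSON".
function brokenHandler(event, context, callback) {
  Object.values(modules).forEach((fn) => fn(event, context, callback));
  // no return here, and the modules never use `callback` either
}

// Corrected pattern: await every configured module, then return the event.
async function handler(event) {
  const names = (process.env.MODULES || "addToGroup").split(",");
  for (const name of names) {
    const fn = modules[name.trim()];
    if (!fn) throw new Error(`unknown trigger module: ${name}`);
    await fn(event); // sequential, so each module sees prior mutations
  }
  return event;
}

// Approximation (assumed) of Cognito's output check: the trigger result
// must be a JSON-serialisable object, not undefined, null or a string.
function isValidTriggerOutput(result) {
  if (result === null || typeof result !== "object") return false;
  try { JSON.stringify(result); return true; } catch { return false; }
}

// Constructed PostConfirmation-style event for local runs.
function sampleEvent() {
  return {
    triggerSource: "PostConfirmation_ConfirmSignUp",
    userName: "alice",
    request: { userAttributes: { email: "alice@example.com" } },
    response: {},
  };
}
```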

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 2
  • Comments: 22 (3 by maintainers)

Most upvoted comments

I’m having the same issue with the circular dependencies, but trying to get access to a DynamoDB table with still no luck, only getting errors when trying to deploy.

I think it’s extremely bad that this issue has been around since 2019 and there’s still no actual fix in the roadmap; we need to do this ‘hacky’ way to do things as simple as reading from a database before a user signs up.

Even the official documentation has a way of doing this use case, but this wouldn’t work on a real world scenario as the selected triggers through the console will be overwritten every time you update any other. I think this should be prioritized as it renders the trigger functions basically useless except for really basic operations like sending e-mails.

I “solved” this by modifying custom-policies.json as follows:

[
  {
    "Effect": "Allow",
    "Action": [
      "cognito-idp:CreateGroup",
      "cognito-idp:AdminAddUserToGroup"
    ],
    "Resource": [
      "<MY HARD-CODED USERPOOL ARN FROM THE ERROR MESSAGE>"
    ]
  }
]

Amplify team, I wanted to ask what your approach is to semi-permanent bugs like this, when Cognito trigger Lambdas cannot access the GraphQL API? Like everybody else, I’ve run into a number of these; I slowly find and implement workarounds. Great, it’s there… somewhere. And sometimes they are in triple-chained closed issues like this one.

This is however a very inefficient process of development. These issues have been around for such a long time that maybe you could get the links fixed and the solutions discovered more easily? I’d rather go via official docs that link to the outstanding ticket than comb through outstanding tickets trying to find a solution to a common problem.

@acusti Since “Resource” is an array, you can just add each of your user pool ARNs in that array.

[
  {
    "Action": [
      "cognito-idp:AdminAddUserToGroup",
      "cognito-idp:CreateGroup",
      "cognito-idp:GetGroup"
    ],
    "Resource": [
      "<DEV USERPOOL ARN>",
      "<MAIN USERPOOL ARN>"
    ]
  }
]

@scottmcmaster’s workaround worked for me, though I had to also add "cognito-idp:GetGroup" to the Action array:

[
  {
    "Action": [
      "cognito-idp:AdminAddUserToGroup",
      "cognito-idp:CreateGroup",
      "cognito-idp:GetGroup"
    ],
    "Resource": [
      "<HARD-CODED USERPOOL ARN FROM THE ERROR MESSAGE>"
    ]
  }
]

It would solve it for me completely if I could use a string as the resource ARN that would switch between my dev environment user pool ARN and my main environment user pool ARN. Does anyone know if that is possible using custom-policies.json?

I have this problem and it involves a lot of manual work. For a fresh backend deployment, do amplify push first, update this file with the ARN and do another push. When team members deploy their own backend, they have to modify the custom-policies.json file with their ARN and remember not to check it in, and back it up during branch switching, etc. It would really help to have this happen automatically when we allow the Lambda function to access other resources.