amplify-js: "Invalid identity pool configuration. Check assigned IAM roles for this pool."

Describe the bug

It appears the AWS SDK is not being configured correctly.

I was adding storage to my app but I kept getting 403 errors every time I tried to upload. After some digging I tried calling Auth.currentUserCredentials, which returns the following error:

InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool.

In the console I have checked the IAM roles and user pool and they are configured correctly, so I assume the issue lies in how the config is being handled.

To Reproduce

Steps to reproduce the behavior:

  1. amplify init
  2. amplify add auth
  3. amplify add storage (allow authenticated users to read, create and update. Unauthenticated users allowed to read only)
  4. Create a user
  5. Log in as user
  6. Attempt to upload an image with Storage.put
  7. See 403 error
  8. Call Auth.currentUserCredentials
  9. See InvalidIdentityPoolConfigurationException error

Expected behavior

I should be able to authenticate and upload files using the AWS SDK as documented in the official documentation: https://docs.amplify.aws/lib/storage/upload/q/platform/js

Code Snippet

Inside any handler:

  onPress={() => Storage.put('user/avatar', blob)}

Inside any component:

  React.useEffect(() => {
    Auth.currentUserCredentials().then(console.log);
  }, []);

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (5 by maintainers)

Most upvoted comments

Thanks @Amplifiyer

I can confirm it’s an issue with how Amplify.configure handles the aws-exports.js file. Hopefully we can get this issue resolved before long (I’m happy to help), will also save other people time if this is mentioned in the docs while a fix is being worked on.

I was able to workaround the issue by manually applying the properties from aws-exports.js to Amplify.configure:

Amplify.configure({
  Auth: {
    identityPoolId: aws_exports['aws_cognito_identity_pool_id'], //REQUIRED - Amazon Cognito Identity Pool ID
    region: aws_exports['aws_project_region'], // REQUIRED - Amazon Cognito Region
    userPoolId: aws_exports['aws_user_pools_id'], //OPTIONAL - Amazon Cognito User Pool ID
    userPoolWebClientId: aws_exports['aws_user_pools_web_client_id'] //OPTIONAL - Amazon Cognito Web Client ID
  },
  Storage: {
    AWSS3: {
      bucket: aws_exports['aws_user_files_s3_bucket'], //REQUIRED -  Amazon S3 bucket
      region: aws_exports['aws_user_files_s3_bucket_region'] //OPTIONAL -  Amazon service region
    }
  }
});

I ran into this error but it wasn’t to do with the authRole as listed above. Mine was because I had manually created a group on Cognito and then was using that group and its associated role with some users. I wanted to document what I did in case anyone gets to this point and isn’t able to solve the problem.

TL;DR: Don’t manually create groups and roles if you’re going to be using them for Amplify.

What I did to find out which role was causing the issue was to take the access_token that gets returned on the POST request to AWS. You can take this token and plug it into https://jwt.io/, which will decode it.

My issue was that any account where I was getting the above error included the following attributes in that JWT:

  "cognito:roles": [
    "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*"
  ],
  "cognito:preferred_role": "arn:aws:iam::*ACCOUNT_ID*:role/*THE_ROLE*",

If you are getting this issue, find these roles and verify that they have the conditions attached to them from @timoteialbu’s response:

  "Condition": {
    "StringEquals": {
      "cognito-identity.amazonaws.com:aud": "us-west-2:<COGNITO_IDENTITY_POOL_ID>"
    },
    "ForAnyValue:StringLike": {
      "cognito-identity.amazonaws.com:amr": "authenticated"
    }
  }

My solution was to just manually delete the group I’d created along with the role associated with it and then recreate it via the Amplify CLI and then just move all the users who were in the original group into the new one. This way Amplify maintains it when it changes.

I found a way to solve my issue regarding the InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool. error.

The solution was to look up the authRole that amplify-cli creates and add trust relationships. Here is what I edited it to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-west-2:<COGNITO_IDENTITY_POOL_ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

Since this was working before June 2020 (which was the last time we successfully created a new env and had it working with no extra changes like this), what has changed since? I looked through the changelog but could not find anything.

Are we supposed to add trust relationships ourselves?
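The two checks the comments above describe by hand (reading the cognito:roles / cognito:preferred_role claims out of the token, then confirming the role's trust policy carries the aud and amr conditions) as a small script. This is an added example, not code from amplify-js or from any commenter; the token, pool id and role ARN in it are constructed placeholders.

```javascript
// Added example: inspect the role named in a Cognito token and validate that role's trust policy.
const b64url = (s) => Buffer.from(s).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");

// Decode the JWT payload only; the signature is not verified here, we are only reading claims.
function rolesFromToken(token) {
  const payload = Buffer.from(token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"), "base64");
  const claims = JSON.parse(payload.toString("utf8"));
  return { roles: claims["cognito:roles"] || [], preferredRole: claims["cognito:preferred_role"] || null };
}

// Empty list when some statement lets cognito-identity.amazonaws.com assume the role for this pool
// and only for authenticated identities; otherwise a list of what is missing or wrong.
function checkTrustPolicy(policy, identityPoolId) {
  const candidates = (policy.Statement || []).filter((s) =>
    s.Effect === "Allow" &&
    (s.Principal || {}).Federated === "cognito-identity.amazonaws.com" &&
    [].concat(s.Action || []).includes("sts:AssumeRoleWithWebIdentity"));
  if (candidates.length === 0) {
    return ["no Allow statement grants sts:AssumeRoleWithWebIdentity to cognito-identity.amazonaws.com"];
  }
  const problems = [];
  for (const s of candidates) {
    const cond = s.Condition || {};
    const aud = (cond.StringEquals || {})["cognito-identity.amazonaws.com:aud"];
    const amr = (cond["ForAnyValue:StringLike"] || {})["cognito-identity.amazonaws.com:amr"];
    const here = [];
    if (aud !== identityPoolId) here.push(`aud condition is ${JSON.stringify(aud)}, expected "${identityPoolId}"`);
    if (amr !== "authenticated") here.push(`amr condition is ${JSON.stringify(amr)}, expected "authenticated"`);
    if (here.length === 0) return []; // this statement is sufficient on its own
    problems.push(...here);
  }
  return problems;
}

// Constructed sample data: a fake, unsigned token and placeholder ids, not real values.
const POOL_ID = "us-west-2:00000000-0000-0000-0000-000000000000";
const ROLE_ARN = "arn:aws:iam::123456789012:role/amplify-authRole";
const SAMPLE_TOKEN = [b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64url(JSON.stringify({ "cognito:roles": [ROLE_ARN], "cognito:preferred_role": ROLE_ARN })), "sig"].join(".");
const GOOD_POLICY = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Principal: { Federated: "cognito-identity.amazonaws.com" }, Action: "sts:AssumeRoleWithWebIdentity",
  Condition: { StringEquals: { "cognito-identity.amazonaws.com:aud": POOL_ID },
    "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } }] };
// A hand-made role whose trust policy lacks the Condition block entirely.
const BAD_POLICY = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Principal: { Federated: "cognito-identity.amazonaws.com" }, Action: "sts:AssumeRoleWithWebIdentity" }] };
console.log(rolesFromToken(SAMPLE_TOKEN).preferredRole); // the role to look up in IAM
console.log(checkTrustPolicy(GOOD_POLICY, POOL_ID));      // []
console.log(checkTrustPolicy(BAD_POLICY, POOL_ID));       // two problem strings
```

Paste the real trust policy from the IAM console in place of the sample objects to check a live role.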

I just upgraded to the latest version of these packages:

"aws-amplify": "3.3.4"
"aws-amplify-react": "4.2.8"

and the issue persists.

I have the same issue and changing the export file does not solve it.