amplify-js: User doesn't have permissions even though they are assigned to a group with permissions

So I have an admin group for my cognito pool with permissions granted to cognito-idp. When I log into this user, I can’t access the resources

Code:

```javascript
import { Auth } from 'aws-amplify';
import AWS from 'aws-sdk';
import awsExports from './aws-exports';

// Generator (redux-saga style) so the yields below are valid
function* listPoolUsers() {
  const currentCredentials = yield Auth.currentCredentials();
  const credentials = yield Auth.essentialCredentials(currentCredentials);

  // Hand the identity-pool credentials to the plain AWS SDK; the pool region comes from aws-exports
  AWS.config.update({ region: awsExports.aws_cognito_region });
  AWS.config.credentials = new AWS.Credentials(credentials.accessKeyId, credentials.secretAccessKey, credentials.sessionToken);

  const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
  const response = yield cognitoidentityserviceprovider.listUsers({ UserPoolId: awsExports.aws_user_pools_id }).promise();

  console.log(response);
}
```

Error: User: arn:aws:sts::<account_id>:assumed-role/<app_pool_name>/CognitoIdentityCredentials is not authorized to perform: cognito-idp:ListUsers on resource: arn:aws:cognito-idp:us-east-1:<account_id>:userpool/<pool_id>

Am I getting the wrong credentials? Any help or tips would be greatly appreciated

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 6
  • Comments: 22 (6 by maintainers)

Most upvoted comments

@Prefinem @mlabieniec Gents, I think this may be relevant to this discussion.

Check that the role assigned to the user group has a trust relationship. It needs this so it can assume the role of the federated identity provider.

You can build an appropriate role for the User Pool group by doing this:

  • Open AWS console
  • Get to IAM section
  • Pick roles
  • Pick web identity
  • Choose Amazon Cognito
  • Paste in your Identity pool id (the federated one)
  • Click next
  • Now add/create policies you need for the user group, like S3 access, or whatever.
  • Give the role a name and save it.
  • Go to your User Pool group, edit it and assign the role just created.
  • Open the Federated Identity -> Authentication providers section->Authenticated role selection
  • Set the Authenticated role selection dropdown to Choose role from token
  • Optionally set Role resolution to DENY

References:

Fine grained auth

Role based access control

Hi @stripathix Sorry, I should have been clearer with the setting location, I’ve updated my comment. The required setting is further down the page (from your screenshot) in Federated Identity->Authentication providers->Authenticated role selection.

Once you set Choose role from token, then the role used will be the one from your user pool group instead of the federated one here which means you can do fine grained user management with userpool groups.
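The console procedure in the comment above (trust relationship on the group role, permissions policy, group-to-role assignment, and the "Choose role from token" setting with DENY resolution), expressed as an added JavaScript example using the AWS SDK for JavaScript v2 that the issue's own snippet already uses. This is not code from the amplify-js project or from the commenter; every id, ARN, region and name in it is an assumed placeholder. The permissions policy is deliberately limited to the one call the question makes, on the one pool it names.

```javascript
// Added example (not from amplify-js or this issue): the group-role setup done with aws-sdk v2.
// All ids/ARNs/names are placeholders.

// 1. Trust policy: lets the federated identity pool hand this role to a signed-in user.
//    The aud condition pins the role to ONE identity pool; without it any identity pool
//    in any AWS account could assume this role.
function groupRoleTrustPolicy(identityPoolId) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { Federated: 'cognito-identity.amazonaws.com' },
        Action: 'sts:AssumeRoleWithWebIdentity',
        Condition: {
          StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPoolId },
          'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'authenticated' },
        },
      },
    ],
  };
}

// 2. Permissions policy: only the call the snippet makes, only on this user pool.
function listUsersPolicy(userPoolArn) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'ListUsersInThisPoolOnly',
        Effect: 'Allow',
        Action: ['cognito-idp:ListUsers'],
        Resource: userPoolArn,
      },
    ],
  };
}

// 3. Identity pool side: "Choose role from token" with ambiguous resolution DENY.
//    The mapping key is the user pool provider name plus the app client id, exactly
//    as the identity pool sees the login.
function tokenRoleMapping({ region, userPoolId, appClientId, identityPoolId, authenticatedRoleArn, unauthenticatedRoleArn }) {
  const provider = `cognito-idp.${region}.amazonaws.com/${userPoolId}:${appClientId}`;
  const roles = { authenticated: authenticatedRoleArn };
  if (unauthenticatedRoleArn) roles.unauthenticated = unauthenticatedRoleArn;
  return {
    IdentityPoolId: identityPoolId,
    Roles: roles,
    RoleMappings: { [provider]: { Type: 'Token', AmbiguousRoleResolution: 'Deny' } },
  };
}

// Applies all three. The aws-sdk namespace is passed in so this file loads without the
// SDK installed. setIdentityPoolRoles replaces the pool's whole role configuration,
// so every mapping you want to keep must be in the call.
async function applyGroupRole(AWS, cfg) {
  const iam = new AWS.IAM();
  const idp = new AWS.CognitoIdentityServiceProvider({ region: cfg.region });
  const identity = new AWS.CognitoIdentity({ region: cfg.region });

  const role = await iam.createRole({
    RoleName: cfg.roleName,
    AssumeRolePolicyDocument: JSON.stringify(groupRoleTrustPolicy(cfg.identityPoolId)),
  }).promise();

  await iam.putRolePolicy({
    RoleName: cfg.roleName,
    PolicyName: 'ListUsersInThisPoolOnly',
    PolicyDocument: JSON.stringify(listUsersPolicy(cfg.userPoolArn)),
  }).promise();

  // Attaching the role to the group is what puts cognito:roles / cognito:preferred_role
  // into the user's ID token.
  await idp.updateGroup({ GroupName: cfg.groupName, UserPoolId: cfg.userPoolId, RoleArn: role.Role.Arn }).promise();

  await identity.setIdentityPoolRoles(tokenRoleMapping(cfg)).promise();
  return role.Role.Arn;
}

// Placeholder configuration (constructed); run applyGroupRole(require('aws-sdk'), SAMPLE_CFG) with real values.
const SAMPLE_CFG = {
  region: 'us-east-1',
  userPoolId: 'us-east-1_AbCdEfGhI',
  userPoolArn: 'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_AbCdEfGhI',
  appClientId: '1h57kf5cpq17m0eml12EXAMPLE',
  identityPoolId: 'us-east-1:11111111-2222-3333-4444-555555555555',
  authenticatedRoleArn: 'arn:aws:iam::123456789012:role/amplify_auth_role',
  groupName: 'admin',
  roleName: 'AdminGroupRole',
};

console.log(JSON.stringify(groupRoleTrustPolicy(SAMPLE_CFG.identityPoolId), null, 2));
console.log(JSON.stringify(tokenRoleMapping(SAMPLE_CFG), null, 2));
```

The caller needs IAM and Cognito administrator rights to run `applyGroupRole`; the group role itself carries nothing beyond `cognito-idp:ListUsers` on the named pool, which is the least-privilege shape of the policy the later comment proposes.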

@sbussard Consider asking this follow up question on SO as this issue actually has nothing to do with Amplify-JS. I created an answer in May 2018 that is the top answer and got some positive feedback. Maybe something has changed in Cognito, others there might be having similar issues.

<rant> IMO half the problems related to AWS SDK and SDK wrappers like this library would be non-issues if it was easier to configure permissions in AWS. </rant>

While creating a CloudFormation stack, I got an error like:

```
User:arn:aws::12345678:user/xyz is not authorized to perform:
cognito-idp:CreateUserPool on resource:*(Service:AWSCognitoIdentityProviderService;
Status Code: 400; Error Code: AccessDeniedException;Request ID: xxxxx)
```

Workaround:

  • Went to the stack, which is in Rollback state -> checked the events and could see (creation-failed) some roles I don’t have access to.
  • So I checked the IAM policy assigned to me - I did not have the access.
  • I created a new policy and assigned it to myself as an inline policy by importing it from AWS.

aws-cognito-idp

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Cognito-IDP",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "cognito-idp:*"
            ],
            "Resource": "*"
        }
    ]
}
```

Note: you can restrict the access on resource and cognito-idp user.

With this, I am able to create and deploy the CloudFormation stack for the module.

Has anyone been able to resolve this? My user is in an admin group with a special ARN, but when I call the credentials they are still using the default federated Auth_Role ARN.
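An added diagnostic for exactly this symptom (a user in a group with its own role, yet the credentials still carry the default authenticated role). It is not code from the amplify-js project or from the commenter. It reads the role claims out of the user's ID token and compares them with the role STS says the caller has; in the original question that second value is the `assumed-role/.../CognitoIdentityCredentials` ARN printed in the AccessDenied message, or the `Arn` returned by `new AWS.STS().getCallerIdentity().promise()`. The sample token and caller ARN at the bottom are constructed; the account id and the `amplify_auth_role` name are assumed placeholders.

```javascript
// Added diagnostic (not from amplify-js or this issue). Inputs in a real app:
//   idToken  = (await Auth.currentSession()).getIdToken().getJwtToken()
//   callerArn = (await new AWS.STS().getCallerIdentity().promise()).Arn

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Reads the claims WITHOUT verifying the signature: this inspects a token the user pool
// just issued to us. Anything that makes an authorization decision must verify it.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// 'arn:aws:iam::123456789012:role/path/Name'                          -> 'Name'
// 'arn:aws:sts::123456789012:assumed-role/Name/CognitoIdentityCredentials' -> 'Name'
function roleNameFromArn(arn) {
  const m = /^arn:aws[\w-]*:(iam|sts)::\d{12}:(role|assumed-role)\/(.+)$/.exec(arn || '');
  if (!m) return null;
  const segs = m[3].split('/');
  return m[2] === 'role' ? segs[segs.length - 1] : segs[0];
}

// Mirrors the identity pool's "Choose role from token" rule: cognito:preferred_role wins,
// otherwise the single entry of cognito:roles, otherwise the choice is ambiguous (and a
// pool set to DENY resolution refuses to issue credentials at all).
function diagnose(idTokenJwt, callerArn) {
  const claims = decodeJwtPayload(idTokenJwt);
  const result = {
    groups: claims['cognito:groups'] || [],
    expectedRole: null,
    actualRole: roleNameFromArn(callerArn),
    verdict: null,
  };
  if (claims.token_use !== 'id') {
    // cognito:roles only exists in the ID token; an access token never carries a role
    result.verdict = 'not-an-id-token';
    return result;
  }
  const roles = claims['cognito:roles'] || [];
  if (roles.length === 0) {
    // the group exists but has no IAM role attached, so there is nothing to map
    result.verdict = 'group-has-no-role';
    return result;
  }
  const expected = claims['cognito:preferred_role'] || (roles.length === 1 ? roles[0] : null);
  if (!expected) {
    result.verdict = 'ambiguous-roles';
    return result;
  }
  result.expectedRole = roleNameFromArn(expected);
  // Token names the group role but STS shows another role: the identity pool is most
  // likely still on "Use default role" rather than "Choose role from token".
  result.verdict = result.expectedRole === result.actualRole ? 'ok' : 'identity-pool-uses-default-role';
  return result;
}

// Builds an UNSIGNED token for the constructed sample only; real tokens are signed by the pool.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.`;
}

// Constructed sample: the claims Cognito puts in an ID token for a user in an "admin"
// group whose attached role is AdminGroupRole (placeholder account id).
const SAMPLE_ID_TOKEN = makeUnsignedJwt({
  token_use: 'id',
  sub: '00000000-0000-0000-0000-000000000000',
  'cognito:groups': ['admin'],
  'cognito:roles': ['arn:aws:iam::123456789012:role/AdminGroupRole'],
  'cognito:preferred_role': 'arn:aws:iam::123456789012:role/AdminGroupRole',
});

// Constructed to match the shape of the ARN in the issue's AccessDenied message.
const SAMPLE_CALLER_ARN =
  'arn:aws:sts::123456789012:assumed-role/amplify_auth_role/CognitoIdentityCredentials';

console.log(diagnose(SAMPLE_ID_TOKEN, SAMPLE_CALLER_ARN));
```

Read the verdict before touching IAM policies: `group-has-no-role` means the group itself needs a role ARN; `identity-pool-uses-default-role` means the policy on the group role is irrelevant until the identity pool's authenticated role selection is switched to "Choose role from token"; only `ok` with a remaining AccessDenied points at the role's permissions policy.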

@Prefinem it looks like your IAM role does not have permission for the cognito-idp:ListUsers method. I’m assuming you configured this manually (the backend), so did you add this permission to the IAM policy, i.e. something like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "cognito-idp:ListUsers",
            "Resource": "arn:aws:cognito-idp:us-east-1:<account_id>:userpool/<pool_id>"
        }
    ]
}
```

This would need to be attached to the role you are trying to assume there. If you didn’t create these resources manually and used Mobile Hub, then go to the IAM console -> Roles and search for your Mobile Hub project, click on the role and attach a policy that contains something like the above.

@jakejcheng Sorry to hear of your troubles. I still have an old project that uses this library, but I haven’t updated Amplify or changed Cognito configuration in years, so maybe the issue is due to some update in Amplify or change in the default Cognito setup.

For new projects I now use serverless.com for configuring AWS and for Auth/Identity I’ve been using PassportJS JWT strategy for small projects with AWS API Gateway/Lambda/DynamoDB, and have looked into Auth0 for larger projects (but never had a need to use it yet).

Sorry I couldn’t help with your specific issue.