cognito-identity-pool: Can't attach IdentityPoolRoleAttachment even if not present #23449
Comments
wz2b
added
bug
|
same issue here |
|
I though there was some issue with the existing stack, I went and created a new one and the same issue happened |
|
Error log Full error log |
|
Yep, same here. I checked a few other things: so without knowing much more than that, it looks like it's the CDK itself that's throwing the error, not some underlying AWS API issue. My workaround for now is this:
|
Ahh okay, I was wrong. What you're showing is that it is actually something in CloudFormation, not the CDK. I'm not sure how to work around this - you'd need some kind of forward reference. Is that possible? |
|
cdk code /**
* CloudFormation parameters
*/
const adminEmail = new CfnParameter(this, "adminEmail", {
type: "String",
description: "Email address for the admin user",
minLength: 5,
});
const pool = new UserPool(this, "UserPool", {
userInvitation: {
emailSubject:
"Subject of the email",
emailBody: readFileSync("lib/data/email-template.html").toString(),
},
customAttributes: { roles: new StringAttribute({ mutable: true }) },
passwordPolicy: {
minLength: 8,
requireLowercase: true,
requireUppercase: true,
requireDigits: true,
requireSymbols: true,
tempPasswordValidity: Duration.days(3),
},
advancedSecurityMode: AdvancedSecurityMode.ENFORCED,
});
const client = pool.addClient("Frontend", {
preventUserExistenceErrors: true,
});
const identityPool = this.buildIdentityPool(pool, client, props.authenticationRequired);
const stack = Stack.of(this);
const datasetsBucketArn = `arn:${stack.partition}:s3:::${props.datasetsBucketName}`;
const contentBucketArn = `arn:${stack.partition}:s3:::${props.contentBucketName}`;
const adminRole = this.buildAdminRole(identityPool, datasetsBucketArn, contentBucketArn);
const editorRole = this.buildEditorRole(identityPool, datasetsBucketArn, contentBucketArn);
const publicRole = this.buildPublicRole(
identityPool,
props.authenticationRequired,
datasetsBucketArn,
contentBucketArn,
);
const noAccessRole = this.buildNoAccessRole(identityPool);
const providerUrl = `cognito-idp.${stack.region}.amazonaws.com/${pool.userPoolId}:${client.userPoolClientId}`;
new IdentityPoolRoleAttachment(this, "AuthRoleAttachment", {
identityPool: identityPool,
unauthenticatedRole: props.authenticationRequired ? noAccessRole : publicRole,
roleMappings: [
{
mappingKey: "cognito",
useToken: true,
providerUrl: IdentityPoolProviderUrl.userPool(providerUrl),
rules: [
{
claim: "custom:roles",
matchType: RoleMappingMatchType.CONTAINS,
claimValue: "Admin",
mappedRole: adminRole,
},
{
claim: "custom:roles",
matchType: RoleMappingMatchType.CONTAINS,
claimValue: "Editor",
mappedRole: editorRole,
},
{
claim: "custom:roles",
matchType: RoleMappingMatchType.CONTAINS,
claimValue: "Public",
mappedRole: publicRole,
},
],
},
],
});
const adminUser = new CfnUserPoolUser(this, "AdminUser", {
userPoolId: pool.userPoolId,
username: adminEmail.valueAsString,
userAttributes: [
{
name: "email",
value: adminEmail.valueAsString,
},
{
name: "custom:roles",
value: JSON.stringify(["Admin"]),
},
],
});
/**
* Outputs
*/
this.userPoolArn = pool.userPoolArn;
this.appClientId = client.userPoolClientId;
this.userPoolId = pool.userPoolId;
this.adminEmail = adminEmail.valueAsString;
this.identityPoolId = identityPool.identityPoolId;
new CfnOutput(this, "UserPoolArn", { value: this.userPoolArn });
new CfnOutput(this, "AppClientId", { value: this.appClientId });
new CfnOutput(this, "UserPoolId", { value: this.userPoolId });
new CfnOutput(this, "AdminUsername", { value: adminUser.ref });
new CfnOutput(this, "IdentityPoolId", {
value: identityPool.identityPoolId,
});and the identity pool creation like const identityPool = new IdentityPool(this, "IdentityPool", {
allowUnauthenticatedIdentities: !authenticationRequired,
authenticationProviders: {
userPools: [new UserPoolAuthenticationProvider({ userPool, userPoolClient })],
},
});
return identityPool;roles like const adminRole = this.buildIdentityPoolRole("CognitoAdminRole", true, identityPool);
adminRole.addToPolicy(
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["s3:GetObject", "s3:PutObject"],
resources: [
...
],
}),
); |
|
the code above works fine for default authenticated and unauthenticated roles, but when I introduce the roleMapping the stack starts failing |
|
Running into precisely the same issue - I want to create a role that is constrained to that pool so need to create the role after the pool has been created. Getting the same error trying to add the role mappings. |
|
My workaround for this was to create an AwsCustomResource that called PutRolePolicy which does an add or replace. In my case I implemented onCreate, onUpdate, and onDelete. I think these custom resources must be created in the order they're declared in the stack but I'm not 100% sure of that - it might take some playing around to figure that out. Thanks @mabreuortega for providing sample code and @revmischa for confirming that I'm not the only one who sees the issue. Unfortunately I'm not close enough to the internals of the CDK to be of much use proposing a solution, except to note that CreateIdentityPool doesn't require you to set the roles (you do that later). Personally I feel like if someone creates an identity pool and doesn't attach auth/unauth roles then it shouldn't use default roles. That might break backward compatibility but I think it's the right thing to do - I don't like the idea of default roles here, I think users should have to consider their own roles. |
|
Thanks for reporting this issue, and for the discussion 🙂 The way CDK currently handles this is that an aws-cdk/packages/@aws-cdk/aws-cognito-identitypool/lib/identitypool.ts Lines 432 to 439 in 9b2573b The roles are created in this way: aws-cdk/packages/@aws-cdk/aws-cognito-identitypool/lib/identitypool.ts Lines 480 to 499 in 9b2573b Before I head into possible solutions, I'd like to first understand what exactly about the current role generation would cause someone to want to create their own roles instead. Does anyone have some insight on this? As for solutions, there are a couple different directions we could head to address the issues you are encountering, depending on the exact problems with the current role creation are. Regardless of what we do however, we should clarify in the docs that we are creating an
Depending on the clarification of what exactly the issue with the current role creation is, we can choose a direction to head in. I'm also open to alternate solutions if anyone has any suggestions |
peterwoodworth
added
p2
effort/small
|
In my case, we have multiple roles at the application levels (unauthenticated, public, editor, admin). I would like to map a role for each one that only have access to what they need to do in our s3 bucket (read, put in specific paths). We do have a custom cognito claim (custom:roles = "" | "Public" | "Editor" | "Admin") and if possible I would like to assign a role for each of those values |
|
Yes I as well want to grant different permissions to users depending on what cognito group they belong to. I assume that must be a somewhat common use case. |
Groups are a little different. You specify groups and their associated roles as attributes of the group in the userpool. What we're talking about here is the default roles for authenticated and unauthenticated users. Typically, what you'd do is you'd have groups defined - for example 'admins' or 'superusers' - then the 'default' authorized user role (the one we're talking about here) would have a default set of permissions that gets applied if you're not a member of a group. Use of the unauthenticated role is probably a little less common - it's typically a "guest" role but at least in my case I generally just make resources that would use that public. I'm sure there's use cases for the unauthenticated role that I'm not familiar with. But to answer @peterwoodworth's question, I think the most common use case is to assign base permissions if a user doesn't have a higher level set of permissions based on group. Implementation For security reasons I think I'd prefer option 2 - cdk doesn't generate default roles unless you specify something like I don't know how option 3 would work. The whole problem here is the circular reference that's required to make sure this role can only be assumed by the identity pool you're trying to create. I'm going to tailor this role for my own needs - maybe add IoT Core permissions, DynamoDB permissions, really anything. I want to be able to lock the trust policy not just to any identity pool but to this identity pool. That's really what started this thread. |
I want my users to use the default authenticated role, but to grant them additional privileges if in certain groups. I don't need the unauthenticated role at the moment for my use case but it's not an issue if it exists. The issue that I have is with trying to add role mappings. Something along the lines of: identityPool.addRoleMappings(
{
// map admin users to admin role
mappingKey: 'cognito', // internal dumb CDK thing if you want to use a CDK token as a key
providerUrl: IdentityPoolProviderUrl.userPool(`${userPoolProviderId}:${webClient.userPoolClientId}`), // allowed for clients using the web client
resolveAmbiguousRoles: true, // does something
rules: [
// JWT claim -> IAM role mappings
{
// if group matches admin
claim: 'cognito:groups',
matchType: RoleMappingMatchType.CONTAINS,
claimValue: ADMIN_ROLE,
// use this role
mappedRole: adminRole,
},
],
}
);Trying to interpret how to apply what's mentioned in the docs here in CDK I get the same error mentioned above: I believe because it's a key in a mapping which has been already defined when the default auth/unauth roles are created automatically. There doesn't seem to be a way to add or replace the default role mappings, even if I pass in |
|
I think that all this role generation should be handled by the developer and not hidden inside the framework but anyway if we go that route this needs to be mentioned in the README somewhere. |
I agree that it should all be handled by the developer. I'm going to go a step further and say it should be a requirement that it be handled by the developer. A README or documentation can provide the defaults as an example. If we DO want to keep default roles, there should be a way to attach your own policies to them, inline or otherwise. But I think it's simpler to just say "create your own roles, then your identity pool referencing those roles." |
|
I tried to split the stack in AUTH vs AUTHZ trying to create the roles and the mapping later but there are other failures there too. The method to initialized a pool reference don't work when the identityPoolId is a token identityPool: IdentityPool.fromIdentityPoolId(
this,
"IdentityPool",
props.identityPoolId,
),this throws an error in this line /Volumes/workplace/performance-dashboard-on-aws/cdk/node_modules/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts:334
if (!(idParts.length === 2)) throw new Error('Invalid Identity Pool Id: Identity Pool Ids must follow the format <region>:<id>');
^
Error: Invalid Identity Pool Id: Identity Pool Ids must follow the format <region>:<id>
at Function.fromIdentityPoolArn (/Volumes/workplace/performance-dashboard-on-aws/cdk/node_modules/@aws-cdk/aws-cognito-identitypool-alpha/lib/identitypool.ts:334:40)
at new AuthorizationStack (/Volumes/workplace/performance-dashboard-on-aws/cdk/lib/authz-stack.ts:42:43)
at Object.<anonymous> (/Volumes/workplace/performance-dashboard-on-aws/cdk/bin/main.ts:39:15)
at Module._compile (node:internal/modules/cjs/loader:1155:14)
at Module.m._compile (/Volumes/workplace/performance-dashboard-on-aws/cdk/node_modules/ts-node/src/index.ts:1618:23)
at Module._extensions..js (node:internal/modules/cjs/loader:1209:10)
at Object.require.extensions.<computed> [as .ts] (/Volumes/workplace/performance-dashboard-on-aws/cdk/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1033:32)
at Function.Module._load (node:internal/modules/cjs/loader:868:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12) |
|
Having this issue too |
|
Ran into this as well. I cannot create the roles without knowing the identityPoolId for the principal, so I have to do the role mapping after the identity pool is created |
|
I moved in the meantime to the use CfnIdentityPoolRoleAttachment and creating the IdentityPool in 2 different stacks: |
TheRealAmazonKendra
added
the
in-progress
|
I've found that the issue seems to be stemming from the way the service API is creating the ID for the |
Describe the bug
If you create an identity pool like this, without specifying an authenticated and unauthenticated role, it generates default roles rather than just leaving them blank.
Then, later, when you try to attach your own roles, like this:
it fails with this error:
Its beef seems to be that even though I created the identity pool without roles attached, it created default ones on its own. Then later when I go to 'attach' my own, it won't let me because it thinks there is already an attachment.
Expected Behavior
I expected that when I create an identity pool with no roles, it would not generate default roles.
Current Behavior
Testing this with only this code and a brand new stack:
it created default IAM roles for authenticated and unauthenticated users. This caused a conflict when I then tried to create my own IdentityPoolRoleAttachment, because it says there was already an attachment.
Reproduction Steps
Possible Solution
I think the way to fix this is that if you create an identity pool without specifying roles it actually leaves them empty rather than generating default roles. This document tells me this should be possible as the attachment is something completely separate.
Why this is important is that I want to add constraints to my roles that only allow those role to be assumed by this specific identity pool. To do that, I need a reference to the identity pool. So for this to work you have to do things in this order:
Additional Information/Context
My versions of the pieces I am using from packages.json are:
CDK CLI Version
2.56.0 (build 1485f48)
Framework Version
2.56.0-alpha.0
Node.js Version
v16.18.0
OS
Windows 10
Language
Typescript
Language Version
4.9.3
Other information
The text was updated successfully, but these errors were encountered: