I am setting up a custom AWS Amplify auth application
Signing up and signing in were working fine until I enabled MFA on a user.
So after sign-in, on "SOFTWARE_TOKEN_MFA", I am redirecting to a modal for the user to enter the code from the authenticator app:
const loggedUser = await Auth.confirmSignIn(awsUser, userCode, challenge);
This function throws the error:
Identity pool - does not have identity providers configured
I enabled TOTP in the AWS Console.
Executing amplify import auth for a Cognito User Pool and Identity Pool, and passing the Web Client as well as the Native client, fails with the error below. If there is something that is missing, please let me know. TIA
Cannot import Identity Pool without roles.
Error: Cannot import Identity Pool without roles.
at IdentityPoolService.getIdentityPoolRoles (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/src/aws-utils/IdentityPoolService.ts:88:13)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at importServiceWalkthrough (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/provider-utils/awscloudformation/import/index.ts:322:74)
at Object.importResource (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/provider-utils/awscloudformation/import/index.ts:45:42)
at Object.executeAmplifyCommand (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/index.js:421:3)
at executePluginModuleCommand (/usr/local/lib/node_modules/@aws-amplify/cli/src/execution-manager.ts:178:3)
at executeCommand (/usr/local/lib/node_modules/@aws-amplify/cli/src/execution-manager.ts:30:5)
at Object.run (/usr/local/lib/node_modules/@aws-amplify/cli/src/index.ts:205:5)
Ran into this issue as well.
The Amplify Auth import docs mention the following:
Your Identity Pool needs:
an Authenticated Role with a trust relationship to your Identity Pool
an optional Unauthenticated Role if you want to use any guest user access for your Amplify categories. (Example: Guest access for your S3 buckets or REST API endpoints)
However, I:
was using an identity pool with an "authenticated" role with the proper trust relationship intact (role, policy, identity pool role attachment), and
made sure the IAM role I was using to deploy this change had the proper permissions to list and read identity pools and roles.
Still no help.
I then enabled "Allow unauthenticated identities" (although I did not want this) and things worked smoothly. This is because this setting will automatically generate two authenticated and unauthenticated roles and attach them for you.
However, as I did not want unauthenticated identity access, I disabled that again. Based on that setting working, I wondered whether the Unauthenticated Role was truly optional; well, it turns out it's not, at least not in the latest Amplify system. Someone must have changed this behaviour without updating the docs.
Solution:
Your Identity Pool needs:
an Authenticated Role with a trust relationship to your Identity Pool
an Unauthenticated Role with a trust relationship to your Identity Pool
To check if your identity pool is set up properly run this function in the AWS CLI:
aws cognito-identity get-identity-pool-roles --identity-pool-id "your identity pool id here"
You should get something like this:
{
    "IdentityPoolId": "your identity pool id here",
    "Roles": {
        "authenticated": "your authenticated role ARN here",
        "unauthenticated": "your unauthenticated role ARN here"
    }
}
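As an added example (my own script, not part of the answer above), the following Node.js code checks the two things the answer lists: that the pool has both an authenticated and an unauthenticated role attached, and that each role's trust policy actually lets identities from this pool assume it. It takes the JSON printed by aws cognito-identity get-identity-pool-roles and by aws iam get-role (the AssumeRolePolicyDocument field); the pool id, role ARNs and trust policies used below are constructed sample values.

```javascript
// Added example (not from the answer above). Audits an identity pool the way
// the Amplify import expects: both roles attached, and each role's trust policy
// scoped to this pool. Inputs are the JSON that these commands print:
//   aws cognito-identity get-identity-pool-roles --identity-pool-id <id>
//   aws iam get-role --role-name <name>   (the AssumeRolePolicyDocument field)
// All ids, ARNs and policies here are constructed sample values.

const SAMPLE_POOL_ID = 'eu-west-1:00000000-0000-0000-0000-000000000000';

// Constructed sample of get-identity-pool-roles output with both roles attached.
const SAMPLE_POOL_ROLES = {
  IdentityPoolId: SAMPLE_POOL_ID,
  Roles: {
    authenticated: 'arn:aws:iam::123456789012:role/sample-auth-role',
    unauthenticated: 'arn:aws:iam::123456789012:role/sample-unauth-role',
  },
};

// Constructed sample trust policy in the shape the Cognito console generates
// for a pool role; amr is 'authenticated' or 'unauthenticated'.
function sampleTrustPolicy(poolId, amr) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': poolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': amr },
      },
    }],
  };
}

// IAM policy fields may be a single value or an array; normalise to an array.
const asList = (v) => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

// True if one Allow statement lets Cognito identities from exactly this pool,
// with the given amr, assume the role. A policy without the aud condition would
// let any identity pool in any account assume the role, so it is rejected.
function trustPolicyAllowsPool(policy, poolId, amr) {
  return asList(policy.Statement).some((s) => {
    if (s.Effect !== 'Allow') return false;
    const federated = asList(s.Principal && s.Principal.Federated);
    if (!federated.includes('cognito-identity.amazonaws.com')) return false;
    if (!asList(s.Action).includes('sts:AssumeRoleWithWebIdentity')) return false;
    const cond = s.Condition || {};
    const aud = (cond.StringEquals || {})['cognito-identity.amazonaws.com:aud'];
    if (aud !== poolId) return false;
    const amrs = asList((cond['ForAnyValue:StringLike'] || {})['cognito-identity.amazonaws.com:amr']);
    return amrs.includes(amr);
  });
}

// trustPolicies maps role ARN -> parsed AssumeRolePolicyDocument.
// Returns a list of problems; an empty list means the pool should import cleanly.
function auditIdentityPool(poolRoles, trustPolicies) {
  const problems = [];
  const roles = poolRoles.Roles || {};
  for (const kind of ['authenticated', 'unauthenticated']) {
    const arn = roles[kind];
    if (!arn) { problems.push(`missing ${kind} role`); continue; }
    const policy = trustPolicies[arn];
    if (!policy) { problems.push(`no trust policy supplied for ${arn}`); continue; }
    if (!trustPolicyAllowsPool(policy, poolRoles.IdentityPoolId, kind)) {
      problems.push(`${kind} role ${arn} is not trusted by pool ${poolRoles.IdentityPoolId} for amr=${kind}`);
    }
  }
  return problems;
}

// Stand-alone run over the constructed samples.
const SAMPLE_TRUST = {
  [SAMPLE_POOL_ROLES.Roles.authenticated]: sampleTrustPolicy(SAMPLE_POOL_ID, 'authenticated'),
  [SAMPLE_POOL_ROLES.Roles.unauthenticated]: sampleTrustPolicy(SAMPLE_POOL_ID, 'unauthenticated'),
};
console.log(auditIdentityPool(SAMPLE_POOL_ROLES, SAMPLE_TRUST)); // []
```

To run it against a real pool, replace the sample objects with JSON.parse of the two CLI outputs. The aud check is deliberate: a trust policy that names cognito-identity.amazonaws.com but omits the cognito-identity.amazonaws.com:aud condition is assumable from any identity pool, which is a much wider trust than the import requires.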
Does AWS CLI cognito-idp initiate-auth support the USER_PASSWORD_AUTH flow for federated users from an external IdP (SAML provider)?
When I try to run initiate-auth, I get the errors below.
aws cognito-idp initiate-auth --region us-east-1 --auth-flow USER_PASSWORD_AUTH --client-id <my_client_id> --auth-parameters USERNAME=<username>,PASSWORD=<password>
An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: User is not authorized to get auth details.
As a debugging step, I created a local user in the userpool, and using that I am able to get an AuthenticationResult back.
Also, the username and password work with a browser flow. (It redirects to my app url with the code) when triggered from the Launch Hosted UI link.
Am I missing something in the configuration?
Most likely, USER_PASSWORD_AUTH is disabled for federated users. Federated users have their Confirmation status set to External Provider, and these users can only log in using the third-party identity provider.
The problem may be solved using Account linking.
Documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html
I want to know if initiate-auth is supported for federated users but for CUSTOM_AUTHENTICATION. My research so far shows that this is not possible.
I used the command below to authenticate in the macOS terminal:
gcloud auth login
It redirects to the Google login page and shows that the authentication process was successful.
While using the command
gsutil -i fetebird-storage@fetebird.iam.gserviceaccount.com ls
I am getting this exception:
AccessDeniedException: Service account impersonation failed. Please go to the Google Cloud Platform Console (https://cloud.google.com/console), select IAM & admin, then Service Accounts, and grant your originating account the Service Account Token Creator role on the target service account.
However, in the cloud I have given the permission, as shown below:
(image: Auth List)
The currently logged-in user (fetebird@gmail.com) must have the Service Account Access Token Creator role.
You might think the owner role would be sufficient; however, when I tested this myself, it had to be explicitly added to the account that is impersonating the service account.
https://cloud.google.com/iam/docs/service-accounts#token-creator-role
We have a User Pool set up in AWS Cognito for which we have also set up Azure AD as a SAML Identity provider for one of the app clients
The authentication flow works as expected via the Hosted UI of this app client, with redirection to the IdP for authentication and generation of token following successful authentication against the IdP and redirection back to Cognito.
For app clients that are not using an Identity Provider we are able to use the InitiateAuth action (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) with an AuthFlow of USER_PASSWORD_AUTH to allow users to authenticate and obtain tokens.
However, when we try to use the InitiateAuth action with the app client that is configured with the IdP, using the username automatically created by Cognito in the user pool (which by default is <IdentityProviderName>_<UsernameOfUserOnIdP>, e.g. AzureAD_matthew@domain.com) and the same USER_PASSWORD_AUTH AuthFlow, we get a NotAuthorizedException. So the following request:
{
    "AuthParameters": {
        "USERNAME": "AzureAD_matthew@domain.com",
        "PASSWORD": "XXXXXX"
    },
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "XXXXXXXXX"
}
is giving us this response:
{
    "__type": "NotAuthorizedException",
    "message": "Incorrect username or password."
}
Is it possible to use the InitiateAuth action for app clients that are linked to a SAML identity provider?
Thanks
In my React Native App I am using API Keys with AWS AppSync and I want to move to using Cognito or IAM but with no user sign in.
My React Native app just uses AWS AppSync to read from and write to DynamoDB.
I initially set up the app to use API keys as it was easier to understand and I'm now attempting to transition to using AWS Cognito or IAM.
To do this in my AWS Console I changed the "Appsync->MyAppAPI->Settings->Default authorisation mode"/"API-level" from "API key" to "AWS Identity and Access Management (IAM)".
I then created an Identity Pool and allowed "Enable access to unauthenticated identities".
My aws-exports file is
// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.
const awsmobile = {
    "aws_appsync_graphqlEndpoint": "https://xxxxx.appsync-api.eu-west-x.amazonaws.com/graphql",
    "aws_appsync_region": "eu-west-X",
    "aws_appsync_authenticationType": "AWS_IAM",
    "aws_appsync_apiKey": "xxx-xxxxxxxxxxxxxxxxxxxxxxxxxx",
};
export default awsmobile;
In my App.js file I have attempted to get the identityPoolId to be used and I have created this:
Amplify.configure({
    url: config.aws_appsync_graphqlEndpoint,
    region: config.aws_appsync_region,
    auth: {
        type: config.aws_appsync_authenticationType,
        apiKey: config.aws_appsync_apiKey,
        region: 'eu-west-x',
        identityPoolId: 'eu-west-x:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    }
})
When I use the app to read from DynamoDB I get this error:
[WARN] 04:51.835 API - ensure credentials error, No Cognito Federated Identity pool provided
I then went back to the Cognito Manage Identity Pool page and changed my identity pool to use Cognito as an authentication source and provided a User Pool ID and an App client id. But I still get the same error.
I am fundamentally misunderstanding something; could you offer any insight?
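As an added example (my own code, not the question's and not Amplify's), the following shows the configuration shape that Amplify's Auth category reads for an AppSync API in AWS_IAM mode backed by an identity pool with unauthenticated identities enabled, next to a pre-flight check that flags the kind of object in the question before Amplify.configure() is called. It assumes the Amplify JavaScript library v4/v5 configuration format (Auth: { identityPoolId, region, mandatorySignIn }); the endpoint, region, pool id and API key are placeholders.

```javascript
// Added example, not the question's code. Assumes the Amplify JS v4/v5 config
// format. Endpoint, region, identity pool id and API key are placeholders.

// The shape from the question: url / region / auth{type,...} is the option
// object of the AWSAppSyncClient SDK, not what Amplify.configure() reads, so
// Amplify never learns about the identity pool and reports
// "No Cognito Federated Identity pool provided".
const MISCONFIGURED = {
  url: 'https://xxxxx.appsync-api.eu-west-1.amazonaws.com/graphql',
  region: 'eu-west-1',
  auth: { type: 'AWS_IAM', identityPoolId: 'eu-west-1:00000000-0000-0000-0000-000000000000' },
};

// Build the Amplify config: the aws-exports values plus an Auth block naming the
// identity pool. mandatorySignIn: false lets guests receive the unauthenticated
// role's credentials. The API key is dropped because it is unused under AWS_IAM.
function buildAmplifyConfig(awsExports, identityPoolId, identityPoolRegion) {
  const { aws_appsync_apiKey, ...exportsWithoutKey } = awsExports;
  return {
    ...exportsWithoutKey,
    aws_appsync_authenticationType: 'AWS_IAM',
    Auth: { identityPoolId, region: identityPoolRegion, mandatorySignIn: false },
  };
}

// Pre-flight check: returns the problems found; an empty list means the config
// is coherent for the selected authorization mode.
function validateAppSyncAuthConfig(config) {
  const problems = [];
  if (!config.aws_appsync_graphqlEndpoint) {
    problems.push('aws_appsync_graphqlEndpoint missing (a top-level url is not read by Amplify.configure)');
  }
  const mode = config.aws_appsync_authenticationType;
  if (mode === 'AWS_IAM') {
    const auth = config.Auth || {};
    if (!auth.identityPoolId) {
      problems.push('AWS_IAM needs Auth.identityPoolId; Amplify reports "No Cognito Federated Identity pool provided" without it');
    }
    if (!auth.region) problems.push('AWS_IAM needs Auth.region');
    if (auth.identityPoolId && auth.region && !auth.identityPoolId.startsWith(auth.region + ':')) {
      problems.push('Auth.identityPoolId belongs to a different region than Auth.region');
    }
    if (config.aws_appsync_apiKey) {
      problems.push('aws_appsync_apiKey is still present; remove (and rotate) the key so the client bundle does not ship an unused credential');
    }
  } else if (mode === 'API_KEY') {
    if (!config.aws_appsync_apiKey) problems.push('API_KEY mode needs aws_appsync_apiKey');
  } else if (!mode) {
    problems.push('aws_appsync_authenticationType missing');
  }
  return problems;
}

// Constructed aws-exports resembling the question's, then the corrected config.
const SAMPLE_EXPORTS = {
  aws_appsync_graphqlEndpoint: 'https://xxxxx.appsync-api.eu-west-1.amazonaws.com/graphql',
  aws_appsync_region: 'eu-west-1',
  aws_appsync_authenticationType: 'AWS_IAM',
  aws_appsync_apiKey: 'xxx-placeholder',
};
const FIXED = buildAmplifyConfig(SAMPLE_EXPORTS, 'eu-west-1:00000000-0000-0000-0000-000000000000', 'eu-west-1');

console.log(validateAppSyncAuthConfig(MISCONFIGURED)); // two problems
console.log(validateAppSyncAuthConfig(FIXED));         // []
// In the app: if (validateAppSyncAuthConfig(FIXED).length === 0) Amplify.configure(FIXED);
```

The identity pool itself still needs an unauthenticated role whose policy allows appsync:GraphQL on the API for the guest path to work; the check above only covers the client-side configuration.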