I am not able to get verification codes (SMS) on the mobile app. I deleted the role. I tried recreating the role in Cognito but it doesn't give any option to do so.
Error response while I create a new user:
"Role does not have trust relationship allowing cognito to assume the role"
On saving the verification settings on my Cognito (with the previous role ARN stuck in there) it says "Your roles are still being created"
Error while saving verification changes
I too faced the same issue. Let me share the method with which I solved it. It is not the optimal method, I think, but I hope it helps:
1) I had another Cognito user pool in which I hadn't created the SMS role, and under that user pool I created the SMS role with the same name as the SMS role I deleted (just to let AWS create the roles and policy by itself, and because I am lazy ;-)).
2) Under the newly created SMS role's trust relationship condition, I substituted the externalID with my main user pool's externalID.
You can get the externalID using the AWS CLI:
aws cognito-idp describe-user-pool --user-pool-id <user-pool-id>
Or you can create an SMS service role with the same name, attach the SNS write policy to it, and create a trust relationship with your Cognito user pool to let it assume the role.
Hope it helps. Cheers.
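The trust relationship the answer above rewires, as an added example that is not part of the original answer: it builds the trust policy an SMS role needs (cognito-idp may assume it only with the user pool's external ID) and checks an existing trust policy against a given external ID, reporting the mismatch that produces the "Role does not have trust relationship allowing cognito to assume the role" error. The external ID values are constructed placeholders.

```python
import json

COGNITO_SERVICE = "cognito-idp.amazonaws.com"


def sms_role_trust_policy(external_id: str) -> dict:
    """Trust policy for an SMS role: cognito-idp may assume it only when it
    presents this user pool's external ID (the value returned by
    `aws cognito-idp describe-user-pool` under SmsConfiguration.ExternalId)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value or [])


def cognito_can_assume(trust_policy: dict, external_id: str) -> tuple:
    """Return (allowed, finding) for the given user pool external ID.

    A statement whose sts:ExternalId was copied from another user pool is
    exactly the case the answer above fixes by hand."""
    finding = "no statement lets %s call sts:AssumeRole" % COGNITO_SERVICE
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if COGNITO_SERVICE not in services or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if stmt.get("Effect") == "Deny":
            # Conservative: any Deny naming cognito-idp is treated as blocking.
            return False, "explicit Deny for cognito-idp"
        expected = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not expected:
            # Cognito can assume the role, but so could any other user pool.
            return True, "allowed, but no sts:ExternalId condition (any user pool may assume)"
        if external_id in expected:
            return True, "ok"
        finding = "sts:ExternalId is %s, user pool external ID is %s" % (expected, external_id)
    return False, finding


if __name__ == "__main__":
    # Constructed placeholder; use the value from describe-user-pool instead.
    print(json.dumps(sms_role_trust_policy("EXAMPLE-EXTERNAL-ID"), indent=2))
```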
I have the following issue with AWS Cognito using AWS SES for sending emails:
I configured Cognito with SES using CDK, but I read in the documentation that the "Service-linked role permissions" are required:
Using Service-Linked Roles for Amazon Cognito
All the other AWS documentation about this topic was also not helpful for me.
Now I'm not sure how I should add this role permission. I have a configured permission boundary, but I don't have this role there.
My question:
Do I need to add this in the Permission Boundary or via CDK using IAM, and if I have to do this with CDK which method?
Thanks in advance!
I found the solution myself:
The "Service-linked role permissions" have to be configured in SES itself and not in Cognito (or elsewhere).
Therefore go to
AWS SES / Section: Identity Management
Domains or Email Addresses
Click on your entry and expand Identity Policies
Create Policy for:
Service: "email.cognito-idp.amazonaws.com"
Allow Actions: "ses:SendEmail", "ses:SendRawEmail"
I have a problem when creating a role: I am getting an error that says "Cannot attach a Service Role Policy to a Customer Role".
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well, and the reason was that my role had custom inline policies attached. If a role has custom attached (inline) policies, AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.
Following this article to set up Cognito auth for AWS Elasticsearch:
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
Getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Does anybody know why I could get it?
The crucial missing part was the following:
Navigate to the Elasticsearch domain on your AWS Elasticsearch console page.
After this, click on the "Actions" button -> "Modify master user".
Then select "Set IAM ARN as master user" and in the "IAM ARN" field add the IAM role ARN "arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group>".
Click Submit.
If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively, you can configure the master user role to be the same as the Cognito Authenticated role ARN.
I was wondering if someone could tell me what policy I need to attach to authorize myself for the BrowseNodeLookup operation on the Amazon Product Advertising API. Somehow I can't seem to find any information on this, and for all my requests I receive
[Code] => UnauthorizedOperation
[Message] => Your AccessKeyId is not authorized to perform this operation. Please check IAM policies for the Access Key.
So I would very much appreciate a little pointer here.
Thanks in advance.
"The Product Advertising API does not support IAM roles. You must use the root account credentials." (Source)
If you are using an IAM user you must use the root account credentials instead. (So there is no IAM policy for BrowseNodeLookup - relevant thread on AWS support forums.)
The documentation for IAM states that the Resource property for AttachUserPolicy and DetachUserPolicy should be set to the user principal the managed policy will be attached to. While the documentation for iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy is not as detailed, the error message
AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE/CognitoIdentityCredentials is not authorized to perform: iot:AttachPrincipalPolicy on resource: COGNITO_ID
leads me to believe it expects an ARN for a Cognito identity or identity pool. However, specifying the ARNs shown in the Cognito documentation results in the same error. Cognito identity ARNs also fail validation in the policy generator.
What resource should I specify so that iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy are permitted to attach/detach IoT policies on a Cognito identity?
Using Cognito identities with AWS IoT has two slightly different paths. Cognito identity pools support identities which are either unauthenticated (any agent can get credentials) or authenticated (users tied to a provider like Cognito User Pools, Facebook, OpenID, etc). AWS IoT supports both cases when using Cognito to get credentials.
When using the unauthenticated case, you must attach a policy to the cognito_unauth_role that gets created with your Cognito identity pool. The Identity and Access Management (IAM) console is where you attach a policy to this role. To get started, try attaching the managed policy "AWSIoTDataAccess". Then your unauthenticated Cognito IDs can get credentials (access key, secret key, session token) which are passed to AWS IoT to establish a connection.
When using the authenticated case, you must attach a policy to the cognito_auth_role that gets created with your Cognito identity pool AND the Cognito ID which is created for each authenticated entity. The AWS IoT API AttachPrincipalPolicy is what you use to attach an AWS IoT policy to the Cognito ID. The format of that API call in the CLI would be like: aws iot attach-principal-policy --policy-name myPolicy --principal us-east-1:abcd1234-5678-1234-abcd1234efgh. The principal in this case is the Cognito ID of the authenticated entity. Only with both policies in place will the credentials returned by Cognito work to make connections to AWS IoT.