
In an identity pool in AWS Cognito I am trying to make users assume an IAM role based on the group that they belong to in a user pool. Whenever I select Edit Identity Pool > Authentication Providers > "Choose Role From Token" and then click Save Changes, I get a banner at the top of my screen saying the changes were saved successfully, but if I go back and look at the settings they have returned to "Use Default Role" instead of "Choose Role From Token". Is this a bug, do I have something configured wrong where that is an invalid option, or is it another potential issue?

[Image: the settings I select and want to take effect]

[Image: the state it is currently in and what it returns to after I press Save Changes]

3 Answers

AWS CLI command for setting the identity pool role with the option "Choose Role From Token" (the role mapping is passed in the CLI's shorthand syntax; the whole `--role-mappings` value is single-quoted so the shell does not strip the braces):

    aws cognito-identity set-identity-pool-roles \
      --identity-pool-id "<IDENTITY POOL ID>" \
      --roles authenticated="<Auth IAM Role ARN>",unauthenticated="<UnAuth IAM Role ARN>" \
      --role-mappings 'cognito-idp.<AWS REGION>.amazonaws.com/<USER POOL ID>:<APP CLIENT ID>={Type=Token,AmbiguousRoleResolution=Deny}'
I am confident that this must be a bug with the AWS web console and not a fault of my own. After troubleshooting as much as I could, I set up the AWS CLI and ran the necessary commands from there, and it worked on the first try. After revisiting the page in the AWS web console the changes were reflected properly, and my authentication now works properly.

Comments:
  • Hi, can you please share which command in the CLI you used for "Choose Role From Token"? I cannot find it in the CLI "update-identity-pool" subcommand. Thanks! Commented Nov 17, 2020 at 6:20
  • Unfortunately, I did not save my exact command to my shell history, but here is the documentation that I used to create the command. docs.aws.amazon.com/cli/latest/reference/cognito-identity/… – Riley M. Commented Nov 18, 2020 at 5:13
I had the same problem with the UI. Thanks for this post; I tried the CLI.

identity_roles.json:

    {
        "IdentityPoolId": "us-east-1:pool_id",
        "Roles": {
            "unauthenticated": "arn:aws:iam::account_id:role/UnAuthDefaultRole",
            "authenticated": "arn:aws:iam::account_id:role/AuthDefaultRole"
        },
        "RoleMappings": {
            "cognito-idp.us-east-1.amazonaws.com/user-pool-id:app-id": {
                "Type": "Token",
                "AmbiguousRoleResolution": "AuthenticatedRole"
            }
        }
    }

Check the current state, then apply the file (the `file://` path is relative to the working directory):

    aws cognito-identity get-identity-pool-roles --identity-pool-id us-east-1:identity_pool_id

    aws cognito-identity set-identity-pool-roles --cli-input-json file://identity_roles.json
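The two CLI answers above both come down to writing a `RoleMappings` entry of `Type` `"Token"` keyed by the user-pool provider name, and then trusting that it stuck. The following is an added example (not code from either answer or from AWS) that builds that `--cli-input-json` document from its parts, rejects an invalid `AmbiguousRoleResolution` value, and checks a `get-identity-pool-roles` response for the mapping so you can confirm the pool is no longer on "Use Default Role". All ids, ARNs, the region and the sample responses are placeholders constructed here; nothing calls AWS.

```python
"""Build the set-identity-pool-roles input for a "Choose Role From Token"
mapping and verify a get-identity-pool-roles response shows it.

Added example; identifiers below are placeholders, and the sample API
responses are constructed, not captured from an account.
"""
import json

# Values the API accepts for AmbiguousRoleResolution.
# "Deny": GetCredentialsForIdentity fails when the token lists several
#         roles in cognito:roles and carries no cognito:preferred_role.
# "AuthenticatedRole": that same case silently falls back to the default
#         authenticated role, so the group-based restriction is lost.
AMBIGUOUS_RESOLUTIONS = ("AuthenticatedRole", "Deny")

# Placeholder identifiers (assumptions, not real resources).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleappclientid"
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
AUTH_ROLE_ARN = "arn:aws:iam::123456789012:role/AuthDefaultRole"
UNAUTH_ROLE_ARN = "arn:aws:iam::123456789012:role/UnAuthDefaultRole"


def provider_name(region: str, user_pool_id: str, app_client_id: str) -> str:
    """RoleMappings key: the user-pool provider name plus ':' and the app client id."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}:{app_client_id}"


PROVIDER = provider_name(REGION, USER_POOL_ID, APP_CLIENT_ID)


def build_set_roles_input(identity_pool_id: str, auth_role_arn: str,
                          unauth_role_arn: str, region: str, user_pool_id: str,
                          app_client_id: str, ambiguous: str = "Deny") -> dict:
    """Document for `set-identity-pool-roles --cli-input-json` with a Token mapping."""
    if ambiguous not in AMBIGUOUS_RESOLUTIONS:
        raise ValueError(
            f"AmbiguousRoleResolution must be one of {AMBIGUOUS_RESOLUTIONS}")
    for arn in (auth_role_arn, unauth_role_arn):
        if not arn.startswith("arn:aws:iam::") or ":role/" not in arn:
            raise ValueError(f"not an IAM role ARN: {arn}")
    return {
        "IdentityPoolId": identity_pool_id,
        "Roles": {"authenticated": auth_role_arn,
                  "unauthenticated": unauth_role_arn},
        "RoleMappings": {
            provider_name(region, user_pool_id, app_client_id): {
                "Type": "Token",
                "AmbiguousRoleResolution": ambiguous,
            }
        },
    }


def token_mapping_active(get_roles_output: dict, provider: str) -> bool:
    """True only if the get-identity-pool-roles output has a Type "Token"
    mapping for this provider. No RoleMappings entry at all means the pool is
    still on "Use Default Role", the state the console kept reverting to."""
    mapping = get_roles_output.get("RoleMappings", {}).get(provider)
    return mapping is not None and mapping.get("Type") == "Token"


def write_cli_input(path: str, doc: dict) -> str:
    """Write the document so it can be passed as --cli-input-json file://<path>."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=4)
    return path


# Constructed sample: what get-identity-pool-roles returns while the console
# keeps reverting to "Use Default Role" (no RoleMappings at all).
BEFORE_FIX = {
    "IdentityPoolId": IDENTITY_POOL_ID,
    "Roles": {"authenticated": AUTH_ROLE_ARN, "unauthenticated": UNAUTH_ROLE_ARN},
}

# Constructed sample: the same call after set-identity-pool-roles succeeded.
AFTER_FIX = dict(BEFORE_FIX, RoleMappings={
    PROVIDER: {"Type": "Token", "AmbiguousRoleResolution": "Deny"}})


if __name__ == "__main__":
    doc = build_set_roles_input(IDENTITY_POOL_ID, AUTH_ROLE_ARN, UNAUTH_ROLE_ARN,
                                REGION, USER_POOL_ID, APP_CLIENT_ID)
    print("wrote", write_cli_input("identity_roles.json", doc))
    print("before fix, token mapping active:",
          token_mapping_active(BEFORE_FIX, PROVIDER))
    print("after fix,  token mapping active:",
          token_mapping_active(AFTER_FIX, PROVIDER))
```

Run it, then `aws cognito-identity set-identity-pool-roles --cli-input-json file://identity_roles.json` and feed the JSON from `aws cognito-identity get-identity-pool-roles --identity-pool-id <id>` to `token_mapping_active` (via `json.load`) to confirm the change held. The default here is `Deny` rather than the `AuthenticatedRole` used in the answer above: with `AuthenticatedRole`, a user whose token names several roles and no preferred role quietly gets the default authenticated role, which is the permission set you were trying to narrow.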
