AWS Cognito Invalid identity pool configuration

I am using the AWS JavaScript API and trying to get the assigned cognito id:

AWS.config.credentials.get(function(err) {
    if (!err) {
        console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
    }
});

Why does this result in a 400 error with the message below?

{"__type":"InvalidIdentityPoolConfigurationException","message":"Invalid identity pool configuration. Check assigned IAM roles for this pool."}

I have IAM roles configured for authenticated and non-authenticated users.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
        ],
        "Effect": "Allow",
        "Resource": [
            "*"
        ]
    }]
}

Solution 1:

The most common reason for this error is your roles aren't set up to trust your identity pool. You should confirm that the identity pool id listed in your trust relationships matches the identity pool you are using.

More info on trust relationships in Amazon Cognito can be found in our developer guide.

Solution 2:

After some digging I realized that you must add the RoleArn and AccountId to your credentials.

Even though most of the documentation out there mentions this as being enough:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxxxx',
});

This was not enough.

I had to do this:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxx',
    RoleArn: 'arn:aws:iam::xxxxx:role/Cognito_xxxxUsersUnauth_Role',
    AccountId: 'xxxxxxxxx', // your AWS account ID
});

You must mention the ARN of your Role for your identity pool.

The only doc that mentions it right is this one.

The wrong ones:

  • http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/browser-configuring.html

  • https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication

  • https://blogs.aws.amazon.com/javascript/post/TxTUNTVES4AL15/Authentication-in-the-Browser-with-Amazon-Cognito-and-Public-Identity-Providers

Maybe I'm missing something but this is certainly confusing.

Solution 3:

Check the "Trust Relationship" section of the role that is assigned to your Identity Pool for authenticated users. Make sure you have policies defining access to your Cognito pool.

The easiest way to get the required policy statements is:

  1. Edit the pool
  2. Create new role for identity pool
  3. In IAM edit this role to copy the policy statements
  4. Add these Trust Relationships to your required existing role
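Solution 1 and Solution 3 both come down to the same check: the role's trust relationship must name the identity pool you are actually using. The following is an added example, not code from the question or from any of the answers, that performs that check offline on a trust policy document. It looks for the same things Cognito evaluates when it calls sts:AssumeRoleWithWebIdentity on your behalf: an Allow statement whose Principal is cognito-identity.amazonaws.com, a StringEquals condition on cognito-identity.amazonaws.com:aud equal to the pool id, and a ForAnyValue:StringLike condition on cognito-identity.amazonaws.com:amr matching "authenticated" or "unauthenticated". The function name, the pool ids and the three sample policies are constructed for illustration.

```javascript
// Added example: static check of an IAM role trust policy against the
// Cognito identity pool it is meant to serve. Not from the original
// question or answers; function names and sample values are constructed.

const COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com";
const AUD_KEY = "cognito-identity.amazonaws.com:aud";
const AMR_KEY = "cognito-identity.amazonaws.com:amr";

// IAM allows most policy fields to be a single string or an array.
function asArray(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Findings for one statement; an empty list means this statement alone
// lets the given pool assume the role for the given role type.
function checkStatement(s, identityPoolId, roleType) {
  const findings = [];
  const cond = s.Condition || {};
  const aud = asArray((cond.StringEquals || {})[AUD_KEY]);
  if (aud.length === 0) {
    // Without the aud condition any identity pool in any account could assume the role.
    findings.push(`no StringEquals condition on ${AUD_KEY}`);
  } else if (!aud.includes(identityPoolId)) {
    // The "role copied from another pool" case described in Solution 1.
    findings.push(`trusted pool id(s) ${JSON.stringify(aud)} do not match ${identityPoolId}`);
  }
  const amr = asArray((cond["ForAnyValue:StringLike"] || {})[AMR_KEY]);
  if (amr.length === 0) {
    findings.push(`no ForAnyValue:StringLike condition on ${AMR_KEY}`);
  } else if (!amr.includes(roleType)) {
    findings.push(`amr condition ${JSON.stringify(amr)} does not include "${roleType}"`);
  }
  return findings;
}

// Returns [] when at least one statement fully trusts the pool for roleType
// ("authenticated" or "unauthenticated"); otherwise every finding collected.
function checkCognitoTrustPolicy(policy, identityPoolId, roleType) {
  const candidates = asArray(policy.Statement).filter(s =>
    s.Effect === "Allow" &&
    asArray(s.Action).includes("sts:AssumeRoleWithWebIdentity") &&
    s.Principal !== undefined &&
    asArray(s.Principal.Federated).includes(COGNITO_PRINCIPAL));
  if (candidates.length === 0) {
    return [`no Allow statement lets ${COGNITO_PRINCIPAL} call sts:AssumeRoleWithWebIdentity`];
  }
  const perStatement = candidates.map(s => checkStatement(s, identityPoolId, roleType));
  if (perStatement.some(f => f.length === 0)) return [];
  return perStatement.flat();
}

// Constructed sample pool id (placeholder, not a real pool).
const POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";

// Constructed sample: the shape of the trust policy the Cognito console
// generates for an unauthenticated role.
const goodTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: COGNITO_PRINCIPAL },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: {
      StringEquals: { [AUD_KEY]: POOL_ID },
      "ForAnyValue:StringLike": { [AMR_KEY]: "unauthenticated" }
    }
  }]
};

// Constructed sample: same role reused from a different pool (Solution 1's case).
const stalePoolTrustPolicy = JSON.parse(JSON.stringify(goodTrustPolicy));
stalePoolTrustPolicy.Statement[0].Condition.StringEquals[AUD_KEY] =
  "us-east-1:11111111-1111-1111-1111-111111111111";

// Constructed sample: the question's permission policy mistaken for a trust
// policy; it grants API permissions but trusts no principal at all.
const permissionsOnlyPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Action: ["mobileanalytics:PutEvents", "cognito-sync:*"],
    Effect: "Allow",
    Resource: ["*"]
  }]
};

function report(roleType) {
  const out = {};
  for (const [name, p] of Object.entries({ goodTrustPolicy, stalePoolTrustPolicy, permissionsOnlyPolicy })) {
    out[name] = checkCognitoTrustPolicy(p, POOL_ID, roleType);
  }
  return out;
}

for (const [name, findings] of Object.entries(report("unauthenticated"))) {
  console.log(`${name}: ${findings.length ? findings.join("; ") : "OK"}`);
}
```

To use it on a real role, paste the JSON from the role's "Trust relationships" tab into the policy argument and the pool id from the Cognito console into the second; a non-empty result is the usual cause of InvalidIdentityPoolConfigurationException. The permission policy shown in the question is a separate document attached to the role and is not what this check reads.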