5
votes

I am using the AWS Amplify library with MobileHub.

I have a Cognito User Pool connected, and an API Gateway (which communicates with Lambda functions). I'd like my users to sign before accessing resources, so I've enabled "mandatory sign-in" in MobileHub User Sign-In page, and the Cloud Logic page.

Authentication works fine, but when I send a GET request to my API, I receive this error:

"[WARN] 46:22.756 API - ensure credentials error": "cannot get guest credentials when mandatory signin enabled"

I understand that Amplify generates guest credentials, and has put these in my GET request. Since I've enabled "mandatory signin", this doesn't work.

But why is it use guest credentials? I've signed in -- shouldn't it use those credentials? How do I use the authenticated user's information?

Cheers.

EDIT: Here is the code from the Lambda function:

lambda function:

import { success, failure } from '../lib/response';
import * as dynamoDb from '../lib/dynamodb';

export const main = async (event, context, callback) => {
    const params = {
        TableName: 'chatrooms',
        Key: {
            user_id: 'user-abc', //event.pathParameters.user_id,
            chatroom_id: 'chatroom-abc',
        }
    };

    try {
        const result = await dynamoDb.call('get', params);
        if (result.Item) { 
            return callback(null, success(result.Item, 'Item found'));
        } else {
            return callback(null, failure({ status: false }, 'Item not found.'));
        }
    } catch (err) {
        console.log(err);
        return callback(null, failure({ status: false }), err);
    }
}

And these small helper functions:

response.js:

export const success = (body, message) => buildResponse(200, body, message)
export const failure = (body, message) => buildResponse(500, body, message)

const buildResponse = (statusCode, body, message=null) => ({
    statusCode: statusCode,
    headers: {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": true
    },
    body: JSON.stringify({
        ...body,
        message: message
    })
});

dynamodb.js:

import AWS from 'aws-sdk';

AWS.config.update({ region: 'ap-southeast-2' });

export const call = (action, params) => {
    const dynamoDb = new AWS.DynamoDB.DocumentClient();
    return dynamoDb[action](params).promise();
}
4
Can you post some code of the API gateway call?Victor 'Chris' Cabral
I've updated the main post. Some details are hard-coded for debugging. Does AWS require the response to be in a format that I'm not complying to?haz
I would guess that were not authenticated before (even if you thought you were) and when you turned on mandatory authentication you discovered that your API calls were never authenticated. github.com/aws/aws-amplify/blob/master/packages/aws-amplify/src/…Victor 'Chris' Cabral
How can I ensure I authenticate? I run Auth.signIn('username', 'password') and I seem to receive the correct object (No errors or anything). Is there another sign-in method I should be performing?haz
I see. There seems to be some options posted here github.com/aws/aws-amplify/issues/432Victor 'Chris' Cabral

4 Answers

2
votes

I'm following the guide "serverless-stack" and was prompt with the same warning message, I was logging in correctly and logging out correctly and did not understand why the warning message. In my case, in the Amplify.configure I skip to add the identity pool id, and that was the problem, User pools and federated identities are not the same.

(English is not my native language)

1
votes

Have you tried checking why your SignIn request is being rejected/error prone?

Auth.signIn(username, password)
    .then(user => console.log(user))
    .catch(err => console.log(err));

// If MFA is enabled, confirm user signing 
// `user` : Return object from Auth.signIn()
// `code` : Confirmation code  
// `mfaType` : MFA Type e.g. SMS, TOTP.
Auth.confirmSignIn(user, code, mfaType)
    .then(data => console.log(data))
    .catch(err => console.log(err));

You can try this, then it would be easier for you to debug.

0
votes

From the suggestions on the aws-amplify issues tracker, add an anonymous user to your cognito user pool and hard code the password in your app. Seems like there are other options but this is the simplest in my opinion.

0
votes

You have to use your credentials at each request to use AWS Services : (sample code angular)

SignIn :

import Amplify from 'aws-amplify';
import Auth from '@aws-amplify/auth';

 Amplify.configure({
      Auth: {
        region: ****,
        userPoolId: *****,
        userPoolWebClientId: ******,
      }
    });

//sign in

Auth.signIn(email, password)

Request

import Auth from '@aws-amplify/auth';

from(Auth.currentCredentials())
   .pipe(
      map(credentials => {
        const documentClient = new AWS.DynamoDB.DocumentClient({
          apiVersion: '2012-08-10',
          region: *****,
          credentials: Auth.essentialCredentials(credentials)
       });

       return documentClient.query(params).promise()

      }),
      flatMap(data => {
          return data
       })
)