0
votes

My company has an Amplify project with 2 different environments (prod, dev) with Cognito and some lambdas and APIs. Everything was working fine until I tried to do an amplify push command to update one lambda function. Here is the error from CloudFormation on the AWS dashboard:

Invalid principal in policy: "SERVICE":"cognito-.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 169462d5-58fb-40af-9c2d-69178442ecd6)

And here's the error from the amplify push output:

UPDATE_FAILED SNSRole
AWS::IAM::Role Thu Jan 30 2020 13:46:08 GMT-0200 (Brasilia Summer Time) Invalid principal in policy: "SERVICE":"cognito-.amazonaws.com" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 56f492a2-c40e-4827-8c53-07cdf44bc780)

As you can see, there is an error with the CloudFormation file of Cognito, but here's the current SNSRole configuration:

  # BEGIN SNS ROLE RESOURCE
  SNSRole: 
  # Created to allow the UserPool SMS Config to publish via the Simple Notification Service during MFA Process
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref roleName
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - Sid: ""
            Effect: "Allow"
            Principal: 
              Service: "cognito-idp.amazonaws.com"
            Action: 
              - "sts:AssumeRole"
            Condition: 
              StringEquals:
                sts:ExternalId: !Ref roleExternalId
      Policies: 
        - 
          PolicyName: !Ref policyName
          PolicyDocument: 
            Version: "2012-10-17"
            Statement: 
              - 
                Effect: "Allow"
                Action: 
                  - "sns:Publish"
                Resource: "*"
1
Did you run 'amplify auth update' or manually edit the IAM role by any chance? You can use the command 'amplify env pull --restore' (the restore flag) to overwrite your local backend configs with those in the cloud. Otherwise, if you are still facing this issue, feel free to contact the Amplify team here: github.com/aws-amplify/amplify-cli/issues
syumaK

There is something about the error that looks off to me. It says Invalid principal in policy: "SERVICE":"cognito-.amazonaws.com", but it should be cognito-idp.amazonaws.com. I'm not all that familiar with Amplify, so I don't know where that is coming from.
Jason Wadsworth

You are both right. Doing a 'pull --restore' on a fresh amplify-cli installation works, but if it isn't a fresh installation, I think somehow the 'amplify-cli' is caching the wrong file with the "cognito-.amazonaws.com" instead of the new, right one, "cognito-idp.amazonaws.com".
Vinicius Fontoura

1 Answer

1
votes

Did you check the content of the S3 bucket that manages your environment? We had a similar problem, and we discovered that although our local SNSRole Configuration was right, the CloudFormation template file of the S3 bucket was old and still had the 'cognito-.amazon...' issue.

Try to correct this locally, then push to the cloud, and it'll overwrite the remote CloudFormation template file with the correct one.

Hopefully it works out!
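One way to catch a stale or malformed trust policy before pushing, as an added example that is not part of the answer or the Amplify project: the check below walks every AWS::IAM::Role in a CloudFormation template that has already been loaded into a dict (loading with PyYAML plus a constructor for !Ref is assumed, not shown) and flags Service principals that are not well-formed. The two embedded templates are constructed to mirror the stale S3 copy and the corrected local SNSRole from the question.

```python
import re
from typing import Dict, List

# A service principal is "<service>.amazonaws.com", optionally with a region label
# (e.g. "states.us-east-1.amazonaws.com"). The first label must be non-empty and
# must not end in a dash, which is exactly what "cognito-.amazonaws.com" violates.
SERVICE_PRINCIPAL = re.compile(
    r"^[a-z0-9]+(-[a-z0-9]+)*(\.[a-z0-9-]+)*\.amazonaws\.com(\.cn)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_principals(template: Dict) -> List[str]:
    """Return one finding per malformed Service principal in any IAM role trust policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
            principal = stmt.get("Principal", {})
            if not isinstance(principal, dict):
                continue  # "*" or a bare string; not a service principal
            for svc in _as_list(principal.get("Service", [])):
                # Unresolved intrinsics (dicts such as {"Fn::Sub": ...}) are skipped.
                if isinstance(svc, str) and not SERVICE_PRINCIPAL.match(svc):
                    findings.append(
                        f"{name}: statement {idx} has invalid Service principal {svc!r}")
    return findings

def _sns_role(service: str) -> Dict:
    # Constructed sample mirroring the SNSRole from the question; !Ref values are
    # represented as {"Ref": ...}, the form a simple PyYAML !Ref constructor yields.
    return {"Resources": {"SNSRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": {"Ref": "roleName"},
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Sid": "", "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": ["sts:AssumeRole"],
            "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "roleExternalId"}}},
        }]}}}}}

STALE_REMOTE = _sns_role("cognito-.amazonaws.com")    # what the S3 copy still had
FIXED_LOCAL = _sns_role("cognito-idp.amazonaws.com")  # what the local template has

if __name__ == "__main__":
    for label, tpl in (("stale", STALE_REMOTE), ("fixed", FIXED_LOCAL)):
        print(label, check_role_principals(tpl) or "OK")
```

Running it against the template downloaded from the deployment bucket and against the local copy shows which side still carries the bad principal.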