21

I am using the AWS Javascript API and trying to get the assigned cognito id:

AWS.config.credentials.get(function(err) {
    if (!err) {
        console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
    }
});

Why does this result in a 400 error with the message below?

{"__type":"InvalidIdentityPoolConfigurationException","message":"Invalid identity pool configuration. Check assigned IAM roles for this pool."}

I have IAM roles configured for authenticated and non-authenticated users.

{
"Version": "2012-10-17",
"Statement": [{
    "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
    ],
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}]
}
drfence

10 Answers

46

The most common reason for this error is your roles aren't set up to trust your identity pool. You should confirm that the identity pool id listed in your trust relationships matches the identity pool you are using.

More info on trust relationships in Amazon Cognito can be found in our developer guide.

Leighton
Bob Kinney
29

After some digging I realized that you must add the RoleArn and AccountId to your credentials.

Even though most of the documentation out there mentions this as being enough:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxxxx',
});

This was not enough.

I had to do this:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:xxxxx-a87e-46ed-9519-xxxxx',
    RoleArn: 'arn:aws:iam::xxxxx:role/Cognito_xxxxUsersUnauth_Role',
    AccountId: 'xxxxxxxxx', // your AWS account ID
});

You must mention the ARN of your Role for your identity pool.

The only doc that mentions it right is this one.

The wrong ones:

Maybe I'm missing something but this is certainly confusing.

koxon
    YOU ARE GOD FOR ME – ryutamaki Oct 26 '16 at 08:38
  • 5
    I don't think this is necessary. As Bob mentioned in the other answer, you can setup the trust relationship for your IAM role. I accidentally caused `InvalidIdentityPoolConfigurationException` on `AWS.config.credentials.get` to happen by re-creating my identity pool and forgetting to update the trust relationship for the cognito authenticated IAM role. – ingh.am Jan 18 '17 at 14:57
  • 4
    Also, I don't like the idea of exposing my AWS account id and role information on a public website in the js. – ingh.am Jan 18 '17 at 14:58
  • Indeed @ing0 fixed :( – koxon Jan 20 '17 at 10:11
  • 2
    @koxon I was actually speaking about exposing those details in your javascript implementation, but it's probably a good idea to remove them from SO as well! – ingh.am Jan 20 '17 at 14:31
  • Another example of AWS docco sucking balls – jenson-button-event Oct 08 '19 at 11:52
  • Confirming: ran into the same issue. RoleArn and AccountId are not required, just need to fix the trust relationship, per documentation. – smirnoff Mar 01 '21 at 22:41
8

Check the "Trust Relationship" section of the role that is assigned to your Identity Pool for authenticated users. Make sure you have policies defining access to your Cognito pool.

The easiest way to get the required policy statements is:

  1. Edit the pool
  2. Create new role for identity pool
  3. In IAM edit this role to copy the policy statements
  4. Add these Trust Relationships to your required existing role
Jerome Anthony
2

Another - probably less common - reason: Make sure that you are actually using an identity pool and if not, remove the identity pool id from your aws-exports.js.

I was getting this error after adding federated sign ins to my user pool (not identity pool). For reasons unknown my config included an aws_cognito_identity_pool_id. Removing this id solved the error for me.

1

I checked the Trust Relationship of my roles configured for "Authenticated role" and "Unauthenticated role" for my identity pool more than once, but still the error occurred. After reviewing my whole identity pool configuration I recognized that in

  • Authentication providers
    • Cognito
      • Authenticated role selection

I have chosen "Choose role from token" and my wrongly configured role was the one I attached to the cognito group for my users. So updating the Trust Relationship for this role fixed the problem.

Hope this helps someone :)

Stefan M.
  • I used your option ("Choose role from token") but at the end what worked for me was the option: "Use default role" – Edenshaw Mar 05 '20 at 16:58
1

In my case, I am using SAML identity provider. The action in the IAM role policy should be: "Action": "sts:AssumeRoleWithSAML". But this is the root cause of the exception. I have to manually change it to "Action": "sts:AssumeRoleWithWebIdentity". It turns out any role created by the Cognito identity pool will use "Action": "sts:AssumeRoleWithWebIdentity". It won't check your identity provider type. I believe this is a bug.

Rick Meng
0

I encountered this error and my problem turned out to be that my user was assuming an unauthenticated role because I was returning AWSTask(result:nil) from the logins() function in my custom CognitoDeveloperIdentityProvider.

Regular User
0

I had the same error when trying to retrieve files from S3 through my Identity pool users.

Solution: You can create a role in IAM for "Web Identity". Then provide your identity pool ID and add the permissions that you want the role to have, e.g. S3FullAccess. Then navigate back to Amazon Cognito Identity pools and assign the role you just created to the unauthrole or authrole. The users in the Identity pool should now be able to access the S3 resources.

0

Another (way less probable) scenario is that either the provider or the identityPoolId you are using is invalid. I spent hours debugging a missing ENV in my code.

Oscar Nevarez
0

Had this issue; after several hours of checking out what the problem could be, I found out that the Trust Policy was actually missing the line sts:TagSession in the Action list, so eventually the Authenticated Trust Policy is as defined below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "{IDENTITY_POOL_ID}"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
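An added example, not from the question or any of the answers: a local check of a role trust policy for the misconfigurations the answers above describe, namely an aud condition that does not match the pool id (top answer), an sts:AssumeRoleWithSAML action instead of sts:AssumeRoleWithWebIdentity (Rick Meng's answer), and a missing sts:TagSession (last answer). The function names checkTrustPolicy and makeTrustPolicy and the pool id are my own constructed placeholders, not SDK or page identifiers.

```javascript
// Added example: lint a Cognito identity-pool role trust policy offline.
// checkTrustPolicy/makeTrustPolicy are hypothetical names; POOL_ID is a constructed placeholder.
const POOL_ID = "us-east-1:00000000-0000-4000-8000-000000000000";
// Returns a list of findings; an empty list means the trust policy looks right for this pool.
function checkTrustPolicy(policyDoc, expectedPoolId) {
  const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  const findings = [];
  const cognitoStmts = toList(policyDoc.Statement).filter(
    (s) => s.Effect === "Allow" &&
      toList(s.Principal && s.Principal.Federated).includes("cognito-identity.amazonaws.com")
  );
  if (cognitoStmts.length === 0) {
    findings.push("no Allow statement whose Principal.Federated is cognito-identity.amazonaws.com");
    return findings;
  }
  for (const s of cognitoStmts) {
    const actions = toList(s.Action);
    // Roles created by the identity pool use AssumeRoleWithWebIdentity, even for SAML providers.
    if (!actions.includes("sts:AssumeRoleWithWebIdentity")) {
      findings.push(`Action must include sts:AssumeRoleWithWebIdentity, got ${JSON.stringify(actions)}`);
    }
    if (!actions.includes("sts:TagSession")) {
      findings.push("Action list is missing sts:TagSession");
    }
    const cond = (s.Condition && s.Condition.StringEquals) || {};
    const aud = cond["cognito-identity.amazonaws.com:aud"];
    if (aud === undefined) {
      findings.push("no cognito-identity.amazonaws.com:aud condition: role would trust every identity pool");
    } else if (!toList(aud).includes(expectedPoolId)) {
      findings.push(`aud condition ${JSON.stringify(aud)} does not match pool ${expectedPoolId}`);
    }
  }
  return findings;
}
// Builds a trust policy in the shape shown in the last answer, with the given Action and aud values.
function makeTrustPolicy(action, aud) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: "cognito-identity.amazonaws.com" },
      Action: action,
      Condition: {
        StringEquals: { "cognito-identity.amazonaws.com:aud": aud },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
      },
    }],
  };
}
// Example: a role whose trust policy still names a stale pool id (the case in the ingh.am comment).
console.log(checkTrustPolicy(makeTrustPolicy(["sts:AssumeRoleWithWebIdentity", "sts:TagSession"], "us-east-1:old-pool"), POOL_ID));
```

To run it against a real role, fetch the role with iam.getRole, URL-decode AssumeRolePolicyDocument, JSON.parse it and pass the result as policyDoc.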