76

I'm using the JavaScript SDK for AWS Cognito, and there are a couple of custom attributes that I just can't seem to save to and can't see why.

The problem attributes are mutable string fields as follows:

custom:role
custom:recruitingrole
custom:title

Other custom fields in the same request seem to update OK. Specifically, these ones seem to work:

custom:division
custom:linkedin
custom:location
custom:bio

When I submit via the SDK, this is returned:

{"__type":"NotAuthorizedException","message":"A client attempted to write unauthorized attribute"}

Here is the data that is sent, as shown in the Chrome developer console network output:

{
    "AccessToken": "",
    "UserAttributes": [{
        "Name": "name",
        "Value": "Steve Austin"
    }, {
        "Name": "custom:company",
        "Value": "OSI"
    }, {
        "Name": "custom:division",
        "Value": "Bionics"
    }, {
        "Name": "custom:recruitingrole",
        "Value": "other"
    }, {
        "Name": "custom:linkedin",
        "Value": "http://www.linkedin.com"
    }, {
        "Name": "custom:location",
        "Value": "Mexico City, Mexico City, Mexico"
    }, {
        "Name": "custom:bio",
        "Value": "A man barely alive."
    }]
}

Can anyone suggest why I can't save to these attributes?

thanks

Duke Dougal

9 Answers

165

Of course the answer became clear the moment I finished posting on StackOverflow.

The problem was that I had not set permissions for these attributes in the app associated with the user pool. The documentation should make this requirement clear where it discusses custom attributes.


Duke Dougal
  • 3
    Glad to see you found the answer to your question. The doc for this feature is here: http://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes I can see that it calls out the permissions/scope on attributes, and the error which you were receiving. If there's any specific edit you think should be made, or if there's something that could be added to make it more helpful/easier to read I'd encourage you to submit feedback using the button on the bottom right of the page. :) – Rob Devereux May 17 '17 at 10:14
  • @robDevereux I did as you suggested, but along the way got various warnings: "Your connection is not secure. The owner of docs-feedback.aws.amazon.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website. Learn more… Report errors like this to help Mozilla identify and block malicious sites" – Duke Dougal May 17 '17 at 10:39
  • Wow! Thanks for highlighting this to me, I really appreciate it! And I'm sorry for the experience you've had, I'll make sure that the docs team are aware of this issue. – Rob Devereux May 17 '17 at 10:47
  • Hi, I've gotten in touch with the docs team and they've resolved the issue. – Rob Devereux May 18 '17 at 08:34
  • So I must be the only person in recent times who has commented on the documentation through that form :-) – Duke Dougal May 18 '17 at 10:00
  • Well, it looks like you were the first person to discover AND report it to us for sure :). It was a fairly new issue when you found it! Kudos :) – Rob Devereux May 18 '17 at 10:05
  • 21
    Above mentioned documentation still does not make it clear where you can set attribute permissions. I have found it to be in the General settings -> App clients -> Show details -> Set attribute read and write permissions link – mvandillen Dec 15 '17 at 14:12
  • 10
    I am unclear how these settings are supposed to be set. I have every box checked and it still doesn't work. – eignhpants Apr 28 '18 at 14:16
  • 1
    Would it be possible to get a more detailed error message? Like, which attribute is causing the issue? – Brian Takita Jul 08 '19 at 23:53
86

Just highlighting the answer from @mvandillen:

General settings -> App clients -> Show details -> Set attribute read and write permissions link

Paul T. Rawkeen
Martin Rázus
22

For anyone that stumbles upon this question:

Like the others suggested, you should enable the writable attributes. But if that doesn't work, make sure you use the custom: prefix:

await Auth.signUp({
  username: email,
  password: password,
  attributes: {
    'custom:firstName': firstName,
    'custom:lastName': lastName,
    'custom:countryCode': countryCode
  }
});

Christiaan Maks
2

In my case the issue was accessing the variable with an incorrect name. To sum up, my steps were the following.

  1. Add attribute: General settings -> Attributes -> Add custom attribute link

  2. Ensure you set read/write permissions: General settings -> App clients -> Show details -> Set attributes permissions link

  3. Do not forget to access your variable with the correct name. For example, if your variable is named 'foo' you should get it as 'custom:foo' like below.

enter image description here

Elmatsidis Paul
2

To fix this error, you need to make sure that your app has permission to write the custom attribute that you're trying to write. You can do this by checking the permissions for the attribute and the app client in the Cognito user pool console.

Here are the steps to fix the error:

  1. Go to the Cognito user pool console.
  2. Click on the User Pools tab.
  3. Select the user pool that you're having problems with.
  4. Click on the App integration tab.
  5. Click on the App clients section.
  6. Select the app client that you're using.
  7. Click on the Attribute read and write permissions section.
  8. Make sure that the checkbox next to the attribute that you're trying to write is checked.
  9. If the checkbox is not checked, then check it and save your changes.

Once you've done this, you should be able to write the custom attribute without getting the error.
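
An added example (not part of any answer here, and not AWS or Amplify code): because the NotAuthorizedException does not name the rejected attribute, this hypothetical helper compares a request's attribute names against the app client's write list and the pool's attribute names, and reports which ones would be refused and why. The function name, the reason strings and all sample lists are assumptions constructed for illustration.

```javascript
// Added example; every name and value here is constructed for illustration.
// writeAttributes: the app client's write list (WriteAttributes in DescribeUserPoolClient).
// schemaNames: the pool's attribute names, assumed to be given in full ("custom:role").
function diagnoseAttributeWrite(userAttributes, writeAttributes, schemaNames) {
  const writable = new Set(writeAttributes);
  const schema = new Set(schemaNames);
  const byLowerCase = new Map(schemaNames.map((n) => [n.toLowerCase(), n]));
  const problems = [];

  for (const { Name } of userAttributes) {
    if (writable.has(Name)) continue; // this app client may write it

    if (schema.has(Name)) {
      // Exists in the pool, but the app client has no write permission for it.
      problems.push({ Name, reason: 'not-writable-by-client' });
    } else if (schema.has(`custom:${Name}`)) {
      // Custom attribute sent without its "custom:" prefix.
      problems.push({ Name, reason: 'missing-custom-prefix', expected: `custom:${Name}` });
    } else if (byLowerCase.has(Name.toLowerCase())) {
      // Attribute names are case-sensitive ("Email" is not "email").
      problems.push({ Name, reason: 'wrong-case', expected: byLowerCase.get(Name.toLowerCase()) });
    } else {
      problems.push({ Name, reason: 'unknown-attribute' });
    }
  }
  return problems;
}

// Constructed sample: pool attribute names, the client's write list, and a request.
const sampleSchema = ['name', 'email', 'custom:division', 'custom:bio',
  'custom:role', 'custom:recruitingrole'];
const sampleWritable = ['name', 'email', 'custom:division', 'custom:bio'];
const sampleRequest = [
  { Name: 'name', Value: 'Steve Austin' },
  { Name: 'custom:division', Value: 'Bionics' },
  { Name: 'custom:recruitingrole', Value: 'other' }, // not on the write list
  { Name: 'role', Value: 'other' },                  // prefix missing
  { Name: 'Email', Value: 'steve@example.com' },     // wrong case
];

const sampleProblems = diagnoseAttributeWrite(sampleRequest, sampleWritable, sampleSchema);
console.log(JSON.stringify(sampleProblems, null, 2));
```

Attributes on the write list can be changed by the signed-in user with their own access token, so an attribute that drives authorization (a role, for example) is better left off the list and set server-side.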

1

I would just like to add to the list regarding Android and Amplify's Auth lib. Along with enabling custom roles as specified above via AWS Console (General settings -> App clients -> Show details -> Set attribute read and write permissions link) you need to specify that the custom role under AuthUserAttributeKey.custom() has the string custom: prepended to your custom field. My assumption was that this would be excluded given the function call name. A little misleading but I hope this helps someone else out there.

TLDR;

Changed this:

AuthUserAttributeKey.custom("role");

to:

AuthUserAttributeKey.custom("custom:role");

Trayson Keli'i
0

Using Amazon.Extensions.CognitoAuthentication in ASP.NET Core, you have to add:

var user = _pool.GetUser(model.Email);
user.Attributes.Add("name", model.Name);

Here name is the custom attribute

Adrita Sharma
0

My case is a bit different. I am using the Amplify Angular component and I don't have any custom attributes (standard email login type).

It turns out that the key of the sign-up fields is case-sensitive. For the uppercase 'Email' key, I will see the error. Below is the sign-up configuration:

emailSignUpConfig = {
  header: 'Sign up header',
  hideAllDefaults: true,
  defaultCountryCode: '1',
  signUpFields: [
    {
      label: 'Email',
      key: 'email', // the email should be in lower case
      required: true,
      displayOrder: 1,
      type: 'string',
    },
    {
      label: 'Password',
      key: 'password',
      required: true,
      displayOrder: 2,
      type: 'password',
    },
  ],
};

steamfood
0

After enabling writeable attributes, this is what works for me

    const user = {
      username: this.username,
      password: this.password,
      attributes: {
        email: this.email,
        'custom:field1': this.field1,
        'custom:field2': this.field2,
        'custom:field3': this.field3
      }
    };

OR

    const user = {
      username: this.username,
      password: this.password,
      email: this.email,
      attributes: {
        'custom:field1': this.field1,
        'custom:field2': this.field2,
        'custom:field3': this.field3
      }
    };

Jemil Oyebisi