
We are using a Cognito user pool for authentication, and I had enabled email verification under MFA and verification. After some time I tried to remove that verification by unchecking the email check box, but I always get the error "Your roles are still being created. Please wait and try again". I waited for a week, and the problem still persists. I just need to uncheck email verification. Thank you in advance.

punith bp

4 Answers


I had an issue where the SMS role was accidentally deleted. It may never have been created either. At the bottom of the MFA section you'll see an input box with the ability to name the role, and then a "Create Role" button to click on.

If you have a grayed-out role name already, look for it in IAM. If it doesn't exist, you will need to re-create it. Unfortunately there is no way to do this in IAM and have it work for Cognito, because it requires a path prefix for the service role (of service-role). I tried re-creating via CLI, and while it made the matching role, it still didn't work.

So the best thing to do is make a new (dummy) pool and create the SMS role there that matches the name of the one used by the other pool where you're seeing that error message.

Then you will need to update the role to ensure the ExternalId matches (it's a UUID). The only way you can find this UUID is via CLI, so you'll need to find it using the command: aws cognito-idp get-user-pool-mfa-config --user-pool-id=xxxx

It should return the current role name and its ExternalId, so you can then go back to IAM, find the newly AWS-created SMS role and update its policy JSON to include the proper UUID.

Finally, get rid of the dummy pool you had created, because it too will now be afflicted with the "Your roles are still being created." bug.

Essentially, it's just stuck and needs its config pointed to the proper role (using its ExternalId), and unfortunately there aren't enough dashboard controls to fix the issue. You have to kind of hack around it a little bit until they can fix it.

Tom
    I'm not sure where to put that external ID from the console – Žilvinas Jul 31 '19 at 09:39
  • @Žilvinas go to that role, in the `Trust relationships` tab click `Edit trust relationship` and replace the existing `sts:ExternalId` with the one you got from aws cli – Marius B Nov 29 '19 at 13:57
  • I came across this after somehow losing an SNS role. Unfortunately, now a year later, when creating role in the dummy pool the arn has ":role/service-role/" in it instead of just ":role/", which causes the bug to remain. Thinking deleting the pool and recreating it, but I dread the thought. – Kim Apr 08 '20 at 03:51
  • almost got there with "aws iam create-role", which allowed for a perfect match of the name and arn. Then I filled in the permissions policy and trust relationship, but still the same. :( – Kim Apr 08 '20 at 04:25

I know this is late, but maybe someone else might benefit from this.

The below could be a solution, depending on the scenario.

I had somehow deleted the SNS role used by a User Pool. When a new one got created, it did not match what showed when running:

$ aws cognito-idp get-user-pool-mfa-config --user-pool-id=us-west-2_xxxxxxxxx
{
    "SmsMfaConfiguration": {
        "SmsConfiguration": {
            "SnsCallerArn": "arn:aws:iam::123456789098:role/sns12345-dev",
            "ExternalId": "myproj02605eb4_role_external_id"
        }
    },
    "MfaConfiguration": "OFF"
}

The new role had an ARN like this:

arn:aws:iam::123456789098:role/sns23456-dev

The following command allowed me to update the SNS role, and the User Pool stopped showing that bloody "Your roles are still being created. Please wait and try again" error:

aws cognito-idp update-user-pool \
--user-pool-id us-west-2_xxxxxxxxx \
--sms-configuration \
SnsCallerArn=arn:aws:iam::123456789098:role/sns23456-dev,ExternalId=myproj02605eb4_role_external_id
Kim

I just had the same problem. I tried to add some triggers to my user pool, but it kept saying that the roles were being created. I looked in IAM and the role did not seem to exist. What worked for me was a mix of different answers.

  1. Get the external id for your user pool.
aws cognito-idp get-user-pool-mfa-config --user-pool-id=XXXXX
{
    "SmsMfaConfiguration": {
        "SmsConfiguration": {
            "SnsCallerArn": "arn:aws:iam::XXXX",
            "ExternalId": "XXXX"
        }
    },
    "MfaConfiguration": "OFF"
}

  2. Create a new role in IAM for SNS.

  3. Once created, click on "Trust relationships", then click on "Edit trust relationship" and add the following JSON (don't forget to replace the external id with yours):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID_HERE"
        }
      }
    }
  ]
}
  4. Using the CLI, update the pool's role with the new role's ARN (the ExternalId is the one returned in step 1):
aws cognito-idp update-user-pool --user-pool-id YOUR_USER_POOL_ID --sms-configuration SnsCallerArn=ROLE_ARN_HERE,ExternalId=YOUR_EXTERNAL_ID_HERE

After this, I was able to save changes to the user pool.

Agey
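The three answers above all perform the same repair by hand: read the SnsCallerArn and ExternalId the pool still expects, make sure a role with that exact name and path exists, give it a trust policy that only lets cognito-idp.amazonaws.com assume it when it presents that ExternalId, and then point the pool at the role with update-user-pool. The script below is an added example, not code from any of the answers, that does those steps with the AWS CLI from stdlib Python. The sample MFA-config JSON, the pool id, the role name and the inline policy name CognitoSnsPublish are constructed placeholders modelled on the output shown in the answers; it assumes `aws` is on PATH with credentials for the pool's account.

```python
"""Repair a Cognito user pool stuck on "Your roles are still being created".

Added example, not code from the answers above. Assumes the AWS CLI is on PATH
with credentials for the account that owns the pool. Only repair_pool() talks
to AWS; every other function is pure and runs offline.
"""
from __future__ import annotations

import json
import subprocess

# Constructed sample, shaped like the get-user-pool-mfa-config output in the answers.
SAMPLE_MFA_CONFIG = json.dumps({
    "SmsMfaConfiguration": {
        "SmsConfiguration": {
            "SnsCallerArn": "arn:aws:iam::123456789098:role/service-role/sns12345-dev",
            "ExternalId": "myproj02605eb4_role_external_id",
        }
    },
    "MfaConfiguration": "OFF",
})

COGNITO_SERVICE = "cognito-idp.amazonaws.com"


def parse_mfa_config(raw: str) -> tuple[str, str]:
    """(SnsCallerArn, ExternalId) that the pool still expects."""
    sms = json.loads(raw)["SmsMfaConfiguration"]["SmsConfiguration"]
    return sms["SnsCallerArn"], sms["ExternalId"]


def role_name_and_path(arn: str) -> tuple[str, str]:
    """Split a role ARN into (name, IAM path). The path is part of the ARN, so a
    role recreated under '/' never matches one the pool expects under
    '/service-role/' (the mismatch noted in the comments above)."""
    rest = arn.partition(":role/")[2]
    path, _, name = rest.rpartition("/")
    return name, ("/" + path + "/") if path else "/"


def trust_policy(external_id: str) -> dict:
    """Only Cognito may assume the role, and only with this pool's ExternalId
    (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def sns_publish_policy() -> dict:
    """Permission policy: SMS delivery needs only sns:Publish. Direct-to-phone
    publishes have no topic ARN, hence Resource "*"."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}]}


def trust_policy_matches(policy: dict, external_id: str) -> bool:
    """True if some Allow statement lets cognito-idp assume the role with exactly
    this ExternalId. A statement lacking the condition is rejected: it would let
    Cognito assume the role on behalf of any pool in any account."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        actions = [actions] if isinstance(actions, str) else actions
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if COGNITO_SERVICE not in services:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") == external_id:
            return True
    return False


def sms_configuration_arg(arn: str, external_id: str) -> str:
    """Shorthand value for `update-user-pool --sms-configuration`."""
    return f"SnsCallerArn={arn},ExternalId={external_id}"


def aws(*args: str) -> str:
    """Run one AWS CLI command and return its stdout."""
    return subprocess.run(["aws", *args], check=True, capture_output=True, text=True).stdout


def repair_pool(pool_id: str) -> str:
    """Recreate or fix the role the pool expects, then re-point the pool at it.
    Returns the role ARN now configured on the pool."""
    arn, external_id = parse_mfa_config(
        aws("cognito-idp", "get-user-pool-mfa-config", "--user-pool-id", pool_id))
    name, path = role_name_and_path(arn)
    try:
        role = json.loads(aws("iam", "get-role", "--role-name", name))["Role"]
    except subprocess.CalledProcessError as err:
        if "NoSuchEntity" not in err.stderr:
            raise  # credentials or network problem, not a missing role
        # Recreate under the same name and path so the ARN matches exactly.
        role = json.loads(aws("iam", "create-role", "--role-name", name, "--path", path,
                              "--assume-role-policy-document",
                              json.dumps(trust_policy(external_id))))["Role"]
        aws("iam", "put-role-policy", "--role-name", name, "--policy-name", "CognitoSnsPublish",
            "--policy-document", json.dumps(sns_publish_policy()))
    if not trust_policy_matches(role["AssumeRolePolicyDocument"], external_id):
        aws("iam", "update-assume-role-policy", "--role-name", name,
            "--policy-document", json.dumps(trust_policy(external_id)))
    aws("cognito-idp", "update-user-pool", "--user-pool-id", pool_id,
        "--sms-configuration", sms_configuration_arg(role["Arn"], external_id))
    return role["Arn"]


if __name__ == "__main__":
    import sys
    print(repair_pool(sys.argv[1]))  # e.g. us-west-2_xxxxxxxxx
```

The trust-policy check is the security-relevant part: a role that trusts cognito-idp.amazonaws.com without the sts:ExternalId condition can be assumed on behalf of any pool in any account, which is exactly the confused-deputy case the ExternalId exists to prevent, so the script refuses to accept such a role and rewrites the trust policy. One caveat on the last step: the UpdateUserPool API documentation states that attributes you do not pass are reset to their defaults, so on a pool with other customised settings, capture describe-user-pool output first and pass those settings along rather than running update-user-pool with only --sms-configuration.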

In case somebody else faces the same issue, here is how I resolved it: I went to IAM and deleted the role, then went back to Cognito and created the role for SMS MFA again (after refreshing the page), and it worked.