Amplify-cli: Analytics does not work for logged in user groups

Created on 8 Jul 2020 · 11 Comments · Source: aws-amplify/amplify-cli

Describe the bug
Analytics does not work for Logged In User Groups

Amplify CLI Version
4.23.0

To Reproduce
Set up auth with user groups and analytics and record events

Expected behavior
Events should show up in the Pinpoint dashboard

Desktop (please complete the following information):

  • OS: Mac
  • Node Version: v12.18.2

Additional context
There are no user group roles defined in the CloudFormation template and the template only has an auth and unauth role, which is not assumed by the logged-in user when user groups are enabled.

analytics bug

All 11 comments

In order to get around this I added...

    "UsersGroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "Users-group-analytics-policy",
        "Roles": [
          { "Fn::Join": ["", [{ "Ref": "authbabynotebookAuthUserPoolId" }, "-UsersGroupRole"]] }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:PutEvents",
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:GetUserEndpoints"
              ],
              "Resource": [
                {
                  "Fn::Join": ["", [
                    "arn:aws:mobiletargeting:*:",
                    { "Fn::Select": ["4", { "Fn::Split": [":", { "Ref": "authRoleArn" }] }] },
                    ":apps/",
                    { "Fn::GetAtt": ["PinpointFunctionOutputs", "Id"] },
                    "*"
                  ]]
                }
              ]
            }
          ]
        }
      }
    },
    "AdminsGroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "Admins-group-analytics-policy",
        "Roles": [
          { "Fn::Join": ["", [{ "Ref": "authbabynotebookAuthUserPoolId" }, "-AdminsGroupRole"]] }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:PutEvents",
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:GetUserEndpoints"
              ],
              "Resource": [
                {
                  "Fn::Join": ["", [
                    "arn:aws:mobiletargeting:*:",
                    { "Fn::Select": ["4", { "Fn::Split": [":", { "Ref": "authRoleArn" }] }] },
                    ":apps/",
                    { "Fn::GetAtt": ["PinpointFunctionOutputs", "Id"] },
                    "*"
                  ]]
                }
              ]
            }
          ]
        }
      }
    }

and

    "authbabynotebookAuthUserPoolId": {
      "Type": "String",
      "Default": "authbabynotebookAuthUserPoolId"
    },
    "authuserPoolGroupsUsersGroupRole": {
      "Type": "String",
      "Default": "authuserPoolGroupsUsersGroupRole"
    },
    "authuserPoolGroupsAdminsGroupRole": {
      "Type": "String",
      "Default": "authuserPoolGroupsAdminsGroupRole"
    }

... to the analytics CloudFormation template.
Added the "dependsOn" to the backend-config.json:

    "analytics": {
      "babynotebook": {
        "service": "Pinpoint",
        "providerPlugin": "awscloudformation",
        "dependsOn": [
          { "category": "auth", "resourceName": "babynotebookAuth", "attributes": ["UserPoolId"] },
          { "category": "auth", "resourceName": "userPoolGroups", "attributes": ["AdminsGroupRole"] },
          { "category": "auth", "resourceName": "userPoolGroups", "attributes": ["UsersGroupRole"] }
        ]
      }
    }

... Have to say I am still amazed by the amount of bugs like this I have to fix in my CloudFormation manually, and it seems like the QA testing is not adequate for a product that has the AWS name on it.

Confirm that behavior

@jhockett Any news on this? I see the same issue on Users in Groups

Thanks for reporting this @ahansson89! Sorry for the lack of activity on this issue. I was able to reproduce and confirm it's a bug.

Has this bug been resolved yet?

The amount of bugs this platform has is incredible. It's almost like they don't test anything 🤔 ... I'm on the issue pages almost daily.

I can confirm this bug and it is super annoying.

Hi folks - we've reproduced the issue and are going to tackle it as part of our bug bash over the next upcoming weeks.

Yes, it would be awesome if group roles applied the auth role permissions, as when updating the endpoint we get this error for the group all users are added to in post confirmation:

could not update endpoint AccessDeniedException: User: arn:aws:sts::XXXXXXXXXXXXXX:assumed-role/xxxxxxxxx-CustomersGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:UpdateEndpoint on resource: arn:aws:mobiletargeting:xxxxxx:XXXXXXXXX:apps/XXXXXXXXXXXXXXXXXX/endpoints/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
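An added example (not part of the thread and not Amplify's own code): a small Node.js check that resolves the workaround's `UsersGroupPolicy` and reports which group roles still have no grant for the Pinpoint actions on an endpoint ARN shaped like the one in the AccessDeniedException above. The pool id, account id, app id and endpoint id are constructed placeholders, and the evaluation is Allow-only.

```javascript
// Constructed values: pool id, account id, app id and endpoint id are placeholders.
const params = {
  authbabynotebookAuthUserPoolId: "us-east-1_EXAMPLE",
  authRoleArn: "arn:aws:iam::111122223333:role/example-authRole",
};
const attrs = { "PinpointFunctionOutputs.Id": "exampleappid0001" };
const ENDPOINT_ARN =
  "arn:aws:mobiletargeting:us-east-1:111122223333:apps/exampleappid0001/endpoints/example-endpoint";
// UsersGroupPolicy as posted in the workaround; no policy exists for a Customers group.
const resources = { UsersGroupPolicy: { Type: "AWS::IAM::Policy", Properties: {
  PolicyName: "Users-group-analytics-policy",
  Roles: [{ "Fn::Join": ["", [{ Ref: "authbabynotebookAuthUserPoolId" }, "-UsersGroupRole"]] }],
  PolicyDocument: { Version: "2012-10-17", Statement: [{
    Effect: "Allow",
    Action: ["mobiletargeting:PutEvents", "mobiletargeting:UpdateEndpoint", "mobiletargeting:GetUserEndpoints"],
    Resource: [{ "Fn::Join": ["", ["arn:aws:mobiletargeting:*:",
      { "Fn::Select": ["4", { "Fn::Split": [":", { Ref: "authRoleArn" }] }] },
      ":apps/", { "Fn::GetAtt": ["PinpointFunctionOutputs", "Id"] }, "*"]] }],
  }] },
} } };
// Resolve the CloudFormation intrinsics the workaround uses.
function resolve(node) {
  if (Array.isArray(node)) return node.map((n) => resolve(n));
  if (node === null || typeof node !== "object") return node;
  if ("Ref" in node) return params[node.Ref];
  if ("Fn::GetAtt" in node) return attrs[node["Fn::GetAtt"].join(".")];
  if ("Fn::Join" in node) return resolve(node["Fn::Join"][1]).join(node["Fn::Join"][0]);
  if ("Fn::Split" in node) return resolve(node["Fn::Split"][1]).split(node["Fn::Split"][0]);
  if ("Fn::Select" in node) return resolve(node["Fn::Select"][1])[Number(node["Fn::Select"][0])];
  return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, resolve(v)]));
}
// IAM wildcard match: "*" is any run of characters, "?" is exactly one.
function wild(pattern, value, flags) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", flags).test(value);
}
// Allow-only evaluation (ignores Deny, Condition, NotAction, managed policies).
function isAllowed(res, role, action, arn) {
  return Object.values(res).filter((r) => r.Type === "AWS::IAM::Policy")
    .map((r) => resolve(r.Properties)).filter((p) => p.Roles.includes(role))
    .flatMap((p) => [].concat(p.PolicyDocument.Statement))
    .some((s) => s.Effect === "Allow" &&
      [].concat(s.Action).some((a) => wild(a, action, "i")) &&
      [].concat(s.Resource).some((r) => wild(r, arn, "")));
}
// List "role: action" pairs that no policy in the template grants on the ARN.
function missingGrants(res, roles, actions, arn) {
  return roles.flatMap((role) => actions.filter((a) => !isAllowed(res, role, a, arn)).map((a) => `${role}: ${a}`));
}
```

Running `missingGrants` over every `<userPoolId>-<Group>GroupRole` name before a push shows which groups would hit the same AccessDeniedException.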

@jcbdev what is the ETA on this issue?

My above solution seems to no longer work and I get:

Invalid CloudFormation template: pinpoint-cloudformation-template.json
✖ An error occurred when pushing the resources to the cloud
Invalid parameterized type:
An error occurred during the push operation: Invalid parameterized type:

Not really helpful to debug what is going on and the above is blocking a release.

That seems to be an unrelated issue to this one with the latest Amplify CLI version. Was able to downgrade to @aws-amplify/[email protected] in order to get past the error message.
