Amplify-js: Unauthenticated access is not supported for this identity pool
Hi all 👋
I'm authenticating the user with
await Auth.signIn(emailOrPhone, password);
which completes finely. But when I try to get the credentials with
const credentials = await Auth.currentCredentials();
I get this error: Unauthenticated access is not supported for this identity pool
I'm setting up Amplify in this way:
Amplify.configure({
Auth: {
identityPoolId: 'xxx,
region: 'xxx',
userPoolId: 'xxx',
userPoolWebClientId: 'xxx',
},
});
(with actual values instead of xxx)
How do I authenticate in the Identity Pool and get temporary IAM credentials to use with the AWS SDK?
EgidioCaprino
All 23 comments
@EgidioCaprino does your federated identity pool which has your user pool attached as an identity provider have an unauthenticated role attached to it? See here for detas:
https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html
In the federated identities console, go-to your identity pool, edit, then make sure you have unauthenticated role enabled. Then make sure the role has a policy that allows what you would like to be done unauthenticated. Generally this is something like mobileanalytics-put and/or execute-api etc.
mlabieniec
on 22 Jun 2018
I have the same problem and this is not very helpful because with unauthenticated access it is functioning OK. I need to get it functioning with authenticated access.
AntonSmatanik
on 4 Sep 2018
I have the same issue where Auth.currentAuthenticatedUser() gives a successful user login, but subsequent currentCredentials call fails saying it's trying to log the user in as an unauthenticated role.
jadbox
on 10 Sep 2018
did anyone solve this?
@jadbox @AntonSmatanik
LermanR
on 11 Oct 2018
So it's just not me, Looks like the whole world is facing this issue.
subodhjena
on 11 Oct 2018
worked for me...
LermanR
on 13 Oct 2018
Fixed it. Had to enter exact information in the aws-amplify-config. In my case, just this & nothing else.
const amplifyConfig = {
Auth: {
// REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID
identityPoolId: 'identity-pool-id',
// REQUIRED - Amazon Cognito Region
region: 'us-east-1',
// OPTIONAL - Amazon Cognito Federated Identity Pool Region
// Required only if it's different from Amazon Cognito Region
identityPoolRegion: 'us-east-1',
// OPTIONAL - Amazon Cognito User Pool ID
userPoolId: 'user-pool-id',
// OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
userPoolWebClientId: 'user-pool-client-id'
}
};
subodhjena
on 15 Oct 2018
After this i was able to see the config objects in the local storage.
subodhjena
on 15 Oct 2018
Hmm. Still seeing this same issue ("Token is not from a supported provider of this identity pool."). Using AWS Amplify. What's odd is that the issue has just come up; I have been Sign In / Up / Out without problems for a week straight. Configuration hasn't changed at all. Could there be something else at play?
JasonLunsford
on 7 Nov 2018
I am also getting that. Did you guys find the reason why?
andreupifarre
on 14 Nov 2018
For me the issue was a mismatch between the App Client ID and the associated Identity Pool. I fixed it by going to the Identity Pool in question, clicking Edit Identity Pool, expanding Authentication Providers, selecting the first tab (Cognito), and ensuring both the User Pool ID and App client ID were those that appear in my aws_config file.
JasonLunsford
on 14 Nov 2018
I have no config mismatches in my ID pool setup or in JavaScript Amplify.configure({
Auth: {...} It was working fine for the Cognito services api. My admin app had full CRUD with Cognito users. Now I get this error. Frustrating.
jmpreston
on 21 Dec 2018
My fix. I nuked the ID Pool and started over. Setup new new roles for unauthenticated and authenticated but with the same role policies in IAM has the previous roles. Then magically it worked.
jmpreston
on 21 Dec 2018
Checking enable access to unauthenticated identites in cognito federated identities worked for me.
Ruwanari
on 2 Jan 2019
I'm getting this message after:
CognitoIdentityServiceProvider.adminGetUser(params
but only after the first call, if I restart my express node server all works fine but only the first time.
aarkerio
on 5 Feb 2019
Just for the record...I left the default cookieStorage configuration there by mistake:
cookieStorage: {
// REQUIRED - Cookie domain (only required if cookieStorage is provided)
domain: '.yourdomain.com',
// OPTIONAL - Cookie path
path: '/',
// OPTIONAL - Cookie expiration in days
expires: 365,
// OPTIONAL - Cookie secure flag
// Either true or false, indicating if the cookie transmission requires a secure protocol (https).
secure: true
},
I suppose many people have that issue because of the config?
bichotll
on 20 Feb 2019
I got the error after updating the api from: being restricted to authenticated users only, to: allow unauthenticated users.
Under amplify/backend/auth/cognito[nnn]/parameters.json
I switched:
"allowUnauthenticatedIdentities": false,
to:
"allowUnauthenticatedIdentities": true,
pushed to aws and it did the trick.
allowUnauthenticatedIdentities seems not being updated after issuing amplify update api.
Tony-Guerrero
on 24 May 2019
For anyone still facing the issue, you need to check if user received from Auth.signIn(email, password) has a challengeName: 'NEW_PASSWORD_REQUIRED' which is likely from creating a user in the console. If this is on the user, they need to enter a new password to be "authenticated".
In order to do this, simply get the user (const user = await Auth.signIn(...)) and the user's input for the new password and run this just like a sign in: await Auth.completeNewPassword(user, newPassword).
This will return an "authenticated" user (as far as passwords go).
StephenHartfield
on 19 Mar 2020
Please check if you have configured your amplify app (as shown below)
To know more visit this link
Prateek13727
on 4 Oct 2020
YES!!! we missed to configure it.
jpca999
on 20 Oct 2020
Fixed it. Had to enter exact information in the aws-amplify-config. In my case, just this & nothing else.
const amplifyConfig = {
Auth: {// REQUIRED only for Federated Authentication - Amazon Cognito Identity Pool ID identityPoolId: 'identity-pool-id', // REQUIRED - Amazon Cognito Region region: 'us-east-1', // OPTIONAL - Amazon Cognito Federated Identity Pool Region // Required only if it's different from Amazon Cognito Region identityPoolRegion: 'us-east-1', // OPTIONAL - Amazon Cognito User Pool ID userPoolId: 'user-pool-id', // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string) userPoolWebClientId: 'user-pool-client-id'}
};
@subodhjena in my case doesn't work at all what I still missing?
inspifinity
on 31 Dec 2020
hey @inspifinity
have you checked the (image below) option in your identity pool config?
you can find it in Edit identity pool under unauthenticated access
Prateek13727
on 31 Dec 2020
@Prateek13727 the solution what you suggested completely not acceptable for me because it will allow to access secretAccessKey without user authentication.
I figured out what was the real problem:
const authInfo = await Auth.signIn(username, password)
In my case authInfo object contains { challengeName: “NEW_PASSWORD_REQUIRED” } property which is require extra action:
const completed = await Auth.completeNewPassword(authInfo, new_password)
after that:
await Auth.signIn(username, new_password)
const credentials = await Auth.currentCredentials()
works like a charm without any issue
inspifinity
on 8 Jan 2021
Related issues
benevolentprof
·
3Comments
callmekatootie
·
3Comments
oste
·
3Comments
shinnapatthesix
·
3Comments
DougWoodCDS
·
3Comments
Most helpful comment
Checking enable access to unauthenticated identites in cognito federated identities worked for me.
