Aws-cli: Cognito CreateUserPool doesn鈥檛 seem to respect AutoVerifiedAttributes value

Created on 21 Jan 2019  路  7Comments  路  Source: aws/aws-cli

Hi,

My info:

$ aws --version
aws-cli/1.16.92 Python/2.7.15 Darwin/18.2.0 botocore/1.12.82

I try to create a user pool in Cognito from the CLI:

  aws cognito-idp create-user-pool --debug --pool-name "myuserpool" \
    --auto-verified-attributes email \
    --policies "PasswordPolicy={MinimumLength=10,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true}" \
    --mfa-configuration OPTIONAL \
    --device-configuration "ChallengeRequiredOnNewDevice=true,DeviceOnlyRememberedOnUserPrompt=true" \
    --username-attributes email

The debug outputs my command is sending the following JSON body in my request:

{
  "PoolName": "myuserpool",
  "Policies": {
    "PasswordPolicy": {
      "MinimumLength": 10,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireNumbers": true,
      "RequireSymbols": true
    }
  },
  "AutoVerifiedAttributes": [
    "email"
  ],
  "UsernameAttributes": [
    "email"
  ],
  "MfaConfiguration": "OPTIONAL",
  "DeviceConfiguration": {
    "ChallengeRequiredOnNewDevice": true,
    "DeviceOnlyRememberedOnUserPrompt": true
  }
}

And yet, even if I explicitely set AutoVerifiedAttributes to only email, I鈥檓 asked to configure my SMS settings, while I shouldn't need them:

An error occurred (InvalidParameterException) when calling the CreateUserPool operation: SMS configuration is required when MFA is required/optional and phone_number is selected for auto verification

Is this a bug?

guidance
Source
picture remino

Most helpful comment

How could this be the official fix.
It's really annoying that you can't define the user pool settings from your cloudformation file.
This issue should be reopened.

picture ivands on 30 Mar 2020
👍15

All 7 comments

I tried using command args and JSON input and still no luck. I gave up on this. The only workaround I found was to create a bare User Pool first, then update it with the configuration I want, including optional MFA by e-mail.

remino picture remino on 22 Jan 2019

Hi @remino, sorry to hear you were having difficulties with this. The auto verified attributes and MFA are two separate concepts. If you need more information on this, let us know. We'll consider improving the documentation to make this more apparent.

We don't support email as MFA - only SMS and TOTP. When you set MfaConfiguration as ON or OPTIONAL during CreateUserPool API, it assumes that you're using SMS as MFA. If you want to use TOTP, you need to use SetUserPoolMfaConfig API.

klaytaybai picture klaytaybai on 23 Jan 2019
👎5 👍1

Hi @klaytaybai

What you鈥檙e saying is correct. I also found out about SetUserPoolMfaConfig yesterday. Doing CreateUserPool first then SetUserPoolMfaConfig solves my problem. Thanks for confirming.

remino picture remino on 24 Jan 2019

How could this be the official fix.
It's really annoying that you can't define the user pool settings from your cloudformation file.
This issue should be reopened.

ivands picture ivands on 30 Mar 2020
👍15

Agree with @ivands, this should be doable directly from the CloudFormation template.

JorisLimousin picture JorisLimousin on 8 May 2020
👍2

Bump @klaytaybai! Hate to use comments for this, but the issue is still closed, and reactions do not seem to be picked up. I want to use TOTP-only MFA (SMS being quite insecure), and cannot do it from cloudformation directly.

spalladino picture spalladino on 28 May 2020

+1. I can't use the work around of setting the MFA config after the user pool has been created because I need MFA to be required for the user pool - thus I have to have turn it on when creating

nocoli picture nocoli on 6 Aug 2020
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

vadimkim picture vadimkim  路  3Comments
braddr picture braddr  路  3Comments
ronaldpetty picture ronaldpetty  路  3Comments
ehammond picture ehammond  路  3Comments
975204 picture 975204  路  3Comments