Aws-sdk-ios: Can someone tell me the exact IAM JSON policy for an Unauthenticated cognito role to use every possible Pinpoint service

Created on 22 Jan 2019  ·  9 Comments  ·  Source: aws-amplify/aws-sdk-ios

I don't use amplify-cli. I'm looking for a policy that allows complete functionality for the entire Pinpoint suite in the context of a mobile user, for any mobile property under my account. Basically, when I turn on logging, I never want to see Access denied ever again for at least a year 😁😁 For some reason, wildcards don't work. I have it working now (the IAM console is yelling at me for breaking a bunch of rules), but I have literally no idea what I'm doing anymore; I just don't want to spend another minute with this.

https://docs.aws.amazon.com/mobileanalytics/latest/ug/migrate-sdk.html

https://github.com/aws-amplify/docs/issues/296

https://github.com/aws-amplify/amplify-js/issues/1759

Also, how can I get rid of this:
Message=Exceeded maximum endpoint per user count 10, responseDataSize=57, NSLocalizedFailureReason=BadRequestException}

Any active device should get priority over any other endpoint; I definitely don't want to be managing this myself.

Labels: closing-soon-if-no-response, documentation, pinpoint, question

All 9 comments

@rromanchuk Sorry for the inconvenience caused. What is the version of AWS SDK for iOS you are using?

1) For the issue related to the IAM policies: if you are submitting events using the submitEvents method, which internally does a PutEvents operation, and if you are updating the endpoint, you require the following policy attached to the IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:PutEvents"
            ],
            "Resource": [
                "arn:aws:mobiletargeting:*:${accountID}:apps/${appId}*"
            ]
        }
    ]
}

We will update the amplify/docs to reflect this change.

2) For the issue related to "Exceeded maximum endpoint per user count 10", this is a limit enforced by the Pinpoint service. You cannot have more than 10 unique endpoints per user ID. See Pinpoint service limits for more details.

I tried using that policy and the IAM console explodes. I'm guessing those are global variables; maybe I'm doing something wrong, but still...

[screenshot: screen shot 2019-01-23 at 11 54 31 pm]

Do some actions not support resource wildcards (useful for sanity testing)? This is what I cobbled together yesterday to get it to work. Going to try the one with global vars next.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "mobiletargeting:PutEvents",
                "mobileanalytics:PutEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "mobiletargeting:UpdateEndpoint",
            "Resource": "arn:aws:mobiletargeting:us-east-1:[redacted]:apps/[pinpoint_app_id]*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "mobiletargeting:GetUserEndpoints",
            "Resource": "arn:aws:mobiletargeting:us-east-1:[redacted]:apps/[pinpoint_app_id]*"
        }
    ]
}

You cannot have more than 10 unique endpoints per user ID. See Pinpoint service limits for more details.

I guess I still don't get Pinpoint's big picture. It's trying to do so many things, but not very well, or at least it's not very clear. It's pitched as: want to track analytics? ✅ Want it to manage APNs? ✅ Want to do segmentation across various channels? ✅ The problem is, all these things are coupled to the concept of endpoints, which are obfuscated away by problem/solutions. Amplify documentation tries to remove the service layer components, but it falls apart quickly. All I'm trying to accomplish is to track user events by using Amplify analytics, powered by Amazon, powered by Pinpoint.

Registering Endpoints in Your Application
When a user starts a session (for example, by launching your mobile app), your mobile or web application can automatically register (or update) an endpoint with Amazon Pinpoint. The endpoint represents the device that the user starts the session with. It includes attributes that describe the device, and it can also include custom attributes that you define. Endpoints can also represent other methods of communicating with customers, such as email addresses or mobile phone numbers.

If I'm over my "endpoint limit", what does that mean for that user session's "Analytics" and "Push Notifications"?

I would love to see how Amazon uses Pinpoint in a sample demo (more than a single screen) and with at least one other channel besides APNs, not just contrived usage in AppDelegate. So at least two channels, APN + (email || phone number), analytics, and no other REST services besides aws-ios-sdk.

Here's what happened when I realized I googled and put in the above endpoint:

[screenshot: amazon_pinpoint_console]

Those 10 endpoints were probably my broken backend trying to add SMS/email channels, because it was outrageously painful to attempt to do them client side. I guess I'm a bit crabby because I need Amazon to get out of my way for this type of solution, and even when I do put in time it's either beautiful hello world documentation or autogenerated SDK/REST API docs, and nothing in between.

Is pinpoint using SNS behind the scenes? It has to be right?

Developers have a product. That product has users. Those users interact with the product on devices. Depending on the user, and the devices the user interacts with, I can communicate with that user across a variety of channels. APN, GCM, SMS, and e-mail.

Here's my dream iOS SDK:

Pinpoint.setup() // in AppDelegate, swizzle and handle notifications, creates APN "endpoint"

Pinpoint.trackEvent() // Anywhere, get out of the developer's way

// Sometime after authentication
Pinpoint.setIdentifiers(email: currentUser.email, phone: currentUser.phone) // creates email/phone "endpoints" 
// For segmenting on console
Pinpoint.addAttribute(["science", "politics", "travel"], forKey: "interests")

@rromanchuk you're not alone in your feedback, well stated. Just don't want to spend cycles on what Segment, etc. have long ago solved.

@rromanchuk @kawells924 Sorry for the inconvenience caused. I'm summarizing your concerns and my answers here:

1) Issue with setting policies in the IAM console: By arn:aws:mobiletargeting:*:${accountID}:apps/${appId}* I mean you would substitute the accountId and appId with the actual identifiers you have.

2) Pinpoint's bigger picture. Yes, you are right. Pinpoint provides many functionalities under one roof, Amazon Pinpoint.
Action Item: I can extend our docs to provide additional details about what an endpoint represents and the programming model with the concept of endpoint. Meanwhile I would suggest looking at the docs.

In short, an endpoint uniquely identifies a mobile device, email address, or phone number that can receive a message. You can use this resource to create or update endpoints. An endpoint has certain properties associated with it such as: User, Demographic, Location, etc. From an SDK perspective, it corresponds to the AWSPinpointEndpointProfile (https://github.com/aws-amplify/aws-sdk-ios/blob/master/AWSPinpoint/AWSPinpointEndpointProfile.h), which encapsulates all the information related to an endpoint. You can call the updateEndpoint API in the SDK to update any changes to the endpoint information.

3) A single user Id cannot be associated with more than 10 endpoints. If you are running your app on different emulators, you might have reached this limit easily. If you encountered this issue while testing on different emulators, I would suggest you remove the endpoints either through the SDK or the AWS CLI.

If this issue occurred in production to one of your users, can you provide additional details on how you set the userId in the endpointProfile?

4) Documentation: I understand that our docs talk about the introductory use-cases and detailed API reference.

Action Item: Add docs for advanced use-cases. Can you provide the list of use-cases you would like to see the docs for?

I have two action items from this issue and I will work on that.

@rromanchuk Please let me know if you need any further information.

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

Can someone explain how adding mobiletargeting:UpdateEndpoint isn't an issue where one user could update the endpoint of another user? Wouldn't that statement need some sort of condition to limit the endpoints to the ones of the submitting user?

While the attack surface is probably small (hard to guess a GUID), a +1 for an AWS answer to this? Any reason why this is not an issue? Any way to conditionally limit update access to only user-owned endpoints?
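The two policies posted in this thread (the reporter's and the one AWS suggested) and the unanswered UpdateEndpoint concern in the last two comments can be checked offline before the role is attached; the script below does that. It is an added example, not code from aws-sdk-ios or from anyone in the thread: audit_policy and the finding codes are its own names, and the two policies are copied from the thread with the reporter's account id left as redacted there.

```python
"""Offline least-privilege audit of the Pinpoint policies in this thread (added example)."""
import re

# IAM policy variables carry a provider prefix (aws:, cognito-identity.amazonaws.com:, ...),
# so a bare ${accountID} or ${appId} is a documentation placeholder, not something IAM expands.
_BARE_PLACEHOLDER = re.compile(r"\$\{([^}:]+)\}")

def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list[tuple[str, str, str]]:
    """Return (sid, code, detail) findings for every Allow statement in the policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append((sid, "WILDCARD_RESOURCE",
                                 f"{', '.join(actions)} allowed on every app in the account"))
            for name in _BARE_PLACEHOLDER.findall(res):
                findings.append((sid, "UNSUBSTITUTED_PLACEHOLDER",
                                 f"${{{name}}} is not an IAM policy variable; substitute the real value"))
        # The concern raised at the end of the thread: nothing ties the caller to an endpoint id.
        if "mobiletargeting:UpdateEndpoint" in actions and "Condition" not in stmt:
            findings.append((sid, "UNCONDITIONED_UPDATE_ENDPOINT",
                             "any holder of this role may rewrite any endpoint id under the matched apps"))
    return findings

# Both policies are copied from the thread; the reporter's account id was already redacted there.
REPORTER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["mobiletargeting:PutEvents", "mobileanalytics:PutEvents"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "mobiletargeting:UpdateEndpoint",
     "Resource": "arn:aws:mobiletargeting:us-east-1:[redacted]:apps/[pinpoint_app_id]*"},
    {"Sid": "VisualEditor2", "Effect": "Allow", "Action": "mobiletargeting:GetUserEndpoints",
     "Resource": "arn:aws:mobiletargeting:us-east-1:[redacted]:apps/[pinpoint_app_id]*"}]}
AWS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["mobiletargeting:UpdateEndpoint", "mobiletargeting:PutEvents"],
     "Resource": ["arn:aws:mobiletargeting:*:${accountID}:apps/${appId}*"]}]}

if __name__ == "__main__":
    for label, policy in (("reporter", REPORTER_POLICY), ("aws", AWS_POLICY)):
        for sid, code, detail in audit_policy(policy):
            print(f"[{label}] {sid}: {code}: {detail}")
```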
