Apparently there is an issue with UserPool update - not possible to modify UserPool properties at all.
The stack update fails with:
Details:

```yaml
Type: "AWS::Cognito::UserPool"
Properties:
  ..... (more properties)
  Policies:
    PasswordPolicy:
      RequireNumbers: false
  ..... (more properties)
```
And a second issue with LambdaTriggers for UserPool, which are a part of the same CloudFormation stack.
After the stack is successfully created, LambdaTriggers fail to execute with an AccessDenied exception. Lambda functions are mapped correctly as Triggers.
The remedy for this is to go to AWS Console/UserPool properties/Triggers and just "Save changes" without changing anything.
For your second issue (AccessDenied) you have to add permissions for the user pool to execute the lambda; you can do it in CF like that:

```yaml
# Resource-based policy on the trigger function: lets the Cognito service
# principal invoke it, but only on behalf of this user pool (SourceArn).
CognitoPostAuthLambaPermission:
  Type: "AWS::Lambda::Permission"
  Properties:
    Action: "lambda:InvokeFunction"
    FunctionName: !Ref PostAuthLambdaHandler   # Ref on a Lambda function returns its name
    Principal: "cognito-idp.amazonaws.com"
    SourceArn: !GetAtt CognitoUserPool.Arn      # restricts the permission to this pool
```

And about your first issue, I saw something similar when trying to update "AWS::Cognito::UserPoolClient". It fails with Internal Failure.
It looks like there's some problem even in Cognito UI. It fails when you try to update the ClientName if you don't click "show details" first.
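The permission above is easy to forget for one trigger out of several, and the symptom (AccessDenied at sign-in time) only shows up after deployment. The following is an added example, not code from this thread or from SAM: a small check that walks a CloudFormation template (JSON form, where `!Ref`/`!GetAtt` appear as `Ref`/`Fn::GetAtt`), finds every `LambdaConfig` trigger on an `AWS::Cognito::UserPool`, and reports triggers that have no `AWS::Lambda::Permission` for `cognito-idp.amazonaws.com` scoped to that pool, then generates the missing resource. The sample template and the logical IDs (`CognitoUserPool`, `PostAuthLambdaHandler`, `PreSignUpLambdaHandler`) are constructed for illustration.

```python
"""Added example (not code from the thread): find Cognito User Pool Lambda
triggers in a CloudFormation template that lack the AWS::Lambda::Permission
described above, and generate the missing resource.
Logical IDs such as PostAuthLambdaHandler are assumptions for illustration."""
import copy
import json

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"

# Constructed sample template in JSON form (the thread's YAML uses !Ref/!GetAtt,
# which CloudFormation reads as the long-form intrinsics below).
# PostAuthentication has its permission; PreSignUp does not.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CognitoUserPool": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {
                "UserPoolName": "example-pool",
                "LambdaConfig": {
                    "PostAuthentication": {"Fn::GetAtt": ["PostAuthLambdaHandler", "Arn"]},
                    "PreSignUp": {"Fn::GetAtt": ["PreSignUpLambdaHandler", "Arn"]},
                },
            },
        },
        "PostAuthLambdaHandler": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "PreSignUpLambdaHandler": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "CognitoPostAuthLambdaPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "PostAuthLambdaHandler"},
                "Principal": COGNITO_PRINCIPAL,
                "SourceArn": {"Fn::GetAtt": ["CognitoUserPool", "Arn"]},
            },
        },
    }
}


def logical_id(value):
    """Logical ID referenced by a Ref or Fn::GetAtt intrinsic, else None.
    Ref on a Lambda function gives its name, GetAtt .Arn its ARN; both name
    the same resource, so either form identifies the function."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else target.split(".")[0]
    return None  # literal ARN or other intrinsic: not resolved here


def permission_covers(props, fn_id, pool_id):
    """True if an AWS::Lambda::Permission lets the Cognito service principal
    invoke fn_id, scoped with SourceArn to pool_id. Without SourceArn any
    user pool in any account could invoke the trigger, so it is not accepted."""
    return (
        props.get("Action") == "lambda:InvokeFunction"
        and props.get("Principal") == COGNITO_PRINCIPAL
        and logical_id(props.get("FunctionName")) == fn_id
        and logical_id(props.get("SourceArn")) == pool_id
    )


def find_missing_trigger_permissions(template):
    """Return (pool_id, trigger_name, fn_id) for every trigger without a permission."""
    resources = template.get("Resources", {})
    permissions = [r.get("Properties", {}) for r in resources.values()
                   if r.get("Type") == "AWS::Lambda::Permission"]
    missing = []
    for pool_id, res in resources.items():
        if res.get("Type") != "AWS::Cognito::UserPool":
            continue
        for trigger, value in res.get("Properties", {}).get("LambdaConfig", {}).items():
            if trigger == "KMSKeyID":
                continue  # a KMS key, not a trigger
            if isinstance(value, dict) and "LambdaArn" in value:
                value = value["LambdaArn"]  # CustomSMSSender / CustomEmailSender form
            fn_id = logical_id(value)
            if fn_id is None:
                continue  # function defined outside the stack: check it by hand
            if not any(permission_covers(p, fn_id, pool_id) for p in permissions):
                missing.append((pool_id, trigger, fn_id))
    return missing


def add_trigger_permissions(template):
    """Return a copy of the template with a pool-scoped permission for each missing trigger."""
    fixed = copy.deepcopy(template)
    for pool_id, trigger, fn_id in find_missing_trigger_permissions(template):
        fixed["Resources"][f"{fn_id}{trigger}Permission"] = {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": fn_id},
                "Principal": COGNITO_PRINCIPAL,
                "SourceArn": {"Fn::GetAtt": [pool_id, "Arn"]},
            },
        }
    return fixed


if __name__ == "__main__":
    for pool_id, trigger, fn_id in find_missing_trigger_permissions(SAMPLE_TEMPLATE):
        print(f"{pool_id}.LambdaConfig.{trigger} -> {fn_id}: no cognito-idp invoke permission")
    fixed = add_trigger_permissions(SAMPLE_TEMPLATE)
    added = {k: v for k, v in fixed["Resources"].items() if k not in SAMPLE_TEMPLATE["Resources"]}
    print(json.dumps(added, indent=2))
```

The check deliberately treats a permission without `SourceArn` as missing: `Principal: cognito-idp.amazonaws.com` alone grants the Cognito service in any account the right to invoke the function, and the `SourceArn` condition is what ties it to your pool. Triggers that point at a literal ARN outside the stack are skipped and have to be checked against the function's resource policy by hand.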
@kskory thanks for the "Lambda Permission" hint. It solved "AccessDenied" issue with Triggers.
I'm seeing the same "Internal Failure" issues (as well as several other issues with Cognito User Pools in CF). It seems half baked. :(
These look like general CloudFormation issues not specific to SAM. I think you might be better off asking in the AWS forums (although my question there about AWS::Cognito::UserPoolClient from last week has yet to be answered).
It seems the issue has been fixed.