AWS : Invalid identity pool configuration. Check assigned IAM roles for this pool

Ankur Akvaliya · May 18, 2017 · Viewed 12.9k times

I have created one user pool & identity pool.

I have used javascript sdk.

I am able to signup, send confirmation code & confirm user successfully with javascript sdk.

But when I try to sign in the user with the authenticate method and try to get credentials with "CognitoIdentityCredentials" by passing the idToken with the below code

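    // Map the user pool provider name to the ID token returned at sign-in.
    var logins = {};
    logins[cognitoEndpoint + "/" + userPoolId] = jwtToken;

    // Exchange the token for temporary AWS credentials via the identity pool.
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: identityPoolId,
      Logins: logins
    });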

it's giving me the below error

    Error: Invalid identity pool configuration. Check assigned IAM roles for this pool.
        at Request.extractError (aws-sdk.js:104063)
        at Request.callListeners (aws-sdk.js:106060)
        at Request.emit (aws-sdk.js:106034)
        at Request.emit (aws-sdk.js:105121)
        at Request.transition (aws-sdk.js:104843)
        at AcceptorStateMachine.runTo (aws-sdk.js:108480)
        at aws-sdk.js:108492
        at Request.<anonymous> (aws-sdk.js:104859)
        at Request.<anonymous> (aws-sdk.js:105123)
        at Request.callListeners (aws-sdk.js:106070)

I have given administrator access to "Unauthenticated role" & "Unauthenticated role" of the identity pool and to the user whose credentials I am using.

I am new to AWS. Can anyone tell me what I am missing?

Any help would be appreciated.

Answer

Alex Hague · Sep 4, 2017

Check that the role you have assigned in Cognito Identity Pools (Federated Identities) has a trust relationship with the identity pool.

Get the identity pool ID + the name of the role that isn't working. To do this:

  • Go to Cognito
  • Select Manage Federated Identities
  • Select the identity pool
  • Click Edit identity pool (top right)
  • Make a note of the identity pool ID
  • Make a note of the name of the role that isn't working (e.g. Cognito_blahUnauth_Role)

In IAM, check the trust relationship for the role. Ensure that the StringEquals condition value matches the identity pool ID.

To do this:

  • Go to IAM
  • Click Roles
  • Click the name of the role that you noted previously
  • Click Trust relationships
  • On the right under Conditions, check that the StringEquals condition contains the identity pool ID that you noted previously.

Edit the trust relationship to fix.
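
The trust-relationship check described in this answer can also be run offline against the role's policy document. The following is an added example, not code from the original post or from AWS: the pool IDs are constructed placeholders, the function names are hypothetical, and the `amr` (authenticated/unauthenticated) check goes one step beyond the `StringEquals` check the answer describes.

```javascript
// Added example: offline check of a Cognito role's IAM trust policy.
const COGNITO = "cognito-identity.amazonaws.com";
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM GetRole returns AssumeRolePolicyDocument URL-encoded; accept that or an object.
function parseTrustPolicy(doc) {
  return typeof doc === "string" ? JSON.parse(decodeURIComponent(doc)) : doc;
}

// Returns a list of problems; an empty list means the pool can assume the role.
// kind is "authenticated" or "unauthenticated" (the role slot in the identity pool).
function checkTrustPolicy(doc, poolId, kind) {
  const policy = parseTrustPolicy(doc);
  const candidates = asArray(policy.Statement).filter((s) =>
    s.Effect === "Allow" &&
    asArray(s.Principal && s.Principal.Federated).includes(COGNITO) &&
    asArray(s.Action).includes("sts:AssumeRoleWithWebIdentity"));
  if (candidates.length === 0) {
    return ["no Allow statement trusts " + COGNITO + " for sts:AssumeRoleWithWebIdentity"];
  }
  const problems = [];
  for (const s of candidates) {
    const cond = s.Condition || {};
    const aud = asArray((cond.StringEquals || {})[COGNITO + ":aud"]);
    const amr = asArray((cond["ForAnyValue:StringLike"] || {})[COGNITO + ":amr"]);
    const issues = [];
    if (aud.length === 0) issues.push("StringEquals has no " + COGNITO + ":aud value");
    else if (!aud.includes(poolId)) issues.push("aud is " + aud.join(", ") + " but the pool is " + poolId);
    // Only judged when an amr condition is present; a role in the wrong slot fails here.
    if (amr.length > 0 && !amr.includes(kind)) issues.push("amr does not include " + kind);
    if (issues.length === 0) return []; // one fully matching statement is enough
    problems.push(...issues);
  }
  return problems;
}

// Constructed sample data: placeholder pool IDs, not real resources.
const POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
const STALE_POOL_ID = "us-east-1:11111111-1111-1111-1111-111111111111";
function sampleTrustPolicy(aud, amr) {
  return { Version: "2012-10-17", Statement: [{
    Effect: "Allow",
    Principal: { Federated: COGNITO },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: {
      StringEquals: { [COGNITO + ":aud"]: aud },
      "ForAnyValue:StringLike": { [COGNITO + ":amr"]: amr } } }] };
}
console.log(checkTrustPolicy(sampleTrustPolicy(STALE_POOL_ID, "authenticated"), POOL_ID, "authenticated"));
```

A role whose `aud` still names a deleted or different identity pool is reported with both IDs, which is the mismatch the answer's console steps look for by eye.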