Create a Cognito Identity Pool

Did this end up causing an issue for you?

I got this “Invalid UserPoolId format” at this step.
Tried to follow every minimal step until now but haven't found out how to get over it.

Hi there, I seem to be getting two errors while writing the policy document.

Does anyone know how to solve it? I double checked everything.

Is your policy valid JSON? Can you post it here?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::notes-app-for-file-uploads/private/${cognito-identity.amazonaws.com:sub}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute- api:us-east-2:*:he545pdhb0/*/*/*"
      ]
    }
  ]
}

How come there is a space there?

I somehow got an error, then after I clicked “Allow” again, it says my role is already created…

Huh, is it possible to have some errors in my policy and still create a role?

Here’s what it looks like.

Hi,
Thanks for the great resource. I just got stuck on testing the identity pool. I get the following message:

npx: installed 105 in 7.555s
Authenticating with User Pool
Getting temporary credentials
Making API request
{
  status: 500,
  statusText: 'Internal Server Error',
  data: {
    error: 'User: arn:aws:sts::173915777836:assumed-role/wesnotes-app-api-prod-eu-central-1-lambdaRole/wesnotes-app-api-prod-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:eu-central-1:173915777836:table/notes'
  }
}

I went into IAM and checked the policy entered for the authorised role, deleted it and re-entered it. The result is still the same.

Where should I look next?

Grateful for your help.

regards,

Wessel

Sorry for bothering you. Solved it myself:
There was still a reference to a US region in serverless.yml (in the iamRoleStatements) that I had to replace by eu-central-1.

Hmm so you created it without any spaces in the API Gateway resource?

Ah. Glad you figured it out. Thanks for reporting back!

I tried it without the bottom, but then it shows the 2 errors at the bottom; does that mean it’s created?

Can I configure the below access to be emailId of the logged in user instead of the authenticated user’s federated identity ID?

"Resource": [
  "arn:aws:s3:::YOUR_S3_UPLOADS_BUCKET_NAME/private/${cognito-identity.amazonaws.com:sub}/*"
]

Basically I am going to have a profile detail form in my app where I will store the profile for each user in the DynamoDB table. In the create endpoint, I have already changed the userId from userId: event.requestContext.identity.cognitoIdentityId to emailId.

Hi,

Can someone please point out what could be wrong? When I try the npx aws-api-gateway-cli-test I get the below error:

{
  status: 403,
  statusText: 'Forbidden',
  data: {
    message: 'User: arn:aws:sts::1111111111111:assumed-role/Cognito_notesAuth_Role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:ap-south-1:********1111:abcdef12fd/prod/POST/notes'
  }
}

I tried the API simulator in AWS, and there I also get denied, i.e. a "denied (implicitly denied)" error. Below is the Cognito policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": ["arn:aws:execute-api:ap-south-1:*:abcdef12fd/*/*/*"]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::abc-notes-app-uploads/private/${cognito-identity.amazonaws.com:sub}/*"
        }
    ]
}

I checked the Redirecting… as well.

Thanks!
Jay

I even tried having only the execute-api in the Policy and simulation still fails.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:ap-south-1:*:abcdef12fd/*/*/*"
        }
    ]
}

Hmm I’m not entirely sure, since that is managed internally by AWS Amplify. If you want to manage uploads yourself, you could directly use the AWS JS SDK. That way you can create the directories you want.

Can you try setting the Resource as *? Just as a test? Then you’ll know if there is a problem with the Resource format.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "*"
        }
    ]
}

The above works and the below fails.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:*:*/*/*/*"
        }
    ]
}

and the below one fails as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:ap-south-1:1111111111111:abcdef12fd/*/*/*"
        }
    ]
}

@jayair How do I make sure it works with the ARN resource? What is it that I am doing wrong?
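The problems raised in this thread (a policy that is not valid JSON, a stray space inside an execute-api ARN, a region left over from another deployment, and a misspelled identity-pool policy variable) can all be caught before the role is tested. The following linter is an added example, not code from the tutorial or from AWS; the sample policy it checks is constructed from the values posted above, and the expected region is an assumed parameter.

```python
import json
import re

# Constructed sample built from the thread's values: one Resource carries the
# stray space, another misspells the identity-pool policy variable.
SAMPLE_POLICY = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["execute-api:Invoke"],
     "Resource": ["arn:aws:execute- api:us-east-2:*:he545pdhb0/*/*/*"]},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::notes-app-for-file-uploads/private/${cognitoidentity.amazonaws.com:sub}/*"]}
  ]
}'''

# Shape of an API Gateway execute-api ARN:
# arn:aws:execute-api:<region>:<account or *>:<api-id>/<stage>/<method>/<path>
EXECUTE_API_ARN = re.compile(
    r"^arn:aws:execute-api:(?P<region>[a-z0-9-]+|\*):(?P<account>\d{12}|\*):"
    r"(?P<api>[a-z0-9]+|\*)/(?P<stage>[^/]+)/(?P<method>[A-Z*]+)/(?P<path>.*)$")
# The only Cognito identity variable IAM substitutes in the S3 private prefix.
IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

def lint_policy(text, expected_region=None):
    """Return a list of problems found in an identity-pool auth role policy."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if " " in res:
                problems.append(f"statement {i}: whitespace inside ARN {res!r}")
                res = res.replace(" ", "")  # keep checking the intended value
            if res.startswith("arn:aws:execute-api:"):
                m = EXECUTE_API_ARN.match(res)
                if not m:
                    problems.append(f"statement {i}: malformed execute-api ARN {res!r}")
                elif expected_region and m["region"] not in ("*", expected_region):
                    problems.append(f"statement {i}: region {m['region']} != {expected_region}")
            if "cognito" in res and IDENTITY_VAR not in res:
                problems.append(f"statement {i}: expected policy variable {IDENTITY_VAR}")
        # s3:* or * on every resource is wider than the per-user prefix the tutorial intends.
        if any(a in ("s3:*", "*") for a in actions) and "*" in resources:
            problems.append(f"statement {i}: broad action on Resource '*'")
    return problems
```

Pass the region your serverless.yml deploys to as expected_region; a resource whose region differs is reported, which is the mismatch that produced the 500 above.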