Updating Cognito User Pool EmailConfiguration->ConfigurationSet changes other settings outside this scope #6484

Closed
2 tasks done
trogau opened this issue Oct 15, 2021 · 3 comments
Labels
cognito-idp guidance Question that needs advice or information. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.


trogau commented Oct 15, 2021

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
Updating a Cognito User Pool via AWS CLI to add a Configuration Set changes several other settings that are not specified in the payload.

SDK version number
aws-cli/2.1.22 Python/3.7.9 Windows/10 exe/AMD64 prompt/off

Platform/OS/Hardware/Device
Windows.

To Reproduce (observed behavior)

  1. Dump your current user pool settings: aws cognito-idp describe-user-pool --user-pool-id ap-uat-pool > uat-pool-current-settings.json
  2. Update your user pool to have a new configuration set: aws cognito-idp update-user-pool --user-pool-id uat-pool --email-configuration="SourceArn=arn:aws:ses:us-west-2:18941781714:identity/accounts@example.com,EmailSendingAccount=DEVELOPER,From=Explorate <accounts@example.com>,ConfigurationSet=SESConfSet"
  3. Re-dump your current user pool settings and diff them with the ones from step 1. (You can also manually verify the changes in the console, but it might be faster/safer/easier to check via diff if you're familiar with the JSON output from this command.)

When we did this in two of our user pools, the ConfigurationSet was correctly updated, but the following features also changed:
– MFA & verifications: Email verification seemed to be disabled & switched to ‘no verification’ (AutoVerifiedAttributes in the JSON diff).
– Message customizations: email verification message template & user invitation message template were both erased.
– Devices: “Do you want to remember your user’s devices” was set to No.

Expected behavior
I'd expected the changes would be limited to the EmailConfiguration scope, which was the only section passed in via CLI.

Additional context
Possibly related to this older issue: #3302


tim-finnigan commented Oct 15, 2021

Hi @trogau, thanks for reaching out. Someone shared this AWS Forums Post in the issue you mentioned, where an AWS employee wrote:

This is the expected behavior of UpdateUserPool request. When you update user pool through cli, you should provide all the user pool attributes with the values you want it to be updated or kept. If you don't provide a value for the attribute, service will override it to the default setting.

The UpdateUserPool service API documentation notes the same:

If you don't provide a value for an attribute, it will be set to the default value.

So I think in your case you’d want to also specify --mfa-configuration, --sms-configuration, and --device-configuration in order to avoid those getting set to the default value.

Does that help resolve your issue? Please let us know if you have any questions.
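
An added example (not part of the issue thread and not AWS CLI project code): one way to apply the advice above is to rebuild the full UpdateUserPool request from the `describe-user-pool` dump so that only the intended setting changes, and to compare two dumps as in step 3 of the report. The function names and sample dumps are constructed for illustration; the key list covers the UpdateUserPool parameters as of 2021.

```python
import copy

# UpdateUserPool parameters that DescribeUserPool also returns under "UserPool"
# (the API as of 2021; extend the tuple if your SDK version has newer ones).
MUTABLE_KEYS = (
    "Policies", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "MfaConfiguration", "DeviceConfiguration",
    "EmailConfiguration", "SmsConfiguration", "UserPoolTags",
    "AdminCreateUserConfig", "UserPoolAddOns", "AccountRecoverySetting",
)

def build_update_request(described, **overrides):
    """Carry every current mutable setting forward, then apply overrides."""
    pool = described["UserPool"]
    request = {"UserPoolId": pool["Id"]}
    for key in MUTABLE_KEYS:
        if key in pool:
            request[key] = copy.deepcopy(pool[key])
    for key, value in overrides.items():
        if key not in MUTABLE_KEYS:
            raise KeyError(f"not an UpdateUserPool setting: {key}")
        if isinstance(value, dict) and isinstance(request.get(key), dict):
            request[key].update(value)   # merge, e.g. add ConfigurationSet only
        else:
            request[key] = value
    return request

def changed_settings(before, after):
    """Names of mutable settings that differ between two describe dumps."""
    b, a = before["UserPool"], after["UserPool"]
    return sorted(k for k in MUTABLE_KEYS if b.get(k) != a.get(k))

# Constructed sample dumps (not real pools): BEFORE is a trimmed describe
# output; AFTER_PARTIAL mimics the resets reported in the issue.
BEFORE = {"UserPool": {
    "Id": "us-west-2_EXAMPLE", "Status": "Enabled", "MfaConfiguration": "OFF",
    "AutoVerifiedAttributes": ["email"],
    "EmailVerificationMessage": "Your code is {####}",
    "DeviceConfiguration": {"DeviceOnlyRememberedOnUserPrompt": True},
    "EmailConfiguration": {"EmailSendingAccount": "DEVELOPER"},
}}
AFTER_PARTIAL = {"UserPool": {
    "Id": "us-west-2_EXAMPLE", "Status": "Enabled", "MfaConfiguration": "OFF",
    "EmailConfiguration": {"EmailSendingAccount": "DEVELOPER",
                           "ConfigurationSet": "SESConfSet"},
}}
```

The returned dict uses the API's parameter names, so it can be passed as keyword arguments to boto3's `update_user_pool` or written out as JSON for `--cli-input-json`. A non-empty result from `changed_settings` beyond the setting you meant to change is the signal that verification, message templates or device settings were reset.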


trogau commented Oct 16, 2021

@tim-finnigan: thanks for the prompt reply. You're right and my apologies, I had read the API docs for this feature but had just completely missed the bit about the default value being set if not provided.

Thanks again; closing as resolved.

@trogau trogau closed this as completed Oct 16, 2021