
admin_link_provider_for_user #4163

Closed
waltertschwe opened this issue Jun 11, 2024 · 4 comments
Labels
bug This issue is a confirmed bug. cognito-idp p2 This is a standard priority issue service-api This issue is caused by the service API, not the SDK implementation.

Comments


waltertschwe commented Jun 11, 2024

Describe the bug

When linking a cognito user to okta by making a call like this:

response = client.admin_link_provider_for_user(
    UserPoolId=user_pool_id,
    DestinationUser={
        "ProviderName": "Cognito",
        "ProviderAttributeName": "Cognito_Subject",
        "ProviderAttributeValue": username,
    },
    SourceUser={
        "ProviderName": "OktaOIDC",
        "ProviderAttributeName": "Cognito_Subject",
        "ProviderAttributeValue": okta_id,
    },
)

I get a success back. When I try to make a subsequent call using the same username and a different okta_id I get the following error:
Error: An error occurred (InvalidParameterException) when calling the AdminLinkProviderForUser operation: Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser, only as a DestinationUser

Even though I get this error it looks like the linking is still made.

Expected Behavior

I would expect to be able to link multiple okta IDs to a cognito user as shown here:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html

Current Behavior

Error:
Error: An error occurred (InvalidParameterException) when calling the AdminLinkProviderForUser operation: Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser, only as a DestinationUser

Reproduction Steps

import boto3
import typer

client = boto3.client("cognito-idp")
user_pool_id = "<user-pool-id>"  # placeholder: the pool id is not given in the report
cognito_id = "cog_user"
okta_ids = ["user_1", "user_2"]

for okta_id in okta_ids:
    try:
        response = client.admin_link_provider_for_user(
            UserPoolId=user_pool_id,
            DestinationUser={
                "ProviderName": "Cognito",
                "ProviderAttributeName": "Cognito_Subject",
                "ProviderAttributeValue": cognito_id,
            },
            SourceUser={
                "ProviderName": "OktaOIDC",
                "ProviderAttributeName": "Cognito_Subject",
                "ProviderAttributeValue": okta_id,
            },
        )
        # user_1 success response  <-- user_1 FLOW falls here
        typer.echo(
            f"Okta user {okta_id} linked to Cognito user {cognito_id} successfully: {response}"
        )
    except Exception as e:
        # user_2 falls into this exception <-- user_2 FLOW falls into the Exception
        # NOTE: When linking a second Okta ID this error is being returned from Cognito:
        # Error: An error occurred (InvalidParameterException) when calling the AdminLinkProviderForUser operation:
        # Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser,
        # only as a DestinationUser

        # However the linking is still created.
        typer.echo(f"Linking Okta user {okta_id} to Cognito user {cognito_id} failed: {e}")

Possible Solution

No response

Additional Information/Context

No response

SDK version used

aws-cli/1.22.34 Python/3.10.12 Linux/6.5.0-1020-aws botocore/1.34.38

Environment details (OS name and version, etc.)

AWS Workspace Ubuntu
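A defensive wrapper, added here as an example (not the reporter's code and not part of boto3), that reads the user's `identities` attribute before and after AdminLinkProviderForUser so that the error reported above is not mistaken for a missing link and blindly retried. The `FakeCognitoClient` is a constructed stand-in reproducing the reported behaviour, and the JSON shape of the `identities` attribute (`providerName`/`userId` entries) is an assumption.

```python
import json

def linked_identities(user):
    """Federated links from an AdminGetUser response: Cognito keeps them in the
    'identities' attribute as a JSON list with 'providerName'/'userId' (assumed shape)."""
    for attr in user.get("UserAttributes", []):
        if attr["Name"] == "identities":
            return json.loads(attr["Value"])
    return []

def is_linked(user, provider_name, provider_user_id):
    return any(i.get("providerName") == provider_name and i.get("userId") == provider_user_id
               for i in linked_identities(user))

def link_if_missing(client, user_pool_id, username, provider_name, provider_user_id):
    """Link, then verify by re-reading the user. Returns 'already-linked', 'linked' or
    'linked-despite-error'; other failures are re-raised. Narrow the except clause to
    botocore.exceptions.ClientError when using a real boto3 client."""
    user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    if is_linked(user, provider_name, provider_user_id):
        return "already-linked"
    try:
        client.admin_link_provider_for_user(
            UserPoolId=user_pool_id,
            DestinationUser={"ProviderName": "Cognito", "ProviderAttributeName": "Cognito_Subject",
                             "ProviderAttributeValue": username},
            SourceUser={"ProviderName": provider_name, "ProviderAttributeName": "Cognito_Subject",
                        "ProviderAttributeValue": provider_user_id},
        )
        return "linked"
    except Exception:
        # The issue reports the link exists although the call raised: check before retrying.
        user = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
        if is_linked(user, provider_name, provider_user_id):
            return "linked-despite-error"
        raise

class FakeCognitoClient:
    """Constructed stand-in for the reported behaviour: the second link to the same
    destination user raises InvalidParameterException, yet the identity is recorded."""
    def __init__(self):
        self.identities = []
    def admin_get_user(self, UserPoolId, Username):
        return {"Username": Username, "UserAttributes": [
            {"Name": "identities", "Value": json.dumps(self.identities)}]}
    def admin_link_provider_for_user(self, UserPoolId, DestinationUser, SourceUser):
        self.identities.append({"providerName": SourceUser["ProviderName"],
                                "userId": SourceUser["ProviderAttributeValue"], "primary": False})
        if len(self.identities) > 1:
            raise RuntimeError("InvalidParameterException: Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser")
        return {}
```

Replace `FakeCognitoClient()` with `boto3.client("cognito-idp")` to run against a real user pool; the return value tells you whether the second Okta id really ended up on the user.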

@waltertschwe waltertschwe added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Jun 11, 2024
@tim-finnigan tim-finnigan self-assigned this Jun 13, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Jun 13, 2024
@tim-finnigan (Contributor) commented

Thanks for reaching out. The Boto3 admin_link_provider_for_user command involves a call to the underlying AdminLinkProviderForUser API, so this issue relates to the API behavior rather than Boto3 directly.

You referenced an AWS CLI version but not a Boto3 version — which version of Boto3 are you using? The latest is 1.34.126, and we recommend updating to a recent version if you have not already.

The error you shared (Invalid SourceUser: Cognito users with a username/password may not be passed in as a SourceUser, only as a DestinationUser) has been reported a few other times across GitHub:

I think what may be happening is that the link is successful and then subsequent API calls fail with that error. This is probably something that we would want to reach out to the Cognito team for and see if there could be a better error message or documentation to describe the current behavior.

Before we review this further, can you share your debug logs (with sensitive info redacted) by adding boto3.set_stream_logger('') to your script? That could help give more insight into the underlying issue.

@tim-finnigan tim-finnigan added service-api This issue is caused by the service API, not the SDK implementation. response-requested Waiting on additional information or feedback. cognito-idp p2 This is a standard priority issue and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels Jun 13, 2024

waltertschwe commented Jun 14, 2024

@tim-finnigan

Boto version:

>>> boto3.__version__
'1.34.44'

Debug logging:
[attached screenshot: cognito_error]

Thanks!

@tim-finnigan (Contributor) commented

Thanks for following up. I'll reach out to the Cognito team and try to get more info here. I also created a tracking issue for this in our cross-SDK repository since APIs like these are used across AWS SDKs. Please refer to aws/aws-sdk#766 for updates going forward.


This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
