Cognito UserPoolClient resource creation fails with internal operator error #807
Comments
Hi @mdundek, thank you for raising this issue. I checked your examples and there are a few things missing; the example below is working successfully, can you try it, please?
Difference from your example:
Hello @turkenf, thanks for your reply. I have integrated your suggestions, unfortunately without success. Here is what I used in my test:

```yaml
apiVersion: cognitoidp.aws.upbound.io/v1beta1
kind: UserPool
metadata:
  labels:
    test.upbound.io/userpool-name: my-user-pool
  name: my-user-pool
spec:
  forProvider:
    name: my-user-pool
    autoVerifiedAttributes:
      - email
    usernameAttributes:
      - email
    passwordPolicy:
      - minimumLength: 6
        requireNumbers: false
        requireSymbols: false
        requireUppercase: false
        requireLowercase: false
    region: us-east-1
  providerConfigRef:
    name: test-aws-dev
---
apiVersion: cognitoidp.aws.upbound.io/v1beta1
kind: UserPoolClient
metadata:
  labels:
    test.upbound.io/user-pool-client-name: my-user-pool-client
  name: my-user-pool-client
spec:
  forProvider:
    name: my_user_pool_client
    region: us-east-1
    userPoolIdSelector:
      matchLabels:
        test.upbound.io/userpool-name: my-user-pool
    allowedOauthFlows:
      - code
    explicitAuthFlows:
      - ALLOW_REFRESH_TOKEN_AUTH
      - ALLOW_CUSTOM_AUTH
      - ALLOW_USER_SRP_AUTH
    generateSecret: false
    callbackUrls:
      - http://localhost:8000
    allowedOauthFlowsUserPoolClient: true
    allowedOauthScopes:
      - email
      - openid
      - profile
    refreshTokenValidity: 2
    idTokenValidity: 1
  providerConfigRef:
    name: test-aws-dev
```

And here is the result of my

```text
Name:         my-user-pool-client
Namespace:
Labels:       test.upbound.io/user-pool-client-name=my-user-pool-client
Annotations:  <none>
API Version:  cognitoidp.aws.upbound.io/v1beta1
Kind:         UserPoolClient
Metadata:
  Creation Timestamp:  2023-08-11T14:37:26Z
  Generation:          2
  Managed Fields:
    API Version:  cognitoidp.aws.upbound.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
        f:labels:
          .:
          f:test.upbound.io/user-pool-client-name:
      f:spec:
        .:
        f:deletionPolicy:
        f:forProvider:
          .:
          f:allowedOauthFlows:
          f:allowedOauthFlowsUserPoolClient:
          f:allowedOauthScopes:
          f:callbackUrls:
          f:explicitAuthFlows:
          f:generateSecret:
          f:idTokenValidity:
          f:name:
          f:refreshTokenValidity:
          f:region:
          f:userPoolIdSelector:
            .:
            f:matchLabels:
              .:
              f:test.upbound.io/userpool-name:
        f:managementPolicy:
        f:providerConfigRef:
          .:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-08-11T14:37:26Z
    API Version:  cognitoidp.aws.upbound.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:forProvider:
          f:userPoolId:
          f:userPoolIdRef:
            .:
            f:name:
    Manager:      provider
    Operation:    Update
    Time:         2023-08-11T14:37:39Z
    API Version:  cognitoidp.aws.upbound.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:atProvider:
        f:conditions:
    Manager:      provider
    Operation:    Update
    Subresource:  status
    Time:         2023-08-11T14:37:43Z
  Resource Version:  86027221
  UID:               0c107bfa-e99d-4f9a-a7c2-fde9cb18d72c
Spec:
  Deletion Policy:  Delete
  For Provider:
    Allowed Oauth Flows:
      code
    Allowed Oauth Flows User Pool Client:  true
    Allowed Oauth Scopes:
      email
      openid
      profile
    Callback Urls:
      http://localhost:8000
    Explicit Auth Flows:
      ALLOW_REFRESH_TOKEN_AUTH
      ALLOW_CUSTOM_AUTH
      ALLOW_USER_SRP_AUTH
    Generate Secret:         false
    Id Token Validity:       1
    Name:                    my_user_pool_client
    Refresh Token Validity:  2
    Region:                  us-east-1
    User Pool Id:            us-east-1_UQlcsuSNl
    User Pool Id Ref:
      Name:  my-user-pool
    User Pool Id Selector:
      Match Labels:
        test.upbound.io/userpool-name:  my-user-pool
  Management Policy:  FullControl
  Provider Config Ref:
    Name:  msi-aws-dev
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2023-08-11T14:37:43Z
    Message:               observe failed: cannot run refresh: refresh failed: reading Amazon Cognito IDP (Identity Provider) User Pool Client (): InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, DescribeUserPoolClientInput.ClientId.
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
Events:
  Type     Reason                           Age                    From                                                            Message
  ----     ------                           ----                   ----                                                            -------
  Warning  CannotResolveResourceReferences  6m53s (x4 over 6m58s)  managed/cognitoidp.aws.upbound.io/v1beta1, kind=userpoolclient  cannot resolve references: mg.Spec.ForProvider.UserPoolID: referenced field was empty (referenced resource may not yet be ready)
  Warning  CannotObserveExternalResource    6s (x9 over 6m41s)     managed/cognitoidp.aws.upbound.io/v1beta1, kind=userpoolclient  cannot run refresh: refresh failed: reading Amazon Cognito IDP (Identity Provider) User Pool Client (): InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, DescribeUserPoolClientInput.ClientId.
```

NOTE: The UserPool is healthy.
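The thread shows two different warnings on the same resource, and only the second one persists. The following triage helper is an added example (not code from the issue or from provider-aws): given the UserPool's labels and the UserPoolClient object as `kubectl get userpoolclient <name> -o json` returns it, it separates a selector mismatch and a not-yet-resolved reference from the empty-ClientId observe error seen above; the input below is constructed from the values quoted in this comment.

```python
# Added example, not from the issue or provider-aws: classify why a Crossplane
# UserPoolClient is not Synced, from the UserPool labels and the client object
# as `kubectl get userpoolclient <name> -o json` returns it.
import re

# Constructed from the values quoted in the thread.
USER_POOL_LABELS = {"test.upbound.io/userpool-name": "my-user-pool"}
CLIENT = {
    "spec": {"forProvider": {
        "userPoolIdSelector": {"matchLabels": {"test.upbound.io/userpool-name": "my-user-pool"}},
        "userPoolId": "us-east-1_UQlcsuSNl",   # already resolved by the provider
    }},
    "status": {"conditions": [{
        "type": "Synced", "status": "False", "reason": "ReconcileError",
        "message": "observe failed: cannot run refresh: refresh failed: reading Amazon "
                   "Cognito IDP (Identity Provider) User Pool Client (): InvalidParameter: "
                   "1 validation error(s) found.\n- minimum field size of 1, "
                   "DescribeUserPoolClientInput.ClientId.",
    }]},
}
EMPTY_CLIENT_ID = re.compile(r"minimum field size of 1, DescribeUserPoolClientInput\.ClientId")


def selector_matches(pool_labels, client):
    """True if every label in userPoolIdSelector.matchLabels is on the UserPool."""
    wanted = client["spec"]["forProvider"].get("userPoolIdSelector", {}).get("matchLabels", {})
    return bool(wanted) and all(pool_labels.get(k) == v for k, v in wanted.items())


def diagnose(pool_labels, client):
    """Return 'synced', 'selector-mismatch', 'reference-unresolved',
    'observe-empty-client-id' or 'other-reconcile-error'."""
    conds = {c["type"]: c for c in client.get("status", {}).get("conditions", [])}
    synced = conds.get("Synced", {})
    if synced.get("status") == "True":
        return "synced"
    if not selector_matches(pool_labels, client):
        return "selector-mismatch"        # labels in the two manifests disagree
    if not client["spec"]["forProvider"].get("userPoolId"):
        return "reference-unresolved"     # UserPool not Ready yet; usually transient
    if EMPTY_CLIENT_ID.search(synced.get("message", "")):
        # Reference resolved, yet DescribeUserPoolClient is called with an empty
        # ClientId: the provider observes a client it never created, so the
        # manifests are not at fault and the provider version is what to check.
        return "observe-empty-client-id"
    return "other-reconcile-error"


if __name__ == "__main__":
    print(diagnose(USER_POOL_LABELS, CLIENT))  # observe-empty-client-id
```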
Which provider version are you using?
I am using xpkg.upbound.io/upbound/provider-aws:v0.37.0
I just tried the example you gave and it works fine in v0.38.0; there may be a problem with your environment. You can check the following:
This is still an issue in the latest version of the provider. I believe #1021 will fix it.
What happened?
Creating a Cognito UserPoolClient for a UserPool fails. The resource passes validation successfully when being applied, but the client is never created. When checking the status of the resource, I get the following result:
How can we reproduce it?
Create a UserPool:
Then create the UserPoolClient:
Then check UserPoolStatus:
Which prints the error mentioned in the problem description above.
When checking the AWS console for the UserPool, the UserPoolClient is never created.
What environment did it happen in?