AWS Events - Cognito User Pool Triggers fail to deploy #6593
Comments
Hey @zacharywenner thanks for opening 👍 I just tested this today and couldn't reproduce the problem. Here's the service I've used:

```yaml
service: test-${self:custom.idx}

provider:
  name: aws
  runtime: nodejs10.x
  versionFunctions: false
  region: eu-central-1
  stage: dev

custom:
  idx: 0
  COGNITO_POOL: TestPool

functions:
  preSignUp:
    handler: functions/handler.handler
    events:
      - cognitoUserPool:
          pool: ${self:custom.COGNITO_POOL}
          trigger: PreSignUp
          existing: true
  migrateUser:
    handler: functions/handler.handler
    events:
      - cognitoUserPool:
          pool: ${self:custom.COGNITO_POOL}
          trigger: UserMigration
          existing: true
  postConfirmation:
    handler: functions/handler.handler
    events:
      - cognitoUserPool:
          pool: ${self:custom.COGNITO_POOL}
          trigger: PostConfirmation
          existing: true
```

Could you update your Serverless Framework version and test again? We've shipped quite some fixes in the past (including fixes for the

Thanks!!! Perfect.

Hi there, I am experiencing a similar issue on MacOS:

```
~/Test-Cognito via ⬢ v12.12.0 took 4m 28s
➜ sls -v
Framework Core: 1.59.3
Plugin: 3.2.5
SDK: 2.2.1
Components Core: 1.1.2
Components CLI: 1.4.0
```

```
Serverless: Operation failed!
Serverless: View the full error output: https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aeu-central-1%3Axxxxxx%3Astack%2FTestCognitoTriggers-dev%2F8fb29640-1a90-11ea-98f1-0234c67787da
Serverless Error ---------------------------------------
An error occurred: SignUp2CustomCognitoUserPool1 - Failed to create resource. User: arn:aws:sts::xxxxxxx:assumed-role/TestCognitoTriggers-dev-IamRoleCustomResourcesLamb-1QB91PFWRLPIJ/TestCognitoTriggers-dev-custom-resource-existing-cup is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxx:role/wazifa0a84a872_sns-role-dev See details in CloudWatch Log: 2019/12/09/[$LATEST]b120bcd6f8b74dc5a582ce6c9175d1ea.
```

```yaml
service: TestCognitoTriggers

provider:
  name: aws
  runtime: nodejs12.x
  stage: dev
  region: eu-central-1
  versionFunctions: false

custom:
  COGNITO_POOL: <an-exisiting-user-pool-name>

functions:
  SignUp2:
    handler: handler.SignUp
    events:
      - cognitoUserPool:
          pool: ${self:custom.COGNITO_POOL}
          trigger: PreSignUp
          existing: true
```

I have updated serverless but still getting this error :(

Update:

@ghariosk That might have been related to my issue too. I created the user pool with aws-amplify.

Hello, I am having the same issue without Amplify, and I even tried to delete my whole CloudFormation stack and my user pool. It had been created via Serverless Framework, as I show in the yml below:
here is the error:
yml necessary details:

⊂◉‿◉つ I just ran into this as well. When removing the stack:
I had to manually delete the stack and re-deploy. It also seems like there *might be a race condition with the creation of these custom resources & when the permissions get attached to the lambda functions with Aside, the reason I was removing the deploy was an error from After re-deploying the stack, everything works, no lambda permission issue. I might try to use

I'm running into this problem. I don't understand why it's creating a lambda with a weird, non-controlled name that I can't set or specify. All I want is to set an existing cognito user pool, but it seems to want to do more than that, but create a lambda and I've got a highly controlled deployment role and this lambda is not in that list. What's the purpose of this lambda and can I avoid creating it?

Hey @christhomas - the Lambda that is created is needed for backing the CloudFormation Custom Resource that is used for managing the attachment of the trigger handlers to the Cognito User Pool - unfortunately, there is no native CloudFormation resource that allows to configure it if the user pool already exists and we need to do it via SDK calls that are performed by this Custom Resource. You cannot avoid it if you want to use an already existing User Pool - you can see explanation in the docs as well: https://www.serverless.com/framework/docs/providers/aws/events/cognito-user-pool#using-existing-pools
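
The kind of SDK request the Custom Resource described above has to make, sketched as an added example that is not part of the thread or the Serverless Framework's own code: it builds an `UpdateUserPool` request that adds one trigger to an existing pool and works out which role ARNs the caller would need `iam:PassRole` on. The sample `DescribeUserPool` response is constructed, and treating the role named in the reported error as the pool's `SmsConfiguration.SnsCallerArn` is an assumption.

```javascript
// Constructed sample of a DescribeUserPool response (ids and names are placeholders).
const describeResponse = {
  UserPool: {
    Id: 'eu-central-1_EXAMPLE',
    Name: 'TestPool',
    LambdaConfig: {
      PostConfirmation: 'arn:aws:lambda:eu-central-1:111111111111:function:old-post-confirm',
    },
    SmsConfiguration: {
      SnsCallerArn: 'arn:aws:iam::111111111111:role/example-sns-role',
      ExternalId: 'example-external-id',
    },
  },
};

// Build the UpdateUserPool request that attaches one trigger. Attributes left out
// of UpdateUserPool fall back to defaults, so existing triggers and SMS settings
// are carried over explicitly.
function buildUpdateParams(userPool, trigger, functionArn) {
  const params = {
    UserPoolId: userPool.Id,
    LambdaConfig: { ...(userPool.LambdaConfig || {}), [trigger]: functionArn },
  };
  if (userPool.SmsConfiguration) params.SmsConfiguration = { ...userPool.SmsConfiguration };
  return params;
}

// Role ARNs the request hands to Cognito. Assumption: this is the role the
// iam:PassRole error in the thread refers to.
function rolesPassed(params) {
  const arn = params.SmsConfiguration && params.SmsConfiguration.SnsCallerArn;
  return arn ? [arn] : [];
}

// IAM statement scoped to exactly those roles, or null when no role is passed.
function passRoleStatement(params) {
  const roles = rolesPassed(params);
  if (roles.length === 0) return null;
  return { Effect: 'Allow', Action: 'iam:PassRole', Resource: roles };
}

const params = buildUpdateParams(describeResponse.UserPool, 'PreSignUp',
  'arn:aws:lambda:eu-central-1:111111111111:function:test-dev-preSignUp');
console.log(JSON.stringify({ params, statement: passRoleStatement(params) }, null, 2));
```

A pool without an SMS role yields no statement at all, which matches the first report in the thread deploying cleanly while the Amplify-created pool did not.
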

I've been looking into this and I think it's a mistake that attaching a lambda to a cognito user pool creates the user pool. If you want to attach a lambda to that pool the user should create the pool, then this is merely just attaching A to B. No need for a custom lambda or any other logic. If you think about it, a user pool is quite a considerably important resource. It should be managed in a responsible way, not created as a by-product of attaching a lambda. Then the issue becomes easy. You take the Id and you just attach it. If it doesn't exist, surely the CF template will fail and the stack will roll back. I honestly think this is way more complicated than it needs to be and if I specify existing:true, then it should just attach or fail. That is how you test for its existence. Whether attaching succeeds or fails. Doesn't that make more sense?

Surely I can create a CF template which attaches a lambda to any cognito user pool just by Id and I don't need a lambda to check its existence first? If it fails, then it's my problem and I have to fix that. Or is that just not possible to do?

Sorry, I moved my comments to the discussion if you prefer to comment there: #10917

No worries @christhomas - I've responded in the discussion

Also ran into this issue today:

```
$ sls -v
Running "serverless" from node_modules
Framework Core: 3.31.0 (local) 3.30.1 (global)
Plugin: 6.2.3
SDK: 4.3.2
```

Basically, I was just trying to rename the function.

```yaml
functions:
  cognitoEvents: # renamed from cognito
    handler: app/CognitoHandler.php
    events:
      - cognitoUserPool:
          pool: <existing-pool-name>
          trigger: PostConfirmation
          existing: true
```

The error:
The user pool was deployed through a separate serverless.yml config file. I'm also using

This is a Bug Report
Description
What went wrong?
I tried to deploy Cognito Triggers on 1.50.0. The error I'm getting is related to PreSignUp: "is not authorized to perform: iam:PassRole on resource". In 1.49.0 it deploys correctly; however, I need to include a UserMigration trigger and this is only available in 1.50.0. I am deploying with full Admin privileges.
What did you expect should have happened?
Deploy all
What was the config you used?
Similar or dependent issues:
https://forum.serverless.com/t/deploy-failed-when-existing-user-pool-triggered-function-is-removed/9135/2
Additional Data