Amplify gen 2: lambda mutation `No federated jwt` error

0

I have an Amplify app using Cognito for user pool authentication. Once a user has signed up and used the code sent via email (all Cognito functionality), they are passed to a custom form where additional information is captured. On submit, a lambda function is executed that should:

  1. Create a group in Cognito
  2. Add the user to the group
  3. Create a record in a DynamoDB table and use the group name created in step 1 in a "writeGroups" field referenced in the schema for allow.groupsDefinedIn('writeGroups')

The lambda function deploys nicely as part of my sandbox, and permissions have been granted for allow.resource(createAccount).to(["manageGroups", "addUserToGroup", "manageGroupMembership"]) as well as for modifying DynamoDB data. However, as soon as either CognitoIdentityProviderClient or await client.models.User.create(user) is hit, I get the following error from the GraphQL API: `No federated jwt`. Example of the code used:

const user = {
  userId: userId,
  ...
};
const { data, errors } = await client.models.User.create(user); // <-- `No federated jwt` error thrown here

Or

const cognitoClient = new CognitoIdentityProviderClient();
const userGroup = {
  GroupName: `GroupName`,
  Precedence: 1,
  Description: `Description`,
  UserPoolId: userPoolId,
};
const createCommand = new CreateGroupCommand(userGroup);
const response = await cognitoClient.send(createCommand); // <-- `No federated jwt` error thrown here

The examples in the Amplify Gen 2 documentation don't cover this scenario. What am I missing?

1 Answer
0
Accepted Answer

Cognito issue: Use the following package which uses the IAM credentials that the function has:

import AWS from 'aws-sdk'; // v2 SDK; picks up the Lambda execution role's IAM credentials automatically

const cognito = new AWS.CognitoIdentityServiceProvider();

const readGroup = {
  Description: `Read group for ${clientName}`,
  GroupName: `Read-${clientAccountId}`,
  Precedence: 2,
  UserPoolId: userPoolId,
};

const newGroup: AWS.CognitoIdentityServiceProvider.CreateGroupResponse | undefined = await new Promise((resolve, reject) => {
  cognito.createGroup(readGroup, function (err, data) {
    if (err) {
      reject(err); // throwing inside the callback would leave the promise pending forever
    } else {
      resolve(data);
    }
  });
});

Graphql / DynamoDB issue: Add the JWT token from the request as a param of the create request:

const authToken = event.request.headers['authorization'] ?? '';

const user = {
  userId: userId,
  ...
};

const { data: updatedUser, errors: userCreateErrors } = await client.models.User.create(
  user,
  {
    authMode: 'identityPool',
    authToken: authToken
  }
);
Jonny
answered a month ago
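The question's three steps wired together with the answer's JWT hand-off, as an added example that is not the question's or the answer's code. The Cognito and data clients are passed in behind minimal interfaces so the handler can be run offline; `createAccount`, `requireAuthToken`, `groupNameFor` and the `arguments.accountId`/`accountName` field names are assumptions.

```typescript
// Added example (not the question's or answer's code). In a real deployment,
// back these interfaces with CognitoIdentityProviderClient and the Amplify
// data client; here they are injected so the handler can be exercised offline.
interface CognitoAdmin {
  createGroup(input: { GroupName: string; Description: string; Precedence: number; UserPoolId: string }): Promise<void>;
  addUserToGroup(input: { GroupName: string; Username: string; UserPoolId: string }): Promise<void>;
}
interface DataClient {
  createUser(user: object, opts: { authMode: "identityPool"; authToken: string }): Promise<{ errors?: { message: string }[] }>;
}
// Assumed AppSync resolver event shape: caller identity plus the raw request headers.
interface AppSyncEvent {
  identity?: { username?: string };
  request: { headers: Record<string, string | undefined> };
  arguments: { accountId: string; accountName: string };
}

// The Lambda runs under its own IAM role, not the caller's identity, so the
// caller's JWT has to be taken from the request and handed to the data client.
// Failing closed here beats passing '' and getting `No federated jwt` downstream.
function requireAuthToken(event: AppSyncEvent): string {
  const token = event.request.headers["authorization"];
  if (!token) throw new Error("Unauthorized: request carries no caller JWT");
  return token;
}

// Group names are derived from a server-controlled id, never raw user text.
// Cognito allows up to 128 characters; this check keeps ids to a conservative subset.
function groupNameFor(accountId: string): string {
  if (!/^[A-Za-z0-9_-]{1,100}$/.test(accountId)) throw new Error("Invalid account id");
  return `Write-${accountId}`;
}

// Steps 1-3 from the question: create group, add caller, write the record
// whose writeGroups field the schema's allow.groupsDefinedIn('writeGroups') reads.
async function createAccount(event: AppSyncEvent, cognito: CognitoAdmin, data: DataClient, userPoolId: string): Promise<string> {
  const authToken = requireAuthToken(event);
  const username = event.identity?.username;
  if (!username) throw new Error("Unauthorized: no Cognito identity on event");
  const groupName = groupNameFor(event.arguments.accountId);
  await cognito.createGroup({ GroupName: groupName, Description: `Write group for ${event.arguments.accountName}`, Precedence: 1, UserPoolId: userPoolId });
  await cognito.addUserToGroup({ GroupName: groupName, Username: username, UserPoolId: userPoolId });
  const { errors } = await data.createUser({ userId: username, writeGroups: [groupName] }, { authMode: "identityPool", authToken });
  if (errors?.length) throw new Error(`User create failed: ${errors.map((e) => e.message).join("; ")}`);
  return groupName;
}
```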