AWS CloudFormation Script Fails - Cognito is not allowed to use your email identity

I am trying to build a CloudFormation script that sets up a Cognito User Pool and configures it to use a custom email for sending users their validation code in the signup process (i.e. FROM: [email protected]).

I am getting this error when executing my AWS CloudFormation script:

"ResourceStatusReason": "Cognito is not allowed to use your email identity (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidEmailRoleAccessPolicyException; 

I have attached a Policy for Cognito to use my SES email identity e.g. [email protected]. I have manually set up and validated this email identity in SES prior to running the CloudFormation script.

Here is my CloudFormation configuration for the policy to allow Cognito to send emails on my behalf e.g. From [email protected]:

  CognitoSESPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # Description is a property of the managed policy, so it belongs under Properties,
      # not at the resource level next to Type
      Description: "Allow Cognito to send email on behalf of email identity (e.g. [email protected])"
      PolicyDocument:
        Version: "2012-10-17"   # quoted so YAML parsers do not read it as a date value
        Statement:
        - Sid: "ucstmnt0001"
          Effect: "Allow"
          Action:
          - "ses:SendEmail"
          - "ses:SendRawEmail"
          # ARN of the SES identity, looked up per environment from the template's Mappings
          Resource: !FindInMap [ environment, !Ref "Environment", emailARN ]

  SESRole:
    Type: AWS::IAM::Role
    Properties:
      # Description is likewise a Role property, not a resource-level attribute
      Description: "An IAM Role to allow Cognito to send email on behalf of email identity"
      RoleName: uc-cognito-ses-role
      ManagedPolicyArns:
        - Ref: CognitoSESPolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Principal:
              Service:
              - cognito-idp.amazonaws.com
    # The Ref above already creates this dependency; the explicit DependsOn is harmless
    DependsOn: CognitoSESPolicy

I am not sure what I am doing wrong here...

jzeron asked Nov 17 '18 06:11



1 Answer

Answering my own question for others' benefit. AWS SES has its own managed identity for emails, requiring a user to verify ownership of the email before it can be used by other AWS services. My solution was to manually set up the SES email account using the AWS portal, verify the email account, then reference the ARN for the identity created in SES for email in my CloudFormation script. Maybe AWS will have a way in the future to create an SES identity via CloudFormation scripts, but at this time it seems that a manual process is required for initial setup.

jzeron answered Sep 21 '22 00:09
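The answer describes referencing the verified SES identity's ARN from the template but does not show where that reference goes. The following is an added example, not code from the original question or answer: a minimal user pool whose EmailConfiguration points at the same per-environment mapping the question uses (the `environment` / `emailARN` mapping keys and the `Environment` parameter are taken from the question; the `UserPool` resource name, the `dev`/`prod` environment values and the `noreply@example.com` address are constructed placeholders). The ARN values must be replaced with the ARN the SES console shows for the identity after verification.

```yaml
Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, prod]   # constructed environment names

Mappings:
  environment:
    dev:
      # Placeholder: ARN of an identity that SES already shows as "verified"
      emailARN: arn:aws:ses:REGION:ACCOUNT_ID:identity/noreply@example.com
    prod:
      emailARN: arn:aws:ses:REGION:ACCOUNT_ID:identity/noreply@example.com

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub uc-${Environment}-users
      AutoVerifiedAttributes:
        - email                      # Cognito emails the verification code on sign-up
      EmailConfiguration:
        # DEVELOPER = send through your own SES identity instead of Cognito's default sender
        EmailSendingAccount: DEVELOPER
        # The verified SES identity ARN; this is the value the answer refers to
        SourceArn: !FindInMap [ environment, !Ref Environment, emailARN ]
        # Must be the verified address itself (or an address in a verified domain)
        From: noreply@example.com
```

Before deploying, confirm the identity really is verified in the region the pool will use, for example with `aws ses get-identity-verification-attributes --identities noreply@example.com` and check that `VerificationStatus` is `Success`; an unverified or mistyped identity ARN is the usual cause of the InvalidEmailRoleAccessPolicyException the question shows. Note that Cognito does not assume an IAM role you create for this purpose: with `EmailSendingAccount: DEVELOPER` it sends through its own service-linked role (AWSServiceRoleForAmazonCognitoIdp), so the identity's verification status and the SourceArn value are what matter, not the `SESRole` resource from the question.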