I am trying to build a CloudFormation script that sets up a Cognito User Pool and configures it to use a custom email for sending users their validation code in the signup process (i.e. FROM: [email protected]).
I am getting this error when executing my AWS CloudFormation script:
"ResourceStatusReason": "Cognito is not allowed to use your email identity (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidEmailRoleAccessPolicyException;
I have attached a Policy for Cognito to use my SES email identity e.g. [email protected]. I have manually setup and validated this email identity in SES prior to running CloudFormation script.
Here is my CloudFormation configuration for the policy to allow Cognito to send emails on my behalf e.g. From [email protected]:
CognitoSESPolicy:
Type: AWS::IAM::ManagedPolicy
Description: "Allow Cognito the send email on behalf of email identity (e.g. [email protected])"
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: "ucstmnt0001"
Effect: "Allow"
Action:
- "ses:SendEmail"
- "ses:SendRawEmail"
Resource: !FindInMap [ environment, !Ref "Environment", emailARN ]
SESRole:
Type: AWS::IAM::Role
Description: "An IAM Role to allow Cognito to send email on behalf of email identity"
Properties:
RoleName: uc-cognito-ses-role
ManagedPolicyArns:
- Ref: CognitoSESPolicy
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Principal:
Service:
- cognito-idp.amazonaws.com
DependsOn: CognitoSESPolicy
I am not sure what I am doing wrong here...
aws_cognito_user_pool_client (Terraform) The User Pool Client in Amazon Cognito can be configured in Terraform with the resource name aws_cognito_user_pool_client . The following sections describe 3 examples of how to use the resource and its parameters.
ADMIN_NO_SRP_AUTH : Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for calling the app client. ADMIN_USER_PASSWORD_AUTH : Admin-based user password authentication. This replaces the ADMIN_NO_SRP_AUTH authentication flow.
A unique resource server identifier for the resource server. This could be an HTTPS endpoint where the resource server is located. For example: https://my-weather-api.example.com .
A User Pool Client resource represents an Amazon Cognito User Pool Client that provides a way to generate authentication tokens used to authorize a user for an application. Configuring a User Pool Client then connecting it to a User Pool will generate to a User Pool client ID.
Answering my own question for others' benefit. AWS SES has its own managed identity for emails, requiring a user to verify ownership of the email before it can be used by other AWS services. My solution was to manually setup the SES email account using AWS portal, verify the email account, then reference the ARN for the identity created in SES for email in my CloudFormation script. Maybe AWS will have a way in the future to create SES identity via CloudFormation scripts, but at this time it seems that manual process is required for initial setup.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With