AWS Cognito - Enabling MFA | Error: MFA cannot be turned off if an SMS role is configured

Question

Im trying to enable MFA for an existing AWS Cognito user pool. Im editing the user-pool configuration, but trying to save the new configuration results in a MFA cannot be turned off if an SMS role is configured error (see picture). I don't understand that error message, and Google is no help.

Question: What am I do wrong, how can I enable MFA for an existing user pool?

Answer 1

Go to IAM and make sure you didn't accidently created an SMS role. Under the step :

You must provide a role to allow Amazon Cognito to send SMS messages

If you press Create Role then this will generate the error you mentioned. I guess in order to continue you need to properly configure your SMS.

To solve this issue I had to remove an SMS role (IAM) linked to my Users Pool.

So by removing the SMS role I was able to continue the creation of the new User Pool.

You can do that by signing to your console. Go to IAM on the left side under the dashboard go to Roles. Select from the list the SMS role associated to your User pool and delete it.

Answer 2

The SNSRole is added automatically, can't be changed by any available parameter and can't be modified later. The current workaround is to manually modify the yaml configuration and remove that part.

• amplify add auth
• go through all the config
• open the file backend/auth/<name>/<name>-cloudformation-template.yml
• remove SNSRole row in Resources and SmsConfiguration in Resources > UserPool > Properties
• amplify push

from: https://github.com/aws-amplify/amplify-js/issues/2906