Creating an IAM service role to allow Amazon Cognito to send SMS messages for MFA

I'm trying to set up Cognito to manage my user pool and set up phone verification. Unfortunately, the AWS docs seem out of date.

According to this doc, I should see a "create IAM role" button on my Cognito page, but it isn't there: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html

[screenshot: Cognito page]

I am guessing they removed the option, but I also don't see a way to manually create the proper role. Cognito isn't listed as one of the services you can create role for.

[screenshot]

There is a Web identity tab in the above image, so I tried to use that. Sure enough, there is an option to create a role, and even give it the SNS access needed to send SMS, but it isn't a service role. The ARN that is generated does not have the /service-role/ path that the first image has. I can't figure out any way to change the ARN to include it, and if I just try to run my application without it, I still get the error message:

[00:20:30] error signing up Object {
  "code": "InvalidSmsRoleTrustRelationshipException",
  "message": "Role does not have a trust relationship allowing Cognito to assume the role",
  "name": "InvalidSmsRoleTrustRelationshipException",
}

Is Cognito broken right now?? I'm sure I'm missing something...

David Massey asked Jan 01 '23 16:01


1 Answer

I've just had a try and I get the "create role" button, but looking at your UI you've already created the role, at which point AWS hides it and just shows the ARN of the role that's been created.

That said, if you need to re-create it from scratch for whatever reason, you can do so; however, you'll have to leave the visual editor. The easiest way is to assign whatever to the trust relationship page, and then, once the role has been created, select it, switch to the Trust Relationships tab, press Edit Trust Relationship and replace the JSON with the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "generate-your-own-uuid-here"
        }
      }
    }
  ]
}

n.b. for completeness the inline policy for the role should also be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
thomasmichaelwallace answered Jan 13 '23 12:01
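The following is an added example, not code from the question or the answer above. It builds the two policy documents the answer gives (trust policy pinned to a per-pool ExternalId, and the sns:Publish permission policy), and it reproduces offline the check behind the asker's InvalidSmsRoleTrustRelationshipException: whether a given trust policy lets cognito-idp.amazonaws.com call sts:AssumeRole with the user pool's ExternalId. The boto3 creation helper, the role name and the "web identity" trust policy used as a negative case are assumptions for illustration; only the offline checks run without AWS credentials.

```python
"""Added example: Cognito SMS role policies plus an offline trust-policy check.

Assumptions (not from the page): boto3 is installed only if create_sms_role()
is called; role/policy names are placeholders; WEB_IDENTITY_TRUST_POLICY is a
constructed sample of what the IAM console's "Web identity" tab produces.
"""
import json
import uuid
from typing import List, Optional, Tuple

COGNITO_PRINCIPAL = "cognito-idp.amazonaws.com"

# Constructed sample: a role made from the IAM console's "Web identity" tab trusts
# a Federated principal via AssumeRoleWithWebIdentity, not the Cognito service
# principal via AssumeRole, so Cognito cannot assume it for SMS sending.
WEB_IDENTITY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}


def _as_list(value) -> List:
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id: str) -> dict:
    """The answer's trust policy with the ExternalId pinned to one user pool.

    The sts:ExternalId condition is the confused-deputy control: a user pool in
    another account cannot borrow this role unless it also presents this value.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_sms_permission_policy() -> dict:
    """The answer's permission policy. sns:Publish to a phone number has no
    resource ARN, so Resource stays "*"; scoping comes from the trust policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sns:Publish", "Resource": "*"}],
    }


def can_cognito_assume(trust_policy: dict, external_id: Optional[str]) -> Tuple[bool, str]:
    """Offline approximation of the check Cognito's SMS setup performs.

    Returns (ok, reason). ok is True only when some Allow statement names the
    Cognito service principal, grants sts:AssumeRole, and any sts:ExternalId
    condition in it matches the user pool's ExternalId.
    """
    reasons = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if COGNITO_PRINCIPAL not in services:
            reasons.append(f"principal {principal!r} is not {COGNITO_PRINCIPAL}")
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            reasons.append("statement does not allow sts:AssumeRole")
            continue
        required = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if required and external_id not in required:
            reasons.append("sts:ExternalId condition does not match the user pool's ExternalId")
            continue
        if not required:
            return True, "ok, but add an sts:ExternalId condition to prevent confused-deputy use"
        return True, "ok"
    return False, "; ".join(reasons) or "no Allow statement for Cognito"


def create_sms_role(role_name: str, external_id: str, iam_client=None) -> str:
    """Create the role via the IAM API (assumes boto3 and credentials). Returns its ARN.
    Path is set to /service-role/ to match the console; Cognito checks the trust
    policy, not the path, which is what the asker's error message says."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK
    iam = iam_client or boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        Path="/service-role/",
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(external_id)),
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName="CognitoSmsPublish",
        PolicyDocument=json.dumps(build_sms_permission_policy()),
    )
    return role["Role"]["Arn"]


if __name__ == "__main__":
    pool_external_id = str(uuid.uuid4())  # "generate-your-own-uuid-here"
    print(json.dumps(build_trust_policy(pool_external_id), indent=2))
    print(can_cognito_assume(build_trust_policy(pool_external_id), pool_external_id))
    print(can_cognito_assume(WEB_IDENTITY_TRUST_POLICY, pool_external_id))
```

Use the same ExternalId in the user pool's SmsConfiguration (SnsCallerArn plus ExternalId) that you put in the trust policy; a mismatch, or a role that trusts a Federated web-identity principal instead of the cognito-idp service principal, is exactly what can_cognito_assume reports as a failure.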