Google Resource Test Fails about aws-cognito-apigw-angular-auth HOT 6 CLOSED

Can you confirm you redeployed your API after you reset the CORS configuration? Unfortunately I could not replicate the problem.

from aws-cognito-apigw-angular-auth.

Actually taking another look, this is not a CORS error. It's related to permissions, I suggest to enable logging in APIGW to understand the issue. Can you double check the Auth IAM role cognito is using has access to the /google path?

from aws-cognito-apigw-angular-auth.

IAM role cognito is using has access to goolge path. I tried to to enable cloudwatch in APIGW but it keeps failing with error " The role ARN does not have required permissions set to API Gateway". This happens when I try to add the ARN of the following role to the APIGW under setting. Below are the my role and policy details. What am I missing?

1. Attached "AmazonAPIGatewayPushToCloudWatchLogs" policy under managed policies of the role under permissions tab.
2. In policy on the same tab has the following text:
   {
   "Version": "2012-10-17",
   "Statement": [
   {
   "Action": [
   "execute-api:Invoke",
   "logs:"
   ],
   "Resource": [
   "arn:aws:execute-api:ap-south-1:xxxxx//GET/google",
   "arn:aws:execute-api:ap-south-1:xxxxx//POST/google",
   "arn:aws:logs:::"
   ],
   "Effect": "Allow"
   }
   ]
   }
3. And the trust policy under trust relationships tab has the following text
   {
   "Version": "2012-10-17",
   "Statement": [
   {
   "Sid": "",
   "Effect": "Allow",
   "Principal": {
   "Service": "apigateway.amazonaws.com",
   "Federated": "cognito-identity.amazonaws.com"
   },
   "Action": [
   "sts:AssumeRoleWithWebIdentity",
   "sts:AssumeRole"
   ],
   "Condition": {
   "StringEquals": {
   "cognito-identity.amazonaws.com:aud": "ap-south-1:xxxxxx"
   },
   "ForAnyValue:StringLike": {
   "cognito-identity.amazonaws.com:amr": "authenticated"
   }
   }
   }
   ]
   }

Could you please assist? Thanks

from aws-cognito-apigw-angular-auth.

Unfortunately I still cannot replicate, I was presenting on the AWS Dev Day in Melbourne yesterday and confirmed with some other developers it worked fine in their own account.

Might be a problem with permissions when the stack was created. Can you confirm it still happens if you delete the stack and create a new one following the instructions? Does the user running the cloudformation commands has permissions to create all resources?

Can you also confirm you performed the steps 5 to 7 from the README file and added the Google app ID to the Cognito Identity Pool?

from aws-cognito-apigw-angular-auth.

Also create a separate role for the API Gateway logs, here are some instructions https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/ and http://docs.aws.amazon.com/apigateway/latest/developerguide/stages.html#how-to-stage-settings-console (Item 6)

from aws-cognito-apigw-angular-auth.

Closing this one as I was not able to reproduce

from aws-cognito-apigw-angular-auth.