Adding Social Sign In via amplify auth update causes error HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout) while amplify push #13239

Closed
2 tasks done
iwishApp opened this issue Sep 19, 2023 · 14 comments
Labels
pending-triage Issue is pending triage

Comments

@iwishApp

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

11.0.5

What operating system are you using?

MacOS Ventura 13.4

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes.

Describe the bug

Problem happens when trying to add Social Sign In to existing amplify auth (via email).

1. Updating auth in CLI via amplify update auth. Followed the steps mentioned in the reproduction steps.
2. Applying change to cloud via amplify push. Facing error over here:
   Screenshot 2023-09-19 at 17 13 52
3. Some problem when making changes and deploying via Amplify Studio.

Expected behavior

I want to configure Sign in with Apple for project with existing Cognito email auth.

Reproduction steps

1. Updating auth via amplify update auth
   • What do you want to do? Update OAuth social providers
   • Select the identity providers you want to configure for your user pool: Sign in with Apple
   • Enter your Services ID for your OAuth flow: com.myapp.myapp.sid
   • Enter your Team ID for your OAuth flow: ****
   • Enter your Key ID for your OAuth flow: ****
   • Enter your Private Key for your OAuth flow: *****
   Note: For the Private key I am entering key from .p8 file by removing -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY-----, \n, space at the end of line and pasting main private key in single line.

2. Applying change to cloud via amplify push
   Produced error mentioned above

Project Identifier

No response

Log output

# Put your logs below this line
CloudWatch logs:


START RequestId: 982fa895-bdae-48db-b16a-d55e05d84adc Version: $LATEST
2023-09-19T14:59:57.399Z 982fa895-bdae-48db-b16a-d55e05d84adc INFO { '$metadata': { httpStatusCode: 200, requestId: '9a35dcdc-a4b7-4c94-b2d1-3b390d332f8d', extendedRequestId: undefined, cfId: undefined, attempts: 1, totalRetryDelay: 0 }, NextToken: undefined, Providers: [] }
2023-09-19T14:59:57.912Z 982fa895-bdae-48db-b16a-d55e05d84adc INFO InternalErrorException: Internal server error.
    at deserializeAws_json1_1InternalErrorExceptionResponse (/var/runtime/node_modules/@aws-sdk/client-cognito-identity-provider/dist-cjs/protocols/Aws_json1_1.js:6611:23)
    at deserializeAws_json1_1CreateIdentityProviderCommandError (/var/runtime/node_modules/@aws-sdk/client-cognito-identity-provider/dist-cjs/protocols/Aws_json1_1.js:2933:25)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20
    at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
    at async createIdentityProvider (/var/task/index.js:96:3)
    at async handleEvent (/var/task/index.js:45:9)
    at async tryHandleEvent (/var/task/index.js:18:5)
2023-09-19T14:59:57.913Z 982fa895-bdae-48db-b16a-d55e05d84adc INFO Response body: {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2023/09/19/[$LATEST]eea0653fcf1d48a5954fd46c6baebff3","PhysicalResourceId":"2023/09/19/[$LATEST]eea0653fcf1d48a5954fd46c6baebff3","StackId":"arn:aws:cloudformation:eu-west-1:993068180123:stack/amplify-myapp-dev-11111-authMyApp-S93XOTYMCSM9/5394f7c0-1434-11ed-bc7d-0ae49c1c6289","RequestId":"cc7b8d13-d58a-4835-82a0-9ae1c7a83a7a","LogicalResourceId":"HostedUIProvidersCustomResourceInputs","NoEcho":false,"Data":{"err":{"name":"InternalErrorException","$fault":"server","$metadata":{"httpStatusCode":500,"requestId":"e7a263d8-3a77-469d-9cc6-8481a69d4184","attempts":3,"totalRetryDelay":188},"__type":"InternalErrorException"}}}
2023-09-19T14:59:58.080Z 982fa895-bdae-48db-b16a-d55e05d84adc INFO Status code: 200
2023-09-19T14:59:58.080Z 982fa895-bdae-48db-b16a-d55e05d84adc INFO Status message: OK



Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@iwishApp iwishApp added the pending-triage Issue is pending triage label Sep 19, 2023
@josefaidt
Contributor

Hey @iwishApp 👋 thanks for raising this! We've made a few enhancements and fixes around auth in later versions of the CLI. If you upgrade to the latest CLI (12.4.0 at the time of writing) do you still encounter this error?

@josefaidt josefaidt added the pending-response Issue is pending response from the issue author label Sep 19, 2023
@iwishApp
Author

Upgraded to 12.4.0. Error still there:
Screenshot 2023-09-19 at 20 25 54

Cloudwatch logs:

2023-09-19T20:23:08.976+02:00 INIT_START Runtime Version: nodejs:18.v12 Runtime Version ARN: arn:aws:lambda:eu-west-1::runtime:0bdff101a7b4e0589af824f244deb93200e4663c2a8d7d0148b76cd00c48777a
2023-09-19T18:23:10.117Z 534005fe-fc56-4536-a131-21a2533f0af1 INFO { '$metadata': { httpStatusCode: 200, requestId: '4c23a98a-5551-4951-830c-e7ff4669d565', extendedRequestId: undefined, cfId: undefined, attempts: 1, totalRetryDelay: 0 }, NextToken: undefined, Providers: []}
2023-09-19T18:23:10.896Z 534005fe-fc56-4536-a131-21a2533f0af1 INFO Response body: { "Status": "FAILED", "Reason": "See the details in CloudWatch Log Stream: 2023/09/19/[$LATEST]67d089b98a0b40b988520f886cbd5e4b", "PhysicalResourceId": "2023/09/19/[$LATEST]67d089b98a0b40b988520f886cbd5e4b", "StackId": "arn:aws:cloudformation:eu-west-1:993068180123:stack/amplify-myapp-dev-1111-authMyApp-S93XOTYMCSM9/5394f7c0-1111-11ed-bc7d-0ae49c1c6289", "RequestId": "e29a04c5-2b25-4a2c-a043-df63fd2e503e", "LogicalResourceId": "HostedUIProvidersCustomResourceInputs", "NoEcho": false, "Data": { "err": { "name": "InternalErrorException", "$fault": "server", "$metadata": { "httpStatusCode": 500, "requestId": "1bbafeaf-2559-4b3d-b066-ec5d0cc9f698", "attempts": 3, "totalRetryDelay": 547 }, "__type": "InternalErrorException" } } }
2023-09-19T18:23:38.715Z 183569d2-c640-4bf8-ace4-992e86e25031 INFO Response body: { "Status": "SUCCESS", "Reason": "See the details in CloudWatch Log Stream: 2023/09/19/[$LATEST]67d089b98a0b40b988520f886cbd5e4b", "PhysicalResourceId": "2023/09/19/[$LATEST]67d089b98a0b40b988520f886cbd5e4b", "StackId": "arn:aws:cloudformation:eu-west-1:993068180123:stack/amplify-myapp-dev-11111-authMyApp-S93XOTYMCSM9/5394f7c0-1111-11ed-bc7d-0ae49c1c6289", "RequestId": "3774ef31-3469-411c-b7e8-e70d91047619", "LogicalResourceId": "HostedUIProvidersCustomResourceInputs", "NoEcho": false, "Data": {} }

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Sep 19, 2023
@iwishApp
Author

iwishApp commented Sep 20, 2023

We use Email as login mechanism. Now we want to add Apple Sign In.
Probably the issue is connected with this one: aws-amplify/amplify-studio#792 (comment)
but I'm not sure where is proper .json file from which I can build a proper payload with "requiredSignupAttributes": ["EMAIL"] and test it.

If I add Social Sign In via Amplify Studio, I cannot choose Email from drop down list.
Screenshot 2023-09-20 at 08 26 11

However our logic doesn't require "email", we had "requiredAttributes": [], before adding Sign In with apple.
So probably doesn't make impact. I have already tried both options (empty array and "email"), with empty array it throws:
"HostedUIProvidersCustomResourceInputs (Custom::LambdaCallout), Event Type: create, Reason: Received response status [FAILED] from custom resource"
"requiredAttributes": ["email"] it throws:
"Invalid AttributeDataType input, consider using the provided AttributeDataType enum." I guess it is because original set up of this user pool does not require any attributes and this cannot be changed for this pool.

@josefaidt
Contributor

Hey @iwishApp thanks for clarifying! How was this user pool originally configured (e.g. "default" config with email as login mechanism)? Do you recall which version of the CLI was used when creating it?

@josefaidt josefaidt added the pending-response Issue is pending response from the issue author label Sep 20, 2023
@ykethan
Member

ykethan commented Sep 20, 2023

@josefaidt I was able to run into the issue when running the following


 Do you want to use the default authentication and security configuration? Manual configuration
 Select the authentication/authorization services that you want to use: User Sign-Up, Sign-In, connected with AWS IAM controls (Enables per-user Storage features for images or other content, Analytics, and more)
 Provide a friendly name for your resource that will be used to label this category in the project: capplefail17691a5a17691a5a
 Enter a name for your identity pool. capplefail17691a5a_identitypool_17691a5a
 Allow unauthenticated logins? (Provides scoped down permissions that you can control via AWS IAM) No
 Do you want to enable 3rd party authentication providers in your identity pool? No
 Provide a name for your user pool: capplefail17691a5a_userpool_17691a5a
 Warning: you will not be able to edit these selections. 
 How do you want users to be able to sign in? Username
 Do you want to add User Pool Groups? No
 Do you want to add an admin queries API? No
 Multifactor authentication (MFA) user login options: OFF
 Email based user registration/forgot password: Enabled (Requires per-user email entry at registration)
 Specify an email verification subject: Your verification code
 Specify an email verification message: Your verification code is {####}
 Do you want to override the default password policy for this User Pool? No
 Warning: you will not be able to edit these selections. 
 What attributes are required for signing up? 
 Specify the app's refresh token expiration period (in days): 30
 Do you want to specify the user attributes this app can read and write? No
 Do you want to enable any of the following capabilities? 
 Do you want to use an OAuth flow? Yes
 What domain name prefix do you want to use? capplefail17691a5a-17691a5a
 Enter your redirect signin URI: http://localhost:3000/
? Do you want to add another redirect signin URI No
 Enter your redirect signout URI: http://localhost:3000/
? Do you want to add another redirect signout URI No
 Select the OAuth flows enabled for this project. Authorization code grant
 Select the OAuth scopes enabled for this project. OpenID, Profile, aws.cognito.signin.user.admin
 Select the social providers you want to configure for your user pool: Sign in with Apple
  
 You've opted to allow users to authenticate via Sign in with Apple. If you haven't already, you'll need to go to https://developer.apple.com/account/#/welcome and configure Sign in with Apple. 
 
 Enter your Services ID for your OAuth flow:  com.fake.app
 Enter your Team ID for your OAuth flow: 
 Enter your Key ID for your OAuth flow: 
 Enter your Private Key for your OAuth flow (entire key without line breaks):  -------BEGIN PRIVATE KEY-----<your - key>-----END PRIVATE KEY-----

For What attributes are required for signing up? remove email selection.

@iwishApp
Author

iwishApp commented Sep 20, 2023

> Hey @iwishApp thanks for clarifying! How was this user pool originally configured (e.g. "default" config with email as login mechanism)? Do you recall which version of the CLI was used when creating it?

Probably it was CLI v. 9.2.0 or 9.2.1 at the moment of Auth deployment.

backend-config.json

"auth": {
    "MyAppName": {
      "customAuth": false,
      "dependsOn": [],
      "frontendAuthConfig": {
        "mfaConfiguration": "OFF",
        "mfaTypes": [
          "SMS"
        ],
        "passwordProtectionSettings": {
          "passwordPolicyCharacters": [],
          "passwordPolicyMinLength": 8
        },
        "signupAttributes": [],
        "socialProviders": [],
        "usernameAttributes": [
          "EMAIL"
        ],
        "verificationMechanisms": [
          "EMAIL"
        ]
      },
      "providerPlugin": "awscloudformation",
      "service": "Cognito"
    }
  }


cli-inputs.json

{
  "version": "1",
  "cognitoConfig": {
    "identityPoolName": "testAuthIdentityPool",
    "allowUnauthenticatedIdentities": true,
    "resourceNameTruncated": "MyAppName045e50a",
    "userPoolName": "MyAppName",
    "autoVerifiedAttributes": [
      "email"
    ],
    "mfaConfiguration": "OFF",
    "mfaTypes": [
      "SMS Text Message"
    ],
    "smsAuthenticationMessage": "Your authentication code is {####}",
    "smsVerificationMessage": "Your verification code is {####}",
    "emailVerificationSubject": "MyAppName verification code",
    "emailVerificationMessage": "Your verification code is {####}",
    "defaultPasswordPolicy": false,
    "passwordPolicyMinLength": 8,
    "passwordPolicyCharacters": [],
    "requiredAttributes": [],
    "aliasAttributes": [],
    "userpoolClientGenerateSecret": false,
    "userpoolClientRefreshTokenValidity": 30,
    "userpoolClientWriteAttributes": [],
    "userpoolClientReadAttributes": [],
    "userpoolClientLambdaRole": "MyAppName5e50a_userpoolclient_lambda_role",
    "userpoolClientSetAttributes": false,
    "sharedId": "5e50a",
    "resourceName": "MyAppName",
    "authSelections": "identityPoolAndUserPool",
    "serviceName": "Cognito",
    "usernameAttributes": [
      "email"
    ],
    "useDefault": "manual",
    "userPoolGroups": false,
    "userPoolGroupList": [],
    "adminQueries": false,
    "thirdPartyAuth": false,
    "authProviders": [],
    "usernameCaseSensitive": false,
    "useEnabledMfas": true,
    "authRoleArn": {
      "Fn::GetAtt": [
        "AuthRole",
        "Arn"
      ]
    },
    "unauthRoleArn": {
      "Fn::GetAtt": [
        "UnauthRole",
        "Arn"
      ]
    },
    "breakCircularDependency": true,
    "dependsOn": []
  }
}

I have non-stop spinning activity indicator in the Authentication section in AWS Amplify web portal:
Screenshot 2023-09-20 at 18 18 46
Console:
Screenshot 2023-09-20 at 18 30 30
It seems that during the auth updates my app's identity pool was somehow deleted/destroyed. I didn't touch it myself. The UserPool still exists.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Sep 20, 2023
@josefaidt
Contributor

Hey @iwishApp would you mind posting the project ID output from amplify diagnose --send-report? Do you have analytics in your project by chance?

@josefaidt josefaidt added the pending-response Issue is pending response from the issue author label Sep 20, 2023
@iwishApp
Author

> Hey @iwishApp would you mind posting the project ID output from amplify diagnose --send-report? Do you have analytics in your project by chance?

ID 4986c94d24ca7c5f303272240a6d0801
What kind of analytics? If you mean AWS Pinpoint, then we have some basic set up.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Sep 20, 2023
@josefaidt
Contributor

Hey @iwishApp was email manually removed from the requiredAttributes list? Unfortunately after a Cognito User Pool is created you cannot modify whether the attribute is required

After you create a user pool, you can't switch an attribute between required and not required.
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

Is this a production environment? There is a trigger to migrate users, however this migration will also entail updating any records stored in DynamoDB if you are currently using owner auth rules in your GraphQL schema

@josefaidt josefaidt added the pending-response Issue is pending response from the issue author label Sep 26, 2023
@josefaidt
Contributor

Hey @iwishApp I wanted to follow-up on this issue and see if you're still experiencing this?

@iwishApp
Author

iwishApp commented Oct 4, 2023

Hello, I ended up resetting the dev environment.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Oct 4, 2023
@ykethan
Member

ykethan commented Oct 5, 2023

@iwishApp thank you for the confirmation. Closing this issue for now, please feel free to reach out to us if you require any assistance.

@ykethan ykethan closed this as not planned Oct 5, 2023
@github-actions

github-actions bot commented Oct 5, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@amitchaudhary140

@josefaidt I still face this issue. Tried creating auth from scratch and just Signin with apple creates problem. Can't deploy from studio or cli.
