Unable to add storage to Amplify app with custom Cognito user pool (using Azure AD IDP) #13662

Closed
3 tasks done
sumitsahoo opened this issue Mar 20, 2024 · 9 comments
Labels
auth Issues tied to the auth category of the CLI pending-triage Issue is pending triage

Comments

@sumitsahoo

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Storage

Amplify Version

v6

Amplify Categories

storage

Backend

Amplify CLI

Environment information

 System:
    OS: macOS 14.4
    CPU: (10) arm64 Apple M1 Pro
    Memory: 230.30 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.10.0 - ~/.nvm/versions/node/v20.10.0/bin/node
    npm: 10.2.3 - ~/.nvm/versions/node/v20.10.0/bin/npm
  Browsers:
    Brave Browser: 122.1.63.174
    Chrome: 123.0.6312.59
    Edge: 122.0.2365.92
    Safari: 17.4
  npmPackages:
    @aws-amplify/ui-react: ^6.1.6 => 6.1.6 
    @aws-amplify/ui-react-internal:  undefined ()
    @headlessui/react: ^1.7.18 => 1.7.18 
    @heroicons/react: ^2.1.1 => 2.1.1 
    @hookform/resolvers: ^3.3.4 => 3.3.4 
    @hookform/resolvers/ajv:  1.0.0 
    @hookform/resolvers/arktype:  1.0.0 
    @hookform/resolvers/class-validator:  1.0.0 
    @hookform/resolvers/computed-types:  1.0.0 
    @hookform/resolvers/io-ts:  1.0.0 
    @hookform/resolvers/joi:  1.0.0 
    @hookform/resolvers/nope:  1.0.0 
    @hookform/resolvers/superstruct:  1.0.0 
    @hookform/resolvers/typanion:  1.0.0 
    @hookform/resolvers/typebox:  1.0.0 
    @hookform/resolvers/valibot:  1.0.0 
    @hookform/resolvers/vest:  1.0.0 
    @hookform/resolvers/yup:  1.0.0 
    @hookform/resolvers/zod:  1.0.0 
    @reduxjs/toolkit: ^2.2.1 => 2.2.1 
    @reduxjs/toolkit-query:  1.0.0 
    @reduxjs/toolkit-query-react:  1.0.0 
    @reduxjs/toolkit-react:  1.0.0 
    @types/react: ^18.2.43 => 18.2.48 
    @types/react-dom: ^18.2.17 => 18.2.18 
    @vitejs/plugin-react: ^4.2.1 => 4.2.1 
    @zxing/browser: ^0.1.4 => 0.1.4 
    @zxing/library: ^0.20.0 => 0.20.0 
    autoprefixer: ^10.4.17 => 10.4.17 
    aws-amplify: ^6.0.20 => 6.0.20 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    eslint: ^8.55.0 => 8.56.0 
    eslint-config-prettier: ^9.1.0 => 9.1.0 
    eslint-plugin-import: ^2.29.1 => 2.29.1 
    eslint-plugin-react: ^7.33.2 => 7.33.2 
    eslint-plugin-react-hooks: ^4.6.0 => 4.6.0 
    eslint-plugin-react-refresh: ^0.4.5 => 0.4.5 
    moment: ^2.30.1 => 2.30.1 
    postcss: ^8.4.33 => 8.4.33 
    prettier: ^3.2.5 => 3.2.5 
    react: ^18.2.0 => 18.2.0 
    react-barcode: ^1.4.6 => 1.4.6 
    react-dom: ^18.2.0 => 18.2.0 
    react-hook-form: ^7.50.1 => 7.50.1 
    react-qr-code: ^2.0.12 => 2.0.12 
    react-redux: ^9.1.0 => 9.1.0 
    react-router-dom: ^6.22.1 => 6.22.1 
    tailwindcss: ^3.4.1 => 3.4.1 
    vite: ^5.0.8 => 5.0.12 
    vite-plugin-pwa: ^0.17.5 => 0.17.5 
    yup: ^1.3.3 => 1.3.3 
  npmGlobalPackages:
    corepack: 0.22.0
    npm: 10.2.3
    pm2: 5.3.0

Describe the bug

We are unable to add storage into our Amplify app. If you refer to aws-amplify/amplify-js#13119, we have set up the login using a custom user pool with a SAML federated identity provider, i.e. Azure AD. We have also defined a Hosted UI with the required details and we are now able to log in successfully. But when we try to add storage either from Amplify Studio or the CLI, we get the error message below.

Error: Invalid Auth configuration. Your imported Auth resource does not have an identity pool. Please add an identity pool before setting up Storage.

Screenshot:

Amplify Studio:

Screenshot 2024-03-20 at 4 25 12 PM

Amplify CLI:

Screenshot 2024-03-20 at 4 30 52 PM

Expected behavior

Storage should get added without error.

Reproduction steps

  1. Create a user pool with SAML provider (Azure AD)
  2. Define a client with Hosted UI and add metadata URL from Azure
  3. Import the user pool in Amplify as Auth
  4. Try to add storage

Code Snippet

amplify add storage

Log output

NA

aws-exports.js

No response

Manual configuration

import { Amplify } from 'aws-amplify';

Amplify.configure({
	Auth: {
		Cognito: {
			userPoolClientId: 'xxxx',
			userPoolId: 'eu-west-1_xxxx',
			loginWith: {
				// Hosted UI (OAuth) settings for the SAML-federated user pool
				oauth: {
					domain: 'xxxx.amazoncognito.com',
					// One scope per array element
					scopes: ['openid', 'email', 'aws.cognito.signin.user.admin'],
					redirectSignIn: ['http://localhost:5173'],
					redirectSignOut: ['http://localhost:5173'],
					responseType: 'code',
				},
			},
		},
	},
	API: {
		GraphQL: {
			endpoint:
				'https://xxxx.eu-west-1.amazonaws.com/graphql',
			region: 'eu-west-1',
			// Set the default auth mode to "userPool"
			defaultAuthMode: 'userPool',
		},
	},
});

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

@sumitsahoo sumitsahoo added the pending-triage Issue is pending triage label Mar 20, 2024
@sumitsahoo
Author

@israx Created this new bug report

@nadetastic nadetastic self-assigned this Mar 20, 2024
@nadetastic nadetastic added the storage Issues tied to the storage category label Mar 20, 2024
@nadetastic
Member

Hi @sumitsahoo, I'm going to transfer this over to the CLI repo for better assistance.

@nadetastic nadetastic transferred this issue from aws-amplify/amplify-js Mar 20, 2024
@nadetastic nadetastic added the transferred This issue was transferred from another Amplify project label Mar 20, 2024
@ykethan
Member

ykethan commented Mar 21, 2024

Hey @sumitsahoo, are you importing a Cognito identity pool on amplify import auth? The storage category requires an identity pool on the auth resource to be set up.

@ykethan ykethan removed the transferred This issue was transferred from another Amplify project label Mar 21, 2024
@ykethan ykethan added the pending-response Issue is pending response from the issue author label Mar 21, 2024
@sumitsahoo
Author

@ykethan Yes I have tried to create and attach the user pool as seen from the screenshot below but no luck. I even tried to remove and then re-add auth after adding the identity pool. Do we have any documentation that I can follow?

Screenshot 2024-03-22 at 9 27 02 AM SCR-20240322-itww

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Mar 22, 2024
@ykethan ykethan added auth Issues tied to the auth category of the CLI and removed storage Issues tied to the storage category labels Mar 22, 2024
@ykethan
Member

ykethan commented Mar 22, 2024

@sumitsahoo thank you for the screenshots. I noticed the Guest access/unauthenticated role has not been enabled. Could you enable Guest access and re-import the auth user pool and identity pool?

const storageRequirements = { authSelections: 'identityPoolAndUserPool', allowUnauthenticatedIdentities };

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Mar 22, 2024
@sumitsahoo
Author

@ykethan Yes you were right. I did not select guest access as we do not have any uses for it. After I added guest access, I can set up storage. Screenshot below. But is this a bug? Do we always have to enable guest access even though we do not need it?

SCR-20240322-rlwh

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Mar 22, 2024
@ykethan
Member

ykethan commented Mar 22, 2024

@sumitsahoo this is currently the expected behavior. If you do not require the unauthenticated access, you can configure the role without any policies attached.

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Mar 22, 2024
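
The workaround in the comment above (guest access enabled on the identity pool, unauthenticated role left without policies) can be checked against the JSON that the AWS CLI returns. This is an added example, not part of the original thread and not Amplify CLI code; `auditGuestRole`, `sampleInputs`, the pool ID and the role ARN are constructed for illustration, and the trust-policy check is an extra assumption about what a least-privilege guest role should look like.

```javascript
// Added example, not Amplify CLI code. Inputs mirror the JSON returned by:
//   aws cognito-identity describe-identity-pool (pool), get-identity-pool-roles (poolRoles)
//   aws iam get-role (.Role object -> role), list-attached-role-policies (attached),
//   aws iam list-role-policies (inline)
function auditGuestRole({ pool, poolRoles, role, attached, inline }) {
  const findings = [];
  if (!pool.AllowUnauthenticatedIdentities) {
    findings.push('guest access is disabled on the identity pool');
  }
  const unauthArn = (poolRoles.Roles || {}).unauthenticated;
  if (unauthArn !== role.Arn) {
    findings.push('role is not mapped as the unauthenticated role of the pool');
  }
  // With guests unused, the role should grant nothing: no managed or inline policies.
  for (const p of attached.AttachedPolicies || []) findings.push(`managed policy attached: ${p.PolicyName}`);
  for (const name of inline.PolicyNames || []) findings.push(`inline policy present: ${name}`);
  // The trust policy should be pinned to this pool (aud) and to guest identities (amr).
  const pinned = [].concat(role.AssumeRolePolicyDocument.Statement).some((s) => {
    const c = s.Condition || {};
    const aud = (c.StringEquals || {})['cognito-identity.amazonaws.com:aud'];
    const amr = (c['ForAnyValue:StringLike'] || {})['cognito-identity.amazonaws.com:amr'];
    return s.Effect === 'Allow' && aud === pool.IdentityPoolId && amr === 'unauthenticated';
  });
  if (!pinned) findings.push('trust policy is not pinned to this pool and amr=unauthenticated');
  return findings;
}

// Constructed sample data (placeholder IDs), shaped like the CLI output listed above.
function sampleInputs() {
  const poolId = 'eu-west-1:00000000-0000-0000-0000-000000000000';
  const arn = 'arn:aws:iam::111122223333:role/example-unauthRole';
  return {
    pool: { IdentityPoolId: poolId, AllowUnauthenticatedIdentities: true },
    poolRoles: { IdentityPoolId: poolId, Roles: { unauthenticated: arn } },
    role: { Arn: arn, AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{
      Effect: 'Allow', Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': poolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' },
      } }] } },
    attached: { AttachedPolicies: [] },
    inline: { PolicyNames: [] },
  };
}
```

An empty result from `auditGuestRole(sampleInputs())` means the pool satisfies the storage requirement while the guest role carries no permissions.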
@sumitsahoo
Author

@ykethan Thanks for the help. Closing the case.

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Mar 22, 2024
This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
