I have an UserPool provisioned with AWS CDK.
I now noticed that Cognito is sending emails from Cognitop itself which is restricted in rates and amount of emails. They recommend to switch to an SES configuration.
After updating AWS-CDK to version 1.147.0 I was able to configure the UserPool's email settings.
this.userPool = new cognito.UserPool(this, "auth-pool", {
userPoolName: `...`,
...
email: cognito.UserPoolEmail.withSES({
sesRegion: "eu-west-1",
fromEmail: "...",
}),
...
})
I added before calling cdk deploy a verified identity
for the domain
and also for the email no-reply#DOMAIN
I also clicked on the verify link on the received email.
Still I get the following error when I try to deploy the stack changes:
Cognito received the following error from Amazon SES when attempting to send email: Email address is not verified. The following identities failed the check in region
EU-WEST-1: arn:aws:ses:eu-west-1:ACCOUNT:identity/no-reply#DOMAIN
My Stack runs in a different region but as Cognito can also use eu-west-1 (and other regions) I use this for the CDK settings.
Anyone an idea? I configured this manually in the AWS console and it is working :-|
Did you try sending a test email from the domain/email you verified? See end of this tutorial video:
https://www.youtube.com/watch?v=nxXIpPZzMd0
Related
I just started using AWS Cognito in my App, I followed instructions and installed Amplify and created User Pool and Identity pool and set up everything.
I created a signup form and signet up with no problems with Aut.signUp() and confirmed email.
But when I tried logging in I entered my credentials and got NotAuthorizedException, Incorrect username or password.
I am logging in like this:
Auth.signIn(user.Username, user.Password)
.then((res) => {
AsyncStorage.setItem('token', JSON.stringify(user))
.then(res =>{
console.log('saved')
})
.catch(err=>{
console.log(err)
})
No matter what I enter in input fields I get this error. I just started using Amazon AWS and can't really think of a problem
So after a few days of trying to solve this, I found a solution.
In AWS config by default Authentication Flow Type is set to USER_SRP_AUTH
What you need to do is in your AWS config put:
authenticationFlowType: 'USER_PASSWORD_AUTH',
And then go to amazon cognito panel -> user pool - > app clients - >show details -> Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH).
I'm working on an ASP.NET Core project that will be deployed to AWS. Recently the client came back and requested to pull a few values from AWS SecretsManager. I'm using the permissions inherited from the IAM Role associated to the EC2 instance that the service is deployed to.
In production use this service will be hosted by the client themselves on their own AWS account.
When I deploy to my own test AWS account the process works just fine but when the client deploys to their own AWS account they are getting a 403 Forbidden response on the call to get the secret value. They have the secret and permissions policy set up like I do but still the 403 error.
AmazonSecretsManagerClient client = new AmazonSecretsManagerClient();
var secretRequest = new GetSecretValueRequest
{
SecretId = "MySecretName"
};
// FAILS HERE
GetSecretValueResponse secretResponse = await client.GetSecretValueAsync(secretRequest);
It is a HttpRequestException with a message of "Response status code does not indicate success: 403 (Forbidden)."
My question isn't really a coding issue since this does work on my test AWS account. This seems like it must be an environment issue with the client's AWS account.
My experience with AWS is very limited so I have no idea what would be causing this.
Is the customer trying to fetch the exact same secret you are using in your account? This would require using a custom CMK and adding a resource policy granting access as described in the AWS docs.
I have an Amazon SES connection setup which is currently in Sandbox mode.
I have my email address, I use my real one but for this post let's call it myemail#arealdomain.com. It's verified in SES, in the email tab it says "verified" right next to it.
I have a Node app which sends the mail via Nodemailer
this.transporter = nodemailer.createTransport({
SES: new aws.SES({ region: "us-east-1" })
});
this.defaultFromAddress = 'myemail#arealdomain.com';
and then I send it with this.transporter.sendMail, with ALL email addresses being the same myemail#arealdomain.com
When I try to send an email, (both TO and FROM the same address, which is Verified on SES)
On send I get the below error
Error: MessageRejected: Email address is not verified. The following identities failed the check in region US-EAST-1: myemail#arealdomain.com
Any ideas how to fix?
update
Per the conversation below I triple confirmed both my region and email address is correct across both my code and AWS. The to and from address are the same, and is listed in AWS as "verified". I'm still having this issue and totally unsure how to proceed
update2
Sending a "Test Email" from the SES dashboard works just fine, using the same email addresses...
update3
It gets weirder! So we got out of Sandbox mode yesterday and are a normal SES account now. Same exact errors no matter what combo of to/from addresses I'm using. I'm always using a "verified" address as the FROM, and no matter the TO (even if it's also a verified address) I get the exact same error that
Error: MessageRejected: Email address is not verified. The following
identities failed the check in region US-EAST-1:
myemail#arealdomain.com
Okay so it turns out while I was running locally it was using the incorrect AWS credentials (for an other project). Still unsure how to fix but that's the actual problem nothing wrong with SES
We had a similar problem today, and after checking all the credentials and the SES dashboard, the answer turned out to be a case-sensitivity issue in the left-hand side of the address. The verified email was:
noreply#company.com
but I was setting
NoReply#company.com
in the header, and that caused the verification to fail.
Faced the same issue today. Wasted couple of hours on this.
SESv2Client library for node.js uses the default aws-cli config when the credentials config is not passed propery.
const ses = new SESv2Client({
region: 'region-code',
credentials: {
accessKeyId: 'ABC',
secretAccessKey: 'xyz'
}
});
To use the SES within AWS to handle my site's subscriptions, I did the following:
Verified my email and domain that I want to send the email from. Also used IAM and gave the proper access to send a customized email
Using AWS Cli created a CustomVerificationEmailTemplate.
Created a configuration set and linked it to a SNS.
Used Java SDK, created a client of type AmazonSimpleEmailService and a sendCustomVerificationEmailRequest variable and used the sendCustomVerificationEmail method to send the invitation email.
However I do get the following exception:
[ProductionAccessNotGrantedException: null (Service: AmazonSimpleEmailService; Status Code: 400; Error Code: ProductionAccessNotGranted; Request ID: *****
Any idea why I do get this exception? Where should I get the production access?
SES service will be under sandbox status by default in all AWS accounts. In sandbox status, we can not do certain things like using CustomVerificationEmailTemplate.
We need to raise a service request to take it out of sandbox status. more documentation process on how to get it out sandbox status is here.
when going to the custom AWS Cognito UI Page:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>
am getting the following error:
An error was encountered with the requested page.
View error
invalid_request
O-Auth options need to be check as shown in the following picture
from https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
You need the following in the App client Settings of your user pool:
Enable Cognito User Pool as "Identity Provider".
Allowed "OAuth Scopes" should have openid enabled.
In my case, it appears there was some issue with verifying the phone number. So switched back to email.
This document is good for checking everything.
https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
Unless the SMS Sending setup is not complete, do not choose the Email or Phone option. Email or phone actually falls back to phone number only. Read the warning messages.
TLDR: If you use an AWS User Pool with Cognito App Client and have an Application Load Balancer that is exposed via a custom DNS entry (e.g. custom-domain.com, which has to be secured via SSL), use this custom domain for the Cognito App Client's callback URL (i.e. https://custom-domain.com/oauth2/idpresponse) instead if the random DNS name created by AWS.
I had the same error and this issue solved it for me. I used a User Pool with a Cognito App Client and as callback URL I first used the DNS name that AWS created for it (<load balancer name>-<random number>.<region>.elb.amazonaws.com, i.e. "callbackUrl": "https://<load balancer name>-<random number>.<region>.elb.amazonaws.com/oauth2/idpresponse). I also created a DNS record for a custom domain to expose the load balancer to the internet and secured it via SSL. As a result, the certificate was not valid for the URL created by AWS, but only my custom domain. The Cognito App Client was thus trying to access the URL with the invalid SSL certificate and returned the error.