Cognito User Pool cannot update with CloudFormation due to schema attribute conflict

0

I have a user pool that I created with CF about 4 years ago. After I deployed it I didn't change it. The CF also included a pre-signup function that was using nodejs12.x, a version that's now not available or supported.

I need to update the version of this lambda to 18.x, which I thought would be as simple as changing it in the template and running the update. When I try to update the stack, it fails saying:

Resource handler returned message: "Invalid request provided: Existing schema attributes cannot be modified or deleted."

As I mentioned, I haven't changed the template in any way since last time it was synced, but that was a long time ago. I have checked to make sure the parameters listed exactly match those in the deployed stack. I also tried reverse engineering the stack into a fresh template using Former2, and when I try to do an update with that it says the same thing. It seems like something has changed in user pools that is not backwards compatible, and there's no way to modernise the stack. Seeking any suggestions.

To make matters slightly more annoying, when the update fails it doesn't roll back successfully because it refuses to roll back to nodejs12.x. I know I can roll back excluding that function; it's just annoying.

1 Answer
0

Hello.

Just to be sure, use the AWS CLI command below to check "SchemaAttributes" and make sure it matches the contents of the CloudFormation template.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/describe-user-pool.html

aws cognito-idp describe-user-pool --user-pool-id us-west-2_aaaaaaaaa

AWS CLI can be executed from CloudShell.
https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html

Also, try deploying only the Cognito user pool using CloudFormation in a different AWS account, etc., and check whether the settings are the same as the existing user pool.
If all of these match, it may be an issue on the AWS side, so I recommend that you open a case with AWS Support under "Account and billing".
Inquiries under "Account and billing" can be made free of charge.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

EXPERT
answered 2 months ago
  • Thanks for the suggestion. I actually tried getting the attributes via describe-user-pool already and they are the same, plus it lists all the default attributes, even ones that are not enabled in the pool. I noticed this strange behaviour so deployed a new user pool with only email as a default attribute, and no custom attributes, and it still lists everything. I think I will follow your advice and just file a support request via accounts and billing. Thanks.
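An added example (not code from the question or the answer above) that performs the comparison the answer suggests while allowing for the behaviour noted in the comment: it diffs the `SchemaAttributes` from `describe-user-pool` against a template's `Schema`, treats the standard attributes Cognito always lists as expected, maps template custom attribute names to their `custom:` form, and reports only the modifications or deletions an update would require. The sample pool output and template schema are constructed; in use, replace them with the CLI's parsed JSON and the `Schema` list from the `AWS::Cognito::UserPool` resource.

```python
"""Diff a deployed Cognito user pool schema against a CloudFormation Schema.
Pass the parsed JSON of `aws cognito-idp describe-user-pool` and the Schema
list from the AWS::Cognito::UserPool resource."""
# Constructed sample, trimmed to the shape of describe-user-pool output.
DESCRIBE_OUTPUT = {"UserPool": {"SchemaAttributes": [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True, "Required": True,
     "StringAttributeConstraints": {"MinLength": "0", "MaxLength": "2048"}},
    {"Name": "custom:tenant_id", "AttributeDataType": "String", "Mutable": False,
     "Required": False, "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}},
    {"Name": "custom:legacy_flag", "AttributeDataType": "Number", "Mutable": True,
     "Required": False, "NumberAttributeConstraints": {"MinValue": "0", "MaxValue": "1"}},
]}}

# Constructed sample: the template's Schema. Custom attributes are declared
# without the "custom:" prefix; Cognito adds it when the pool is created.
TEMPLATE_SCHEMA = [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True, "Required": True},
    {"Name": "tenant_id", "AttributeDataType": "String", "Mutable": True,
     "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}},
]

COMPARED = ("AttributeDataType", "DeveloperOnlyAttribute", "Mutable", "Required",
            "StringAttributeConstraints", "NumberAttributeConstraints")

def _norm(value):  # the API returns constraint bounds as strings; templates may use numbers
    return {k: str(v) for k, v in value.items()} if isinstance(value, dict) else value

def schema_diff(describe_output, template_schema):
    """Return the changes an update would have to make to existing attributes.
    Keys the template omits take Cognito defaults and are not compared."""
    pool = {a["Name"]: a for a in describe_output["UserPool"]["SchemaAttributes"]}
    problems, seen = [], set()
    for attr in template_schema:
        name = attr["Name"] if attr["Name"] in pool else "custom:" + attr["Name"]
        live = pool.get(name)
        if live is None:
            problems.append(f"{name}: declared in template but not in pool")
            continue
        seen.add(name)
        for key in COMPARED:
            if key in attr and _norm(attr[key]) != _norm(live.get(key)):
                problems.append(f"{name}.{key}: template={attr[key]!r} pool={live.get(key)!r}")
    # describe-user-pool lists every standard attribute whether or not the pool uses
    # it, so only custom attributes absent from the template count as deletions.
    problems += [f"{n}: in pool but not in template" for n in pool
                 if n.startswith("custom:") and n not in seen]
    return problems

if __name__ == "__main__":
    print("\n".join(schema_diff(DESCRIBE_OUTPUT, TEMPLATE_SCHEMA)) or "schemas match")
```

An empty result means the template only restates what is already deployed, which is the case the answer asks you to confirm before opening a support case.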