Resource handler returned message: "A condition block must be present for the Cognito provider #13689

Closed
2 tasks done
meteordefect opened this issue Apr 3, 2024 · 5 comments
Labels
auth Issues tied to the auth category of the CLI functions Issues tied to the functions category pending-response Issue is pending response from the issue author pending-triage Issue is pending triage

Comments

@meteordefect

How did you install the Amplify CLI?

npm install -g @aws-amplify/cli

If applicable, what version of Node.js are you using?

v16.20.2

Amplify CLI Version

12.10.1

What operating system are you using?

Mac/Linux

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Newly created env, from an existing working env code.

Describe the bug

We have a working environment and are trying to create a new duplicate. When I use the existing code and do an amplify push I get this error. It seems to generate many of the lambdas then get stuck on these ones, possibly related to Cognito. The only change I made to our existing code is to upgrade the lambdas from node v14 to v16. We encountered this error on mac and linux. The error:

🛑 The following resources failed to deploy:
Resource Name: LambdaExecutionRole (AWS::IAM::Role)
Event Type: create
Reason: Resource handler returned message: "A condition block must be present for the Cognito provider (Service: Iam, Status Code: 400, Request ID: a7c1f84f-53f9-450b-ab6b-61c20a0b590a)" (RequestToken: 91410630-55e8-cdb6-fa49-00c9bc9ede63, HandlerErrorCode: InvalidRequest)

🛑 Resource is not in the state stackUpdateComplete
Name: LambdaExecutionRole (AWS::IAM::Role), Event Type: create, Reason: Resource handler returned message: "A condition block must be present for the Cognito provider (Service: Iam, Status Code: 400, Request ID: a7c1f84f-53f9-450b-ab6b-61c20a0b590a)" (RequestToken: 91410630-55e8-cdb6-fa49-00c9bc9ede63, HandlerErrorCode: InvalidRequest), IsCustomResource: false

Learn more at: https://docs.amplify.aws/cli/project/troubleshooting/

Session Identifier: 4a4f0ab6-d997-4acc-ba3e-e33b9162fe44

Expected behavior

Amplify will build successfully or hit the 2500 operations in a root stack error.

Reproduction steps

  • Pull code from gitlab
  • Amplify env add
  • Push, get error about node version 14
  • Upgrade all node versions from 14 to 16
  • Push

Project Identifier

/var/folders/5_/hxtfpdyx21s0b8sg7x9lqkrc0000gn/T/assessorbackend/report-1712101812929.zip

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@meteordefect meteordefect added the pending-triage Issue is pending triage label Apr 3, 2024
@ykethan
Member

ykethan commented Apr 4, 2024

Hey @meteordefect, thank you for reaching out. From the error message it appears this is occurring on a Lambda function that depends on an Auth resource.
Could you run amplify diagnose --send-report and provide us the Project identifier output from the terminal?

@ykethan ykethan added functions Issues tied to the functions category auth Issues tied to the auth category of the CLI pending-response Issue is pending response from the issue author labels Apr 4, 2024
@meteordefect
Author

meteordefect commented Apr 8, 2024

We received a solution from AWS which was to add the below policy block in the generated CloudFormation stack for the lambda function. But it seems to not work on some occasions.

"Condition": {
  "ForAnyValue:StringLike": {
    "cognito-identity.amazonaws.com:amr": "authenticated"
  }
},

@github-actions github-actions bot removed the pending-response Issue is pending response from the issue author label Apr 8, 2024
@ykethan
Member

ykethan commented Apr 8, 2024

@meteordefect glad to hear you were able to find a solution. Could you provide us some additional information on when the policy does not work?

@ykethan ykethan added the pending-response Issue is pending response from the issue author label Apr 8, 2024
@ykethan
Member

ykethan commented May 3, 2024

Closing the issue due to inactivity. Do reach out to us if you require any assistance.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale May 3, 2024

github-actions bot commented May 3, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
