
Circular dependency issue when trying to integrate Microsoft Entra ID with AWS Amplify Gen 2 using a preTokenGeneration Lambda function

Open aratil65 opened this issue 5 months ago • 1 comments

Environment information

AWS Amplify Gen 2
Region - us-west-2
Branch name - dev
Cognito user pool

Integrate Microsoft Entra ID with AWS Amplify Gen 2 using a preTokenGeneration Lambda function

Describe the bug

Experiencing a circular dependency issue when trying to integrate Microsoft Entra ID with AWS Amplify Gen 2 using a preTokenGeneration Lambda function. This function is necessary to map Entra ID groups to Cognito user groups, but the circular dependency prevents successful deployment.

Reasons for circular dependency - The circular dependency occurs because:

  • The Cognito User Pool needs to reference the Lambda function (to set it as a trigger)
  • The Lambda function needs permissions to be invoked by Cognito
  • In some cases, the Lambda also needs to access the Cognito User Pool
  • This creates a "chicken and egg" problem that CloudFormation (the underlying deployment technology used by Amplify) cannot resolve, resulting in deployment failures.

Build Log error: ❌ amplify-dn____59-dev-branch-de____df failed: ValidationError: Circular dependency between resources: [auth17____D7, data75____31, function13____8B]

Current State: We are not automatically mapping Entra Groups to Cognito Groups. Instead, we have implemented manual processes to assign the appropriate Cognito Group after the user's first login.

Queries -

  1. Is there any timeline to implement a preTokenGeneration Lambda function using defineBackend without getting a circular dependency error from CloudFormation?

Reproduction steps

Amplify Gen 2 allows importing an existing Cognito resource: https://docs.amplify.aws/react/build-a-backend/auth/use-existing-cognito-resources/

  1. Associate Entra ID to Cognito through Cognito console
    • Entra ID as OIDC IdP to Cognito: https://www.youtube.com/watch?v=3ImxqC60SWw
    • Entra ID as SAML IdP to Cognito: https://www.youtube.com/watch?v=VjZLU2s3Q48
  2. Configure a preTokenGeneration on Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken
  3. Test the authentication and preTokenGeneration without Amplify
  4. If the integration works, import the existing Cognito resource into Amplify
    • If the customer has already got a Cognito user pool in Amplify, they may need to remove the user pool first
    • If the existing user pool is a PROD user pool, they may need to back up the users

Microsoft Entra ID (SAML) - AWS Amplify Gen 2 Documentation

aratil65 · Jun 10 '25 09:06
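The group-mapping logic that the preTokenGeneration trigger in this issue is meant to perform, as an added example that is not the issue author's code or part of the Amplify project. It assumes the IdP attribute mapping writes the Entra ID group names into a custom attribute named `custom:groups` (a hypothetical name) and uses the Pre Token Generation V2_0 response shape (`claimsAndScopeOverrideDetails`) linked from the reproduction steps; only IdP groups present in an explicit allowlist are turned into Cognito groups.

```javascript
// Constructed allowlist: Entra ID group name -> Cognito user pool group name.
// Anything not listed here is ignored, so a stray IdP group cannot grant a role.
const GROUP_MAP = {
  "entra-admins": "Admins",
  "entra-readers": "Readers",
};

// Cognito flattens multi-valued IdP attributes into a string such as "[a, b]".
// Accept that form, a JSON array, or a plain comma-separated list.
function parseIdpGroups(raw) {
  if (raw === undefined || raw === null) return [];
  let s = String(raw).trim();
  try {
    const parsed = JSON.parse(s);
    if (Array.isArray(parsed)) return parsed.map(String);
  } catch (_) { /* not JSON, fall through */ }
  if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1);
  return s.split(",").map((g) => g.trim()).filter(Boolean);
}

// Map IdP groups to Cognito groups through the allowlist; deduplicate and sort
// so the resulting cognito:groups claim is deterministic.
function mapGroups(idpGroups) {
  const out = new Set();
  for (const g of idpGroups) {
    if (Object.prototype.hasOwnProperty.call(GROUP_MAP, g)) out.add(GROUP_MAP[g]);
  }
  return [...out].sort();
}

// Build the V2_0 response: groupsToOverride replaces the user's Cognito groups
// for this token only; the user pool group membership itself is not changed.
function buildResponse(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const groups = mapGroups(parseIdpGroups(attrs["custom:groups"])); // assumed attribute name
  event.response = event.response || {};
  event.response.claimsAndScopeOverrideDetails = {
    groupOverrideDetails: { groupsToOverride: groups },
  };
  return event;
}

// Lambda entry point for the Cognito pre token generation trigger.
async function handler(event) {
  return buildResponse(event);
}

if (typeof module !== "undefined") module.exports = { handler, parseIdpGroups, mapGroups, buildResponse };
```

The custom attribute carrying the IdP groups should be marked as not writable by app clients, otherwise a user could set it themselves and pick their own Cognito groups.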