Analytics role not working

Open sergiorodriguez82 opened this issue 3 years ago • 17 comments

JavaScript Framework

Angular

Amplify APIs

Authentication, Analytics, REST API, GraphQL API, DataStore, Storage

Amplify Categories

auth, analytics

Describe the bug

Hi, I just added the analytics category to my app and I'm getting this error:

ERROR Error: Uncaught (in promise): User: arn:aws:sts::XXXXX:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:XXXXXX:apps/4a167a45b9784eba813852e3f3c86205/events
User: arn:aws:sts::704766592508:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:704766592508:apps/4a167a45b9784eba813852e3f3c86205/events

Also, I'm getting this warning:

AWSPinpointProvider - Please ensure you have updated your Pinpoint IAM Policy with the Action: "mobiletargeting:PutEvents" in order to record events

Expected behavior

Events being recorded as expected

Reproduction steps

Add the analytics category
Add the record event as shown in the docs

sergiorodriguez82 avatar Jun 14 '22 14:06 sergiorodriguez82

Hi @sergiorodriguez82 👋 thanks for raising this issue. Can you provide the contents of your package.json and aws-exports files for your dev environment? And share any code snippets of how you might be configuring Amplify or Analytics? (ex. Amplify.configure, Analytics.configure)

chrisbonifacio avatar Jun 15 '22 13:06 chrisbonifacio

Hi,

this is my aws-exports

/* eslint-disable */
// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.

const awsmobile = {
    "aws_project_region": "us-east-2",
    "aws_appsync_graphqlEndpoint": "https://d52oj4gayvdnbgqutnk6fpdaiq.appsync-api.us-east-2.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-2",
    "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",
    "aws_cloud_logic_custom": [
        {
            "name": "tp2IntegrationAPI",
            "endpoint": "https://9ynw6cndr9.execute-api.us-east-2.amazonaws.com/develop",
            "region": "us-east-2"
        }
    ],
    "aws_cognito_identity_pool_id": "us-east-2:f3cac181-7ddb-40c7-ae02-a6ae091a6cd5",
    "aws_cognito_region": "us-east-2",
    "aws_user_pools_id": "us-east-2_qVBo3N2qI",
    "aws_user_pools_web_client_id": "3srk7fag6gjj4k454pqgvj40gn",
    "oauth": {},
    "aws_cognito_username_attributes": [],
    "aws_cognito_social_providers": [],
    "aws_cognito_signup_attributes": [
        "PHONE_NUMBER"
    ],
    "aws_cognito_mfa_configuration": "OPTIONAL",
    "aws_cognito_mfa_types": [
        "SMS"
    ],
    "aws_cognito_password_protection_settings": {
        "passwordPolicyMinLength": "6",
        "passwordPolicyCharacters": []
    },
    "aws_cognito_verification_mechanisms": [
        "EMAIL"
    ],
    "aws_user_files_s3_bucket": "tp2storage215625-develop",
    "aws_user_files_s3_bucket_region": "us-east-2",
    "aws_mobile_analytics_app_id": "4a167a45b9784eba813852e3f3c86205",
    "aws_mobile_analytics_app_region": "us-east-1"
};

export default awsmobile;

This is the snippet of how I register one event

loginUser(response: any): void {
    ...
      Analytics.record({
        name: 'User_loggedIn',
        immediate: true,
        attributes: {
          user: this.authService.getUsername(),
          source: 'tp2Site',
        },
      });
    }
...

this is the package.json

{
  "name": "trialpal2-web",
  "version": "1.0.5",
  "sasslintConfig": ".sasslintrc.json",
  "scripts": {
    "ng": "ng",
    "start": "ng serve",
    "build": "ng build",
    "test": "ng test",
    "lint": "ng lint",
    "e2e": "ng e2e",
    "build:prod": "ng build --configuration production",
    "build:uat": "ng build --configuration uat",
    "build:release": "ng build --configuration release",
    "build:develop": "ng build --configuration develop",
    "test:ci": "ng test --no-watch --no-progress --browsers ChromeHeadlessCI --code-coverage",
    "e2e:ci": "ng e2e --protractor-config=e2e/protractor-ci.conf.js"
  },
  "private": true,
  "dependencies": {
    "@angular/animations": "~12.0.2",
    "@angular/cdk": "^12.0.2",
    "@angular/common": "~12.0.2",
    "@angular/compiler": "~12.0.2",
    "@angular/core": "~12.0.2",
    "@angular/forms": "~12.0.2",
    "@angular/platform-browser": "~12.0.2",
    "@angular/platform-browser-dynamic": "~12.0.2",
    "@angular/router": "~12.0.2",
    "@ngx-translate/core": "^13.0.0",
    "@ngx-translate/http-loader": "^6.0.0",
    "@types/chart.js": "^2.9.35",
    "apollo-cache-inmemory": "^1.6.6",
    "apollo-client": "^2.6.10",
    "apollo-link": "^1.2.14",
    "apollo-link-http": "^1.5.17",
    "aws-amplify": "^4.3.4",
    "aws-appsync": "^4.0.3",
    "aws-sdk": "^2.1034.0",
    "bn-ng-idle": "^2.0.1",
    "chart.js": "^3.7.0",
    "crypto": "^1.0.1",
    "es6-promise": "^4.2.8",
    "esbuild": "^0.14.38",
    "fs-extra": "^10.0.0",
    "graphql-tag": "^2.12.4",
    "isomorphic-fetch": "^3.0.0",
    "moment": "^2.29.3",
    "moment-timezone": "^0.5.34",
    "ng2-charts": "^3.0.6",
    "primeflex": "^2.0.0",
    "primeicons": "^4.1.0",
    "primeng": "^12.0.0-rc.1",
    "pupeteer": "0.0.1",
    "puppeteer": "^10.2.0",
    "quill": "^1.3.7",
    "rxjs": "~6.6.7",
    "tslib": "^2.0.0",
    "util": "^0.12.4",
    "zone.js": "~0.11.4"
  },
  "devDependencies": {
    "@angular-devkit/build-angular": "^12.2.17",
    "@angular-eslint/builder": "^12.0.0",
    "@angular-eslint/eslint-plugin": "^12.0.0",
    "@angular-eslint/eslint-plugin-template": "^12.0.0",
    "@angular-eslint/schematics": "12.0.0",
    "@angular-eslint/template-parser": "^12.0.0",
    "@angular/cli": "~12.0.2",
    "@angular/compiler-cli": "~12.0.2",
    "@babel/cli": "^7.14.5",
    "@babel/core": "^7.14.3",
    "@babel/preset-env": "^7.14.2",
    "@babel/preset-typescript": "^7.14.5",
    "@types/graphql": "^14.5.0",
    "@types/jasmine": "^3.7.6",
    "@types/node": "^15.6.1",
    "@typescript-eslint/eslint-plugin": "^4.25.0",
    "@typescript-eslint/parser": "^4.25.0",
    "eslint": "^7.32.0",
    "eslint-config-prettier": "^8.3.0",
    "eslint-plugin-prettier": "^3.4.0",
    "graphql": "^15.5.0",
    "husky": "^6.0.0",
    "jasmine-core": "^3.7.1",
    "jasmine-spec-reporter": "^7.0.0",
    "karma": "^6.3.17",
    "karma-chrome-launcher": "^3.1.0",
    "karma-coverage": "~2.0.3",
    "karma-jasmine": "~4.0.0",
    "karma-jasmine-html-reporter": "^1.6.0",
    "ngx-translate-testing": "^5.1.0",
    "prettier": "2.4.1",
    "prettier-plugin-organize-imports": "^2.1.0",
    "protractor": "~7.0.0",
    "ts-node": "~8.3.0",
    "typescript": "~4.2.4"
  }
}

This is my main.ts

import { enableProdMode } from '@angular/core';
import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
import Amplify from 'aws-amplify';
import { AppModule } from './app/app.module';
import awsmobile from './aws-exports';
import { environment } from './environments/environment';

Amplify.configure(awsmobile);

if (environment.production) {
  enableProdMode();
  Amplify.Logger.LOG_LEVEL = 'ERROR';
} else {
  Amplify.Logger.LOG_LEVEL = 'DEBUG';
}

platformBrowserDynamic()
  .bootstrapModule(AppModule)
  .catch((err) => console.error(err));

This is the Pinpoint cloud template generated

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "{\"createdOn\":\"Mac\",\"createdBy\":\"Amplify\",\"createdWith\":\"8.4.0\",\"stackType\":\"analytics-Pinpoint\",\"metadata\":{}}",
  "Parameters": {
    "appName": {
      "Type": "String"
    },
    "appId": {
      "Type": "String",
      "Default": "NONE"
    },
    "roleName": {
      "Type": "String"
    },
    "cloudformationPolicyName": {
      "Type": "String"
    },
    "cloudWatchPolicyName": {
      "Type": "String"
    },
    "pinpointPolicyName": {
      "Type": "String"
    },
    "authPolicyName": {
      "Type": "String"
    },
    "unauthPolicyName": {
      "Type": "String"
    },
    "authRoleName": {
      "Type": "String"
    },
    "unauthRoleName": {
      "Type": "String"
    },
    "authRoleArn": {
      "Type": "String"
    },
    "env": {
      "Type": "String"
    }
  },
  "Metadata": {
    "AWS::CloudFormation::Interface": {
      "ParameterGroups": [
        {
          "Label": {
            "default": "Creating pinpoint app"
          },
          "Parameters": [
            "appName"
          ]
        }
      ]
    }
  },
  "Conditions": {
    "ShouldCreatePinpointApp": {
      "Fn::Equals": [
        {
          "Ref": "appId"
        },
        "NONE"
      ]
    },
    "ShouldNotCreateEnvResources": {
      "Fn::Equals": [
        {
          "Ref": "env"
        },
        "NONE"
      ]
    }
  },
  "Resources": {
    "LambdaExecutionRole": {
      "Condition": "ShouldCreatePinpointApp",
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": {
          "Fn::If": [
            "ShouldNotCreateEnvResources",
            {
              "Ref": "roleName"
            },
            {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "roleName"
                  },
                  "-",
                  {
                    "Ref": "env"
                  }
                ]
              ]
            }
          ]
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": {
              "Ref": "pinpointPolicyName"
            },
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "mobileanalytics:*",
                    "mobiletargeting:*"
                  ],
                  "Resource": "*"
                }
              ]
            }
          },
          {
            "PolicyName": {
              "Ref": "cloudformationPolicyName"
            },
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "cloudformation:*"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },
    "LambdaCloudWatchPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": {
          "Ref": "cloudWatchPolicyName"
        },
        "Roles": [
          {
            "Ref": "LambdaExecutionRole"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": {
                "Fn::Sub": [
                  "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${lambdaName}:log-stream:*",
                  {
                    "lambdaName": {
                      "Ref": "PinpointFunction"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    },
    "PinpointFunction": {
      "Type": "AWS::Lambda::Function",
      "Condition": "ShouldCreatePinpointApp",
      "Properties": {
        "Code": {
          "ZipFile": {
            "Fn::Join": [
              "\n",
              [
                "const response = require('cfn-response');",
                "const aws = require('aws-sdk');",
                "exports.handler = function(event, context) {",
                "    if (event.RequestType == 'Delete') {",
                "      const stackID = event.StackId;",
                "      const cloudFormationClient = new aws.CloudFormation({ apiVersion: '2016-12-01', region: event.ResourceProperties.region });",
                "      cloudFormationClient.describeStacks({ StackName: stackID }).promise()",
                "        .then(describeStacksOutput => {",
                "          let appId;",
                "          if (describeStacksOutput.Stacks && describeStacksOutput.Stacks.length > 0) {",
                "            const { Outputs } = describeStacksOutput.Stacks[0];",
                "            const appIdOutput = Outputs.find((output)=>{ return output.OutputKey === 'Id'});",
                "            appId = appIdOutput ? appIdOutput.OutputValue : undefined;  ",
                "          }",
                "          return appId;",
                "        })",
                "        .then(appId => {",
                "          if (appId) {",
                "            const pinpointClient = new aws.Pinpoint({ apiVersion: '2016-12-01', region: event.ResourceProperties.pingPointRegion });",
                "            const params = {",
                "              ApplicationId: appId,",
                "            };",
                "            pinpointClient.deleteApp(params).promise();",
                "          }",
                "        })",
                "        .then(()=>{",
                "          response.send(event, context, response.SUCCESS, {'message': `Successfully deleted pinpoint project`});",
                "        })",
                "        .catch(e=>{",
                "          if (e.code !== 'ParameterNotFound') {",
                "            response.send(event, context, response.FAILED, {'message': `Failed to deleted Pinpoint project`, 'exception': e});",
                "          } else {",
                "            response.send(event, context, response.SUCCESS, {'message': `Successfully deleted pinpoint project`});",
                "          }",
                "        }); ",
                "    }",
                "    if (event.RequestType == 'Update') {",
                "        response.send(event, context, response.SUCCESS);",
                "        return;",
                "    }",
                "    if (event.RequestType == 'Create') {",
                "       const appName = event.ResourceProperties.appName;",
                "       let responseData = {};",
                "       const params = {",
                "           CreateApplicationRequest: {",
                "               Name: appName",
                "           }",
                "       };",
                "       const pinpoint = new aws.Pinpoint({ apiVersion: '2016-12-01', region: event.ResourceProperties.pingPointRegion });",
                "       pinpoint.createApp(params).promise()",
                "           .then((res) => {",
                "               responseData = res.ApplicationResponse;",
                "               response.send(event, context, response.SUCCESS, responseData);",
                "           }).catch((err) => {",
                "               console.log(err.stack);",
                "               responseData = {Error: err};",
                "               response.send(event, context, response.FAILED, responseData);",
                "               throw err;",
                "           });",
                "    }",
                "};"
              ]
            ]
          }
        },
        "Handler": "index.handler",
        "Runtime": "nodejs14.x",
        "Timeout": 300,
        "Role": {
          "Fn::GetAtt": [
            "LambdaExecutionRole",
            "Arn"
          ]
        }
      }
    },
    "PinpointFunctionOutputs": {
      "Type": "Custom::LambdaCallout",
      "Condition": "ShouldCreatePinpointApp",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "PinpointFunction",
            "Arn"
          ]
        },
        "region": {
          "Ref": "AWS::Region"
        },
        "pingPointRegion": {
          "Fn::FindInMap": [
            "RegionMapping",
            {
              "Ref": "AWS::Region"
            },
            "pinpointRegion"
          ]
        },
        "appName": {
          "Fn::If": [
            "ShouldNotCreateEnvResources",
            {
              "Ref": "appName"
            },
            {
              "Fn::Join": [
                "",
                [
                  {
                    "Ref": "appName"
                  },
                  "-",
                  {
                    "Ref": "env"
                  }
                ]
              ]
            }
          ]
        }
      },
      "DependsOn": "PinpointFunction"
    },
    "CognitoUnauthPolicy": {
      "Type": "AWS::IAM::Policy",
      "Condition": "ShouldCreatePinpointApp",
      "Properties": {
        "PolicyName": {
          "Ref": "unauthPolicyName"
        },
        "Roles": [
          {
            "Ref": "unauthRoleName"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:PutEvents",
                "mobiletargeting:UpdateEndpoint"
              ],
              "Resource": [
                {
                  "Fn::If": [
                    "ShouldCreatePinpointApp",
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:mobiletargeting:*:",
                          {
                            "Fn::Select": [
                              "4",
                              {
                                "Fn::Split": [
                                  ":",
                                  {
                                    "Ref": "authRoleArn"
                                  }
                                ]
                              }
                            ]
                          },
                          ":apps/",
                          {
                            "Fn::GetAtt": [
                              "PinpointFunctionOutputs",
                              "Id"
                            ]
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:mobiletargeting:*:",
                          {
                            "Fn::Select": [
                              "4",
                              {
                                "Fn::Split": [
                                  ":",
                                  {
                                    "Ref": "authRoleArn"
                                  }
                                ]
                              }
                            ]
                          },
                          ":apps/",
                          {
                            "Ref": "appId"
                          },
                          "*"
                        ]
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    },
    "CognitoAuthPolicy": {
      "Type": "AWS::IAM::Policy",
      "Condition": "ShouldCreatePinpointApp",
      "Properties": {
        "PolicyName": {
          "Ref": "authPolicyName"
        },
        "Roles": [
          {
            "Ref": "authRoleName"
          }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:PutEvents",
                "mobiletargeting:UpdateEndpoint"
              ],
              "Resource": [
                {
                  "Fn::If": [
                    "ShouldCreatePinpointApp",
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:mobiletargeting:*:",
                          {
                            "Fn::Select": [
                              "4",
                              {
                                "Fn::Split": [
                                  ":",
                                  {
                                    "Ref": "authRoleArn"
                                  }
                                ]
                              }
                            ]
                          },
                          ":apps/",
                          {
                            "Fn::GetAtt": [
                              "PinpointFunctionOutputs",
                              "Id"
                            ]
                          },
                          "*"
                        ]
                      ]
                    },
                    {
                      "Fn::Join": [
                        "",
                        [
                          "arn:aws:mobiletargeting:*:",
                          {
                            "Fn::Select": [
                              "4",
                              {
                                "Fn::Split": [
                                  ":",
                                  {
                                    "Ref": "authRoleArn"
                                  }
                                ]
                              }
                            ]
                          },
                          ":apps/",
                          {
                            "Ref": "appId"
                          },
                          "*"
                        ]
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "Region": {
      "Value": {
        "Fn::FindInMap": [
          "RegionMapping",
          {
            "Ref": "AWS::Region"
          },
          "pinpointRegion"
        ]
      }
    },
    "Id": {
      "Value": {
        "Fn::If": [
          "ShouldCreatePinpointApp",
          {
            "Fn::GetAtt": [
              "PinpointFunctionOutputs",
              "Id"
            ]
          },
          {
            "Ref": "appId"
          }
        ]
      }
    },
    "appName": {
      "Value": {
        "Fn::If": [
          "ShouldCreatePinpointApp",
          {
            "Fn::GetAtt": [
              "PinpointFunctionOutputs",
              "Name"
            ]
          },
          {
            "Ref": "appName"
          }
        ]
      }
    }
  },
  "Mappings": {
    "RegionMapping": {
      "us-east-1": {
        "pinpointRegion": "us-east-1"
      },
      "us-east-2": {
        "pinpointRegion": "us-east-1"
      },
      "sa-east-1": {
        "pinpointRegion": "us-east-1"
      },
      "ca-central-1": {
        "pinpointRegion": "us-east-1"
      },
      "us-west-1": {
        "pinpointRegion": "us-west-2"
      },
      "us-west-2": {
        "pinpointRegion": "us-west-2"
      },
      "cn-north-1": {
        "pinpointRegion": "us-west-2"
      },
      "cn-northwest-1": {
        "pinpointRegion": "us-west-2"
      },
      "ap-south-1": {
        "pinpointRegion": "us-west-2"
      },
      "ap-northeast-3": {
        "pinpointRegion": "us-west-2"
      },
      "ap-northeast-2": {
        "pinpointRegion": "us-west-2"
      },
      "ap-southeast-1": {
        "pinpointRegion": "us-west-2"
      },
      "ap-southeast-2": {
        "pinpointRegion": "us-west-2"
      },
      "ap-northeast-1": {
        "pinpointRegion": "us-west-2"
      },
      "eu-central-1": {
        "pinpointRegion": "eu-central-1"
      },
      "eu-north-1": {
        "pinpointRegion": "eu-central-1"
      },
      "eu-west-1": {
        "pinpointRegion": "eu-west-1"
      },
      "eu-west-2": {
        "pinpointRegion": "eu-west-1"
      },
      "eu-west-3": {
        "pinpointRegion": "eu-west-1"
      },
      "me-south-1": {
        "pinpointRegion": "ap-south-1"
      }
    }
  }
}

sergiorodriguez82 avatar Jun 15 '22 14:06 sergiorodriguez82

@sergiorodriguez82 - could you share the snippet where you are calling Analytics.configure? Thanks!

david-mcafee avatar Jun 16 '22 02:06 david-mcafee

Hi, I didn't have any configure code in my app, assuming it is not necessary; the docs don't refer to this configuration.

I tried adding these lines to the constructor of my app.component (also tried main.ts)

Analytics.configure({
   // OPTIONAL - Allow recording session events. Default is true.
   autoSessionRecord: true,
 });

I think the error is not a configuration issue, the error in the console is clear

ERROR Error: Uncaught (in promise): User: arn:aws:sts::xxxx:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:xxxx:apps/4a167a45b9784eba813852e3f3c86205/events
User: arn:aws:sts::xxxx:assumed-role/us-east-2_qVBo3N2qI-AdminGroupRole/CognitoIdentityCredentials is not authorized to perform: mobiletargeting:PutEvents on resource: arn:aws:mobiletargeting:us-east-1:xxxx:apps/4a167a45b9784eba813852e3f3c86205

Maybe it could be related to the region I'm using? This project runs in the us-east-2 region, and the Pinpoint service runs in us-east-2

Thanks

sergiorodriguez82 avatar Jun 16 '22 15:06 sergiorodriguez82

I have added the permissions manually to the us-east-2_qVBo3N2qI-AdminGroupRole and the error is gone. This role only has the s3 permissions. Keep this issue open so maybe a fix is in place

sergiorodriguez82 avatar Jun 16 '22 16:06 sergiorodriguez82

Hi @sergiorodriguez82 , did you add your analytics resource via the CLI command "amplify add analytics"?

Or did it already exist and was manually imported?

chrisbonifacio avatar Jun 16 '22 16:06 chrisbonifacio

> Hi @sergiorodriguez82 , did you add your analytics resource via the CLI command "amplify add analytics"?
>
> Or did it already exist and was manually imported?

I did it from the cli command

sergiorodriguez82 avatar Jun 16 '22 16:06 sergiorodriguez82

Running into the same problem as described here. Added Cognito auth and Analytics via CLI as described in the docs verbatim. Receiving the same error as @sergiorodriguez82 upon calling Analytics.record.

ezeev avatar Jul 21 '22 20:07 ezeev

I resolved this. The root issue was that we are using Cognito groups as demonstrated in https://docs.amplify.aws/cli/auth/groups/#group-access-controls. When users are logged in, they assume an IAM role based on their Cognito group. The CLI and generated CloudFormation don't update the policies for these roles when you add Pinpoint analytics. The solution was to add "customPolicies" to the auth/user-pool-group-precedence.json file.

ezeev avatar Jul 23 '22 15:07 ezeev

To expand on the solution @ezeev presented, see the following snippet for an example auth/user-pool-group-precedence.json file.

[
  {
    "groupName": "SuperAdmins",
    "precedence": 1,
    "customPolicies": [
      {
        "PolicyName": "pinpoint-put",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:PutEvents"
              ],
              "Resource": [
                "arn:aws:mobiletargeting:*:YOUR_ORG_ID:apps/YOUR_APP_ID*"
              ]
            }
          ]
        }
      }
    ]
  },
  {
    "groupName": "Admins",
    "precedence": 2,
    "customPolicies": [
      {
        "PolicyName": "pinpoint-put",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:PutEvents"
              ],
              "Resource": [
                "arn:aws:mobiletargeting:*:YOUR_ORG_ID:apps/YOUR_APP_ID*"
              ]
            }
          ]
        }
      }
    ]
  }
]

jedwardblack avatar Aug 26 '22 00:08 jedwardblack

@jedwardblack Yup! that's how we did it.

ezeev avatar Aug 26 '22 02:08 ezeev

Hey @sergiorodriguez82 :wave: thanks for raising this and for providing those details, including the workaround! I've successfully reproduced this issue, and can confirm modifying the user-pool-group-precedence.json file with the additional policy works around the issue.

[
  {
    "groupName": "admins",
    "precedence": 1,
    "customPolicies": [
      {
        "PolicyName": "pinpoint-put",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "mobiletargeting:UpdateEndpoint",
                "mobiletargeting:PutEvents"
              ],
              "Resource": [
                "arn:aws:mobiletargeting:*:*:apps/*"
              ]
            }
          ]
        }
      }
    ]
  },
  {
    "groupName": "users",
    "precedence": 2
  }
]

Marking as a bug 🙂

josefaidt avatar Nov 30 '22 21:11 josefaidt
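
An audit of auth/user-pool-group-precedence.json for the workaround in the comments above, as an added example that is not part of the thread or of the Amplify CLI. It reports, per Cognito group, whether the group role's customPolicies allow mobiletargeting:PutEvents on the app's /events resource (the resource named in the reported error) and whether the grant reaches beyond that one app. The account ID 111122223333, the group names and the helper names are constructed; matching is simplified to Allow statements with Action and Resource only (no Deny, NotAction or Condition).

```javascript
'use strict';

// Convert an IAM wildcard pattern ("*" = any run, "?" = one character) to a RegExp.
function iamPatternToRegExp(pattern, ignoreCase) {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${body}$`, ignoreCase ? 'i' : '');
}

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Action names are matched case-insensitively, resource ARNs case-sensitively.
function statementAllows(stmt, action, resource) {
  if (stmt.Effect !== 'Allow') return false;
  return (
    asArray(stmt.Action).some((a) => iamPatternToRegExp(a, true).test(action)) &&
    asArray(stmt.Resource).some((r) => iamPatternToRegExp(r, false).test(resource))
  );
}

function groupAllows(group, action, resource) {
  return asArray(group.customPolicies).some((policy) =>
    asArray(policy.PolicyDocument && policy.PolicyDocument.Statement).some((s) =>
      statementAllows(s, action, resource)
    )
  );
}

// Returns { groupName: 'missing' | 'scoped' | 'broad' }.
function auditGroups(groups, { region, accountId, appId }) {
  const action = 'mobiletargeting:PutEvents';
  const ownEvents = `arn:aws:mobiletargeting:${region}:${accountId}:apps/${appId}/events`;
  // Constructed ARN of an unrelated app in another account, used to detect over-broad grants.
  const foreignEvents = `arn:aws:mobiletargeting:${region}:000000000000:apps/someotherapp/events`;
  const report = {};
  for (const group of groups) {
    if (!groupAllows(group, action, ownEvents)) report[group.groupName] = 'missing';
    else if (groupAllows(group, action, foreignEvents)) report[group.groupName] = 'broad';
    else report[group.groupName] = 'scoped';
  }
  return report;
}

// Helper for the constructed sample below: one customPolicies entry for a resource pattern.
const pinpointPut = (resource) => [{
  PolicyName: 'pinpoint-put',
  PolicyDocument: {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['mobiletargeting:UpdateEndpoint', 'mobiletargeting:PutEvents'],
      Resource: [resource],
    }],
  },
}];

// App ID and pinpoint region are the ones quoted in the thread; the account ID is constructed.
const TARGET = {
  region: 'us-east-1',
  accountId: '111122223333',
  appId: '4a167a45b9784eba813852e3f3c86205',
};
const APP_ARN = `arn:aws:mobiletargeting:*:${TARGET.accountId}:apps/${TARGET.appId}`;

// Constructed precedence file contents covering the cases seen in the thread.
const SAMPLE_GROUPS = [
  { groupName: 'NoPolicy', precedence: 1 },                                         // as generated by the CLI
  { groupName: 'Scoped', precedence: 2, customPolicies: pinpointPut(`${APP_ARN}*`) }, // account and app pinned
  { groupName: 'Broad', precedence: 3, customPolicies: pinpointPut('arn:aws:mobiletargeting:*:*:apps/*') },
  { groupName: 'NoTrailingStar', precedence: 4, customPolicies: pinpointPut(APP_ARN) },
];

console.log(auditGroups(SAMPLE_GROUPS, TARGET));
```

The NoTrailingStar case comes out as missing because the denied resource ends in /events, which is why the generated template and the snippets above end the ARN with a trailing *.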

I thought the issue is the same as https://github.com/aws-amplify/amplify-cli/issues/4772 and was fixed in https://github.com/aws-amplify/amplify-cli/pull/10455, but it seems the bug still exists.

Jupdi avatar Jul 07 '23 11:07 Jupdi

Agreed doesn't work still. Seems the group role isn't being used by the Analytics plugin

joekiller avatar Aug 09 '23 17:08 joekiller

For us, the problem was that we added the "Pre token generation Lambda trigger" so taking that out made it work again.

Looking at it closer, we missed that the groupOverrideDetails needed to include the request's IAM groups, so we were clobbering them off. Spreading the groupConfiguration over the overrideDetails and then including our updates fixed it up.

joekiller avatar Aug 10 '23 00:08 joekiller
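
A sketch of the Pre token generation trigger behaviour described in the comment above, as an added example; it is not the commenter's code (the screenshot is not preserved on this page) and not part of Amplify. It places an override that lists only groups beside one that spreads the request's groupConfiguration first, with a check that reports which role settings were lost. The extra group, the sample event, the account ID and all function names are constructed; the event fields follow the Cognito V1 trigger shape.

```javascript
'use strict';

// Hypothetical group the trigger wants to add; not from the thread.
const EXTRA_GROUPS = ['beta-testers'];

// The mistake described above: the override lists groups only, so the IAM
// role mapping that arrived in the request is not carried forward.
function clobberingOverride(event) {
  const current = event.request.groupConfiguration || {};
  event.response = {
    claimsOverrideDetails: {
      groupOverrideDetails: {
        groupsToOverride: [...(current.groupsToOverride || []), ...EXTRA_GROUPS],
      },
    },
  };
  return event;
}

// The fix described above: spread the request's groupConfiguration first,
// then apply only the intended change on top of it.
function preservingOverride(event) {
  const current = event.request.groupConfiguration || {};
  event.response = {
    claimsOverrideDetails: {
      groupOverrideDetails: {
        ...current,
        groupsToOverride: [...(current.groupsToOverride || []), ...EXTRA_GROUPS],
      },
    },
  };
  return event;
}

// Regression check: role settings present in the request but absent from the response.
function lostRoleSettings(event) {
  const before = event.request.groupConfiguration || {};
  const details = (event.response && event.response.claimsOverrideDetails) || {};
  const after = details.groupOverrideDetails;
  if (!after) return []; // the trigger did not override groups at all
  const lost = (before.iamRolesToOverride || []).filter(
    (arn) => !(after.iamRolesToOverride || []).includes(arn)
  );
  if (before.preferredRole && after.preferredRole !== before.preferredRole) {
    lost.push('preferredRole');
  }
  return lost;
}

// Constructed trigger event: role name from the thread, account ID and group name made up.
function sampleEvent() {
  const role = 'arn:aws:iam::111122223333:role/us-east-2_qVBo3N2qI-AdminGroupRole';
  return {
    triggerSource: 'TokenGeneration_Authentication',
    request: {
      userAttributes: {},
      groupConfiguration: {
        groupsToOverride: ['Admin'],
        iamRolesToOverride: [role],
        preferredRole: role,
      },
    },
    response: {},
  };
}

// Lambda entry point using the preserving variant.
const handler = async (event) => preservingOverride(event);
if (typeof module !== 'undefined') module.exports = { handler };

console.log('clobbering lost:', lostRoleSettings(clobberingOverride(sampleEvent())));
console.log('preserving lost:', lostRoleSettings(preservingOverride(sampleEvent())));
```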

I am experiencing a similar auth issue when configuring Amplify Analytics for Kinesis.

With Pinpoint end of support, I am curious of the urgency the Amplify team is putting behind this package, and if alternatives are recommended instead?

Otherwise, consolidating effort here to the Kinesis plugin would be reasonable to propose. In this case, #11631 needs attention.

charlieforward9 avatar Nov 14 '25 01:11 charlieforward9

> The solution was to add "customPolicies" to the auth/user-pool-group-precedence.json file.

This solved my problem.

Still curious on the status of the Analytics package in general... this issue is pretty old.

charlieforward9 avatar Nov 15 '25 21:11 charlieforward9