How do I troubleshoot common errors with the import process in Amazon Cognito?

Last updated: 2022-12-23

I want to troubleshoot common errors with the import process in Amazon Cognito.

Short description

The following are common errors associated with the Amazon Cognito import process:

User migration AWS Lambda trigger import errors:

  • AccessDeniedException
  • UserCodeSyntaxError
  • ResourceNotFoundException
  • ImportModuleError

CSV file import errors:

  • Unexpected headers
  • Failed/skipped user
  • Import job expired
  • Invalid attribute value
  • CloudWatch Logs role missing permission

Resolution

When you use a CSV file or a Lambda trigger to import in Amazon Cognito, the errors are logged in Amazon CloudWatch Logs. See and search for these errors in your AWS account.

User migration Lambda trigger import errors

AccessDeniedException:

This error is logged when the Lambda role is missing an AWS Identity and Access Management (IAM) permission to perform an Amazon Cognito action. For example, AdminInitiateAuth. The AccessDeniedException error looks similar to the following:

An error occurred (AccessDeniedException) when calling the AdminInitiateAuth operation: User: arn:aws:sts::ACCOUNT_ID:assumed-role/TestingMigration-role/TestingMigration is not authorized to perform: cognito-idp:AdminInitiateAuth on resource: arn:aws:cognito-idp:eu-central-1:ACCOUNT_ID:userpool/eu-central-1_YYYYOOOO
    because no identity-based policy allows the cognito-idp:AdminInitiateAuth action

To resolve the AccessDeniedException error, do the following:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles and find the Lambda execution role.
  3. Choose the Permissions tab for the IAM role.
  4. Expand the permissions policy to view the permissions associated with the user.
  5. Make sure that the policy includes the following parameters:
    cognito-idp:AdminInitiateAuth in the Actions list
    Allow for Effect.
  6. If the policy doesn't include the parameters, then update the policy to include them.
    -or-
    Create a new policy that follows the parameters, and attach the policy to the IAM role. For more information, see Editing customer managed policies (console).

UserCodeSyntaxError:

This error is logged when there's a code issue found in your Lambda code. For example, an indentation issue.

The UserCodeSyntaxError error looks similar to the following:

[ERROR] Runtime.UserCodeSyntaxError: Syntax error in module 'lambda_function': unexpected indent

To resolve this error, make sure to check for the correct syntax usage in your code.

ResourceNotFoundException:

This error is logged when a resource referenced in your Lambda code isn't found in your AWS account or AWS Region. For example, an Amazon Cognito app client.

The ResourceNotFoundException error looks similar to the following:

[ERROR] ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the AdminInitiateAuth operation: User pool client 52rXXXXXXXXXXXXXXXXXXge does not exist.

To resolve this error, confirm that the resource in question exists in your AWS account and Region. Then, confirm that you've specified the ID, name, or Amazon Resource Name (ARN) in your Lambda code correctly.

ImportModuleError:

This error is logged when you try to import or reference a module that doesn't exist in your Lambda code.

The ImportModuleError error looks similar to the following:

[ERROR] Runtime.ImportModuleError: Unable to import module 'lambda_function': No module named lambda_function

To resolve this error, confirm that the module that you're trying to import in your code doesn't include any typos or non-existent module references.

CSV file import errors

Unexpected headers:

This error is logged when there's an issue with missing or wrongly formatted headers specified in your CSV file.

The Unexpected headers error looks similar to the following:

The header in the CSV file does not match the expected headers. Use the GetCSVHeader API to get the expected headers.

To resolve this error, do the following:

Get a list of the correct headers by running the following command, where USER_POOL_ID is the user pool into which you'll import users:

aws cognito-idp get-csv-header --user-pool-id "USER_POOL_ID"

You also can download the CSV file header using the Amazon Cognito console. For more information, see Downloading the CSV file header (console).

Failed or skipped user:

This error is logged when there's an issue with duplicate user references, or when required fields are missing in your CSV file. For example, email_verified or cognito:mfa_enabled.

The Failed or skipped user error looks similar to the following:

Too many users have failed or been skipped during the import.

To resolve this error, make sure to remove duplicate users from the CSV file, and make sure that required attributes are specified. For more information, see Creating the user import CSV file.

Import job expired:

This error is logged when you create a job, but don't start the job within 24–48 hours.

The Import job expired error looks similar to the following:

The user import job has expired.

To resolve this issue, start a user import job with the following command:

aws cognito-idp start-user-import-job --user-pool-id "USER_POOL_ID" --job-id "JOB_ID"

You also can start the job using the Amazon Cognito console. For more information, see Importing users from a CSV file (console).

Note: Only one import job can be active at a time for each account.

Invalid attribute value:

This error indicates that an invalid value has been specified for an attribute in your CSV file.

The Invalid Attribute value error looks similar to the following:

The User Record contains an invalid value for [attribute].

To resolve this issue, check the values specified for the attribute. For more information about attribute values, such as the proper format for phone numbers, see User pool attributes.

CloudWatch Logs role missing permission:

This error indicates that the CloudWatch Logs role specified for the CSV import process has one of the following issues:

  • Missing permissions, such as create log group or streams.
  • Trust relationship policy with a principal that's not valid.

The CloudWatch Logs role missing permission error looks similar to the following:

The configured CloudWatch Logs role is missing permissions or has an invalid trust policy.

To resolve this issue, make sure you have identity permissions allowed for CloudWatch actions. Also, make sure that cognito-idp.amazonaws.com is allowed as the service principal in the trust relationship policy. For more information, see Creating the CloudWatch Logs IAM role.


Did this article help?


Do you need billing or technical support?