cognito: The provider Google does not exist for User Pool eu-west_xxxx

[revmischa]

When I deploy a stack for the first time with a UserPoolIdentityProviderGoogle resource and a client with UserPoolClientIdentityProvider.GOOGLE as a supportedIdentityProvider, I get an error:

The provider Google does not exist for User Pool eu-west-1_D4Lw3qvRK.

If I remove GOOGLE from supportedIdentityProviders the first deployment and then uncomment it after the pool is deployed all works smoothly.

Reproduction Steps

 this.userPool = new UserPool(this, "Pool", {
      userPoolName: stackName,
 })

  const supportedIdentityProviders = [UserPoolClientIdentityProvider.COGNITO]

    if (googleClientId) {
      const googleClientSecret = secrets.getSecretValue("googleOAuth")
      new UserPoolIdentityProviderGoogle(this, "Google", {
        clientId: googleClientId,
        clientSecret: googleClientSecret,
        scopes: ["profile", "email", "openid"],
        attributeMapping: {
          profilePicture: ProviderAttribute.GOOGLE_PICTURE,
          email: ProviderAttribute.GOOGLE_EMAIL,
          fullname: ProviderAttribute.GOOGLE_NAME,
        },
        userPool: this.userPool,
      })
      supportedIdentityProviders.push(UserPoolClientIdentityProvider.GOOGLE) // <-- I have to comment this out on the first deployment
    }

    // create client ID for web app
    // we need valid redirect paths
    const signInPath = "/tmp"
    const signOutPath = "/tmp"
    const hosts = [
      "http://localhost:6010",
    ]
    const webClient = this.userPool.addClient("platform-web", {
      supportedIdentityProviders,
      oAuth: {
        callbackUrls: hosts.map((h) => h + signInPath),
        logoutUrls: hosts.map((h) => h + signOutPath),
      },
    })

What did you expect to happen?

Create the pool and client

What actually happened?

Pool created but client fails

Environment

• **CDK CLI Version :1.115.0
• Framework Version:
• Node.js Version: 14
• OS :
• **Language (Version):TS latest

Other

---

This is 🐛 Bug Report

[jumic]

Seems to be similar to issue #15692.

You have to add the dependency between the IdentityProvider and the WebClient manually.

const provider = new UserPoolIdentityProviderGoogle(this, "Google", {
// ...

Specify dependency:

webClient.node.addDependency(provider);

After this change, the IdentityProvider will be deployed first. Then, the WebClient will be created. The deployment will not fail anymore because it can find the referenced IdentityProvider (which is created before).

--> As already proposed in #15692, this solution should be added to the documentation.

[nija-at]

I've re-opened the original issue - #15692

Closing this as duplicate.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[nija-at]

I take my previous comment back. While they do look the same, it seems they're slightly different issues.

If both the user pool identity provider and client are associated with the same user pool, they will depend on each other.

@revmischa - can you provide the snippet of the CloudFormation template that gets synthesized, specifically the resources of type AWS::Cognito::UserPoolIdentityProvider?

[revmischa]

I think webClient.node.addDependency(provider) was what I needed, haven't had any issues since then. Thanks for the help!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.