Amazon Cognito "A client attempted to write unauthorized attribute"

Javascript, Amazon Web-Services, Amazon Cognito

Javascript Problem Overview


I'm using the JavaScript SDK for AWS Cognito, and there are a couple of custom attributes that I just can't seem to save to and can't see why.

The problem attributes are mutable string fields as follows:

custom:role
custom:recruitingrole
custom:title

Other custom fields in the same request seem to update OK. Specifically, these ones seem to work:

custom:division
custom:linkedin
custom:location
custom:bio

When I submit via the SDK, this is returned:

{"__type":"NotAuthorizedException","message":"A client attempted to write unauthorized attribute"}

Here is the data that is sent, as shown in the Chrome developer console network output:

{
	"AccessToken": "",
	"UserAttributes": [{
		"Name": "name",
		"Value": "Steve Austin"
	}, {
		"Name": "custom:company",
		"Value": "OSI"
	}, {
		"Name": "custom:division",
		"Value": "Bionics"
	}, {
		"Name": "custom:recruitingrole",
		"Value": "other"
	}, {
		"Name": "custom:linkedin",
		"Value": "http://www.linkedin.com"
	}, {
		"Name": "custom:location",
		"Value": "Mexico City, Mexico City, Mexico"
	}, {
		"Name": "custom:bio",
		"Value": "A man barely alive."
	}]
}

Can anyone suggest why I can't save to these attributes?

thanks

Javascript Solutions


Solution 1 - Javascript

Of course the answer became clear the moment I finished posting on StackOverflow.

The problem was that I had not set permissions for these attributes in the app associated with the user pool. The documentation should make this requirement clear where it discusses custom attributes.


Solution 2 - Javascript

Just highlighting the answer from @mvandillen:

General settings -> App clients -> Show details -> Set attribute read and write permissions link

Solution 3 - Javascript

For anyone that stumbles upon this question:

Like the others suggested, you should enable the writable attributes. But if that doesn't work, make sure you use the custom: prefix:

import { Auth } from 'aws-amplify';

// Custom attributes are passed with the custom: prefix
await Auth.signUp({
  username: email,
  password: password,
  attributes: {
    'custom:firstName': firstName,
    'custom:lastName': lastName,
    'custom:countryCode': countryCode
  }
});

Solution 4 - Javascript

Using Amazon.Extensions.CognitoAuthentication in ASP.NET Core, you have to add:

var user = _pool.GetUser(model.Email);
user.Attributes.Add("name", model.Name);

Here name is the custom attribute.

Solution 5 - Javascript

My case is a bit different. I am using Amplify angular component and I don't have any custom attributes (standard email login type).

It turns out that the key of the sign-up fields is case-sensitive. For the uppercase 'Email' key, I will see the error. Below is the sign-up configuration:

emailSignUpConfig = {
        header: 'Sign up header',
        hideAllDefaults: true,
        defaultCountryCode: '1',
        signUpFields: [
            {
                label: 'Email',
                key: 'email', //the email should be in lower case
                required: true,
                displayOrder: 1,
                type: 'string',
            },
            {
                label: 'Password',
                key: 'password',
                required: true,
                displayOrder: 2,
                type: 'password',
            },
        ],
    };

Solution 6 - Javascript

After enabling writeable attributes, this is what works for me

    const user = {
      username: this.username,
      password: this.password,
      attributes: {
        email: this.email,
        'custom:field1': this.field1,
        'custom:field2': this.field2,
        'custom:field3': this.field3
      }
    };

OR

    const user = {
      username: this.username,
      password: this.password,
      email: this.email,
      attributes: {
        'custom:field1': this.field1,
        'custom:field2': this.field2,
        'custom:field3': this.field3
      }
    };

Solution 7 - Javascript

I would just like to add to the list regarding Android and Amplify's Auth lib. Along with enabling custom roles as specified above via AWS Console (General settings -> App clients -> Show details -> Set attribute read and write permissions link) you need to specify that the custom role under AuthUserAttributeKey.custom() has the string custom: prepended to your custom field. My assumption was that this would be excluded given the function call name. A little misleading but I hope this helps someone else out there.

TLDR;

Changed this:

AuthUserAttributeKey.custom("role");

to:

AuthUserAttributeKey.custom("custom:role");

Solution 8 - Javascript

In my case the issue was in accessing the variable with an incorrect name. To sum up, my steps were the following.

  1. Add attribute: General settings -> Attributes -> Add custom attribute link

  2. Ensure you set read/write permissions: General settings -> App clients -> Show details -> Set attributes permissions link

  3. Do not forget to access your variable with the correct name. For example, if your variable is named 'foo' you should get it as 'custom:foo' like below.

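A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original question or answers: it compares the attribute names in an UpdateUserAttributes payload with the app client's writable attributes (the WriteAttributes list that DescribeUserPoolClient returns) and reports why each rejected name fails. The function names and the sample writable list are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Sample data below is constructed.

// Shape of UserPoolClient.WriteAttributes from DescribeUserPoolClient;
// this list mirrors the question: custom:recruitingrole was never enabled.
const sampleWriteAttributes = [
  'name', 'email', 'custom:company', 'custom:division',
  'custom:linkedin', 'custom:location', 'custom:bio',
];

// Attribute names and values from the payload shown in the question.
const samplePayload = {
  UserAttributes: [
    { Name: 'name', Value: 'Steve Austin' },
    { Name: 'custom:company', Value: 'OSI' },
    { Name: 'custom:division', Value: 'Bionics' },
    { Name: 'custom:recruitingrole', Value: 'other' },
    { Name: 'custom:linkedin', Value: 'http://www.linkedin.com' },
    { Name: 'custom:location', Value: 'Mexico City, Mexico City, Mexico' },
    { Name: 'custom:bio', Value: 'A man barely alive.' },
  ],
};

// Classify one attribute name against the client's writable list.
function classifyAttribute(name, writeAttributes) {
  if (writeAttributes.includes(name)) return { name, status: 'ok' };
  const sameIgnoringCase = (a, b) => a.toLowerCase() === b.toLowerCase();
  // Attribute names are case-sensitive: 'Email' is not 'email' (Solution 5).
  const cased = writeAttributes.find((w) => sameIgnoringCase(w, name));
  if (cased) return { name, status: 'case-mismatch', use: cased };
  // Custom attributes are addressed as 'custom:<name>' (Solutions 3, 7, 8).
  const prefixed = writeAttributes.find((w) => sameIgnoringCase(w, `custom:${name}`));
  if (prefixed) return { name, status: 'missing-prefix', use: prefixed };
  // Otherwise the app client has no write permission for it (Solutions 1, 2).
  return { name, status: 'not-writable' };
}

// Return the attributes the client may not write under the names given.
function findRejectedAttributes(payload, writeAttributes) {
  return payload.UserAttributes
    .map((attr) => classifyAttribute(attr.Name, writeAttributes))
    .filter((result) => result.status !== 'ok');
}

console.log(findRejectedAttributes(samplePayload, sampleWriteAttributes));
```

A `not-writable` result is resolved in the app client's attribute write permissions described in Solutions 1 and 2; that permission lets any signed-in user of the client change the attribute on their own profile, which matters for values such as custom:role that an application may use for authorization.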

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Duke Dougal | View Question on Stackoverflow
Solution 1 - Javascript | Duke Dougal | View Answer on Stackoverflow
Solution 2 - Javascript | Martin Rázus | View Answer on Stackoverflow
Solution 3 - Javascript | Christiaan Maks | View Answer on Stackoverflow
Solution 4 - Javascript | Adrita Sharma | View Answer on Stackoverflow
Solution 5 - Javascript | steamfood | View Answer on Stackoverflow
Solution 6 - Javascript | Jemil Oyebisi | View Answer on Stackoverflow
Solution 7 - Javascript | Trayson Keli'i | View Answer on Stackoverflow
Solution 8 - Javascript | Elmatsidis Paul | View Answer on Stackoverflow