Amplify auth - Issue moving from sandbox to production

[vrajasekhar1]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

Amplify CLI

Environment information

# Put output below this line

  System:
    OS: macOS 14.3.1
    CPU: (8) arm64 Apple M2
    Memory: 62.11 MB / 8.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.17.0 - /usr/local/bin/node
    npm: 10.2.5 - ~/Downloads/SWDev/GitHub/MyPulse/MyPulseWeb/node_modules/.bin/npm
  Browsers:
    Chrome: 127.0.6533.88
    Safari: 17.3.1
  npmPackages:
    @ai-sdk/openai: ^0.0.9 => 0.0.9 
    @ampproject/toolbox-optimizer:  undefined ()
    @aws-amplify/datastore: ^4.7.6 => 4.7.6 
    @aws-amplify/ui-react: ^5.3.2 => 5.3.2 (4.6.4)
    @aws-amplify/ui-react-internal:  undefined ()
    @aws-amplify/ui-react-storage: ^1.2.4 => 1.2.4 
    @babel/core:  undefined ()
    @babel/runtime:  7.22.5 
    @date-io/date-fns: ^2.17.0 => 2.17.0 
    @edge-runtime/cookies:  4.1.0 
    @edge-runtime/ponyfill:  2.4.2 
    @edge-runtime/primitives:  4.1.0 
    @emotion/react: ^11.11.1 => 11.11.4 
    @emotion/styled: ^11.11.0 => 11.11.0 
    @fullcalendar/core: ^6.1.11 => 6.1.11 
    @fullcalendar/daygrid: ^6.1.9 => 6.1.9 
    @fullcalendar/interaction: ^6.1.9 => 6.1.9 
    @fullcalendar/react: ^6.1.9 => 6.1.9 
    @fullcalendar/timegrid: ^6.1.9 => 6.1.9 
    @hapi/accept:  undefined ()
    @iconify/react: ^4.1.1 => 4.1.1 
    @iconify/react/offline:  undefined ()
    @microsoft/signalr: ^8.0.0 => 8.0.0 
    @mswjs/interceptors:  undefined ()
    @mui/icons-material: ^5.14.16 => 5.14.16 
    @mui/lab: ^5.0.0-alpha.152 => 5.0.0-alpha.152 
    @mui/material: ^5.14.20 => 5.15.15 
    @mui/x-data-grid: ^6.18.1 => 6.18.1 
    @mui/x-data-grid-generator: ^6.18.1 => 6.18.1 
    @mui/x-date-pickers: ^6.18.3 => 6.18.3 
    @napi-rs/triples:  undefined ()
    @next/font:  undefined ()
    @next/react-dev-overlay:  undefined ()
    @opentelemetry/api:  undefined ()
    @react-google-maps/api: ^2.19.2 => 2.19.2 
    @reduxjs/toolkit: ^1.9.7 => 1.9.7 
    @reduxjs/toolkit-query:  1.0.0 
    @reduxjs/toolkit-query-react:  1.0.0 
    @swc/cli: ^0.1.63 => 0.1.63 
    @swc/core: ^1.3.101 => 1.3.103 
    @vercel/analytics: ^1.1.2 => 1.1.2 
    @vercel/nft:  undefined ()
    @vercel/og:  0.6.2 
    @vercel/speed-insights: ^1.0.8 => 1.0.8 
    acorn:  undefined ()
    agora-extension-ai-denoiser: ^1.1.0 => 1.1.0 
    agora-rtc-react: ^2.1.0 => 2.1.0 
    agora-rtc-sdk-ng: ^4.20.0 => 4.20.0 
    ai: ^3.1.1 => 3.1.1 
    amphtml-validator:  undefined ()
    anser:  undefined ()
    arg:  undefined ()
    assert:  undefined ()
    async-retry:  undefined ()
    async-sema:  undefined ()
    aws-amplify: ^5.3.12 => 5.3.12 
    aws-sdk: ^2.1644.0 => 2.1540.0 
    axios: ^1.6.2 => 1.6.2 (0.27.2, 1.6.0)
    babel-packages:  undefined ()
    browserify-zlib:  undefined ()
    browserslist:  undefined ()
    buffer:  undefined ()
    bytes:  undefined ()
    chart.js: ^4.4.1 => 4.4.1 
    chart.js-auto:  undefined ()
    chart.js-helpers:  undefined ()
    chartjs-adapter-moment: ^1.0.1 => 1.0.1 
    ci-info:  undefined ()
    cli-select:  undefined ()
    client-only:  0.0.1 
    comment-json:  undefined ()
    compression:  undefined ()
    conf:  undefined ()
    constants-browserify:  undefined ()
    content-disposition:  undefined ()
    content-type:  undefined ()
    cookie:  undefined ()
    cross-spawn:  undefined ()
    crypto-browserify:  undefined ()
    css.escape:  undefined ()
    d3: ^7.8.5 => 7.8.5 
    data-uri-to-buffer:  undefined ()
    date-fns: ^2.30.0 => 2.30.0 (1.30.1)
    date-fns-timezone: ^0.1.4 => 0.1.4 
    date-fns-tz: ^2.0.0 => 2.0.0 
    debug:  undefined ()
    devalue:  undefined ()
    domain-browser:  undefined ()
    edge-runtime:  undefined ()
    events:  undefined ()
    express: ^4.18.3 => 4.18.3 
    find-cache-dir:  undefined ()
    find-up:  undefined ()
    fresh:  undefined ()
    get-orientation:  undefined ()
    glob:  undefined ()
    globby: ^14.0.0 => 14.0.0 
    gzip-size:  undefined ()
    http-proxy:  undefined ()
    http-proxy-agent:  undefined ()
    https-browserify:  undefined ()
    https-proxy-agent:  undefined ()
    icss-utils:  undefined ()
    ignore-loader:  undefined ()
    image-size:  undefined ()
    install: ^0.13.0 => 0.13.0 
    is-animated:  undefined ()
    is-docker:  undefined ()
    is-wsl:  undefined ()
    jest-worker:  undefined ()
    json5:  undefined ()
    jsonwebtoken:  undefined ()
    loader-runner:  undefined ()
    loader-utils:  undefined ()
    lodash.curry:  undefined ()
    lru-cache:  undefined ()
    micromatch:  undefined ()
    mini-css-extract-plugin:  undefined ()
    moment-timezone: ^0.5.43 => 0.5.44 
    mui-one-time-password-input: ^2.0.2 => 2.0.2 
    nanoid:  undefined ()
    native-url:  undefined ()
    neo-async:  undefined ()
    next: ^14.1.3 => 14.1.3 
    node-fetch:  undefined ()
    node-html-parser:  undefined ()
    npm: ^10.2.5 => 10.2.5 
    numeral: ^2.0.6 => 2.0.6 
    ora:  undefined ()
    os-browserify:  undefined ()
    p-limit:  undefined ()
    parallax-js: ^3.1.0 => 3.1.0 
    path-browserify:  undefined ()
    platform:  undefined ()
    postcss-flexbugs-fixes:  undefined ()
    postcss-modules-extract-imports:  undefined ()
    postcss-modules-local-by-default:  undefined ()
    postcss-modules-scope:  undefined ()
    postcss-modules-values:  undefined ()
    postcss-preset-env:  undefined ()
    postcss-safe-parser:  undefined ()
    postcss-scss:  undefined ()
    postcss-value-parser:  undefined ()
    process:  undefined ()
    punycode:  undefined ()
    querystring-es3:  undefined ()
    raw-body:  undefined ()
    react: ^18 => 18.2.0 
    react-builtin:  undefined ()
    react-chartjs-2: ^5.2.0 => 5.2.0 
    react-dom: ^18 => 18.2.0 
    react-dom-builtin:  undefined ()
    react-dom-experimental-builtin:  undefined ()
    react-experimental-builtin:  undefined ()
    react-hook-form: ^7.48.2 => 7.48.2 
    react-is:  18.2.0 
    react-phone-number-input: ^3.3.7 => 3.3.7 
    react-phone-number-input/commonjs:  undefined ()
    react-phone-number-input/core:  undefined ()
    react-phone-number-input/flags:  undefined ()
    react-phone-number-input/input-core:  undefined ()
    react-phone-number-input/input-max:  undefined ()
    react-phone-number-input/input-min:  undefined ()
    react-phone-number-input/input-mobile:  undefined ()
    react-phone-number-input/max:  undefined ()
    react-phone-number-input/min:  undefined ()
    react-phone-number-input/mobile:  undefined ()
    react-phone-number-input/react-hook-form:  undefined ()
    react-phone-number-input/react-hook-form-core:  undefined ()
    react-phone-number-input/react-hook-form-input:  undefined ()
    react-phone-number-input/react-hook-form-input-core:  undefined ()
    react-phone-number-input/react-native-input:  undefined ()
    react-phone-number-input/react-styleguidist:  undefined ()
    react-redux: ^8.1.3 => 8.1.3 
    react-refresh:  0.12.0 
    react-responsive-carousel: ^3.2.23 => 3.2.23 
    react-server-dom-turbopack-builtin:  undefined ()
    react-server-dom-turbopack-experimental-builtin:  undefined ()
    react-server-dom-webpack-builtin:  undefined ()
    react-server-dom-webpack-experimental-builtin:  undefined ()
    react-slick: ^0.29.0 => 0.29.0 
    react-spring: ^9.7.3 => 9.7.3 
    reactflow: ^11.10.4 => 11.10.4 
    regenerator-runtime:  0.13.4 
    sass-loader:  undefined ()
    scheduler-builtin:  undefined ()
    scheduler-experimental-builtin:  undefined ()
    schema-utils:  undefined ()
    semver:  undefined ()
    send:  undefined ()
    server-only:  0.0.1 
    setimmediate:  undefined ()
    sharp: ^0.33.2 => 0.33.2 
    shell-quote:  undefined ()
    simplebar-react: ^3.2.4 => 3.2.4 
    socket.io: ^4.7.5 => 4.7.5 
    socket.io-client: ^4.7.2 => 4.7.2 (4.4.0)
    source-map:  undefined ()
    speed-measure-webpack-plugin: ^1.5.0 => 1.5.0 
    stacktrace-parser:  undefined ()
    stream-browserify:  undefined ()
    stream-http:  undefined ()
    string-hash:  undefined ()
    string_decoder:  undefined ()
    strip-ansi:  undefined ()
    superstruct:  undefined ()
    swiper: ^11.0.5 => 11.0.5 
    tar:  undefined ()
    terser:  undefined ()
    text-table:  undefined ()
    timers-browserify:  undefined ()
    tty-browserify:  undefined ()
    ua-parser-js:  undefined ()
    unistore:  undefined ()
    util:  undefined ()
    vm-browserify:  undefined ()
    watchpack:  undefined ()
    web-vitals:  undefined ()
    webpack:  undefined ()
    webpack-sources:  undefined ()
    ws: ^8.16.0 => 8.16.0 (7.5.9, 8.11.0, , 6.2.2)
    xlsx: ^0.18.5 => 0.18.5 
    zod:  undefined ()
  npmGlobalPackages:
    @aws-amplify/cli: 12.11.1
    corepack: 0.18.0
    eas-cli: 10.2.1
    npm: 10.2.4

Describe the bug

We are building a solution with Amplify as backend, where users signup using their mobile number.

await Auth.signUp({
            username: username,
            password: formState.password,
            attributes: attributes
          });

Upon signup, Cognito sends a verification code to user’s mobile number and we confirm the signup upon submitting the verification code.

await Auth.confirmSignUp(username, verificationCode);

We have setup Amplify backend for this and we are able to send SMS to verified mobile numbers(with SNS mode as Sandbox). Now we wanted to move to production, so that we can send SMS to any phone number.

We created a support case to exit from SMS Sandbox and move to production. Support case has been approved and SNS console shows our account has production access now. However, Amplify Auth still shows SNS mode as Sandbox and we are unable to send SMS to unverified phone numbers.

Please note, we have registered with DLT in India and have valid Entity ID, Sender ID and Template ID. SNS Console clearly shows our account has production access and we are able to successfully send SMS from SNS console to any unverified phone numbers using our Sender ID, but with Amplify we are unable to send SMS.

While publishing SMS using SMS Console, we specify our Entity ID, Sender ID, Template ID and SMS is delivered successfully.
With Amplify, where do we specify these values to send SMS and how Cognito would map these values? Programatically all we do is, Auth.signUp(). Cognito User Pool have message Templates and Pinpoint captured Sender IDs, but no idea how/where these Message Templates are mapped to our Entity ID, Sender ID, Template ID. Without this mapping SMS won’t be sent obviously.

It would be good if there is a clear documentation from Amplify how to configure everything(Cognito/SNS/Pinpoint) to make this work. We are literally blocked moving to production on this, though functionality works fine in dev environment and all external aspects with DLT are taken care.

Expected behavior

SNS console clearly shows our account moved to production, but Amplify shows SNS mode as sandbox.
Expected behaviour: Amplify should SNS mode as production.

Amplify/Cognito fails to deliver SMS verification code when user signup with mobile number.
Expected behaviour: Should deliver SMS using our Entity ID, Sender ID and Template ID.

Amplify documentation is not clear where we need to capture Entity ID, Sender ID, Template ID and how they are mapped/used to send SMS.
Expection: Clear documentation from Amplify helps.

Reproduction steps

Create Amplify backend and add auth
Auth to have phone number based authentication
Users signup and Amplify/Cognito sends SMS verification code
Upon submitting the verification code, user account gets confirmed
(All of this works in dev env / sandbox mode)
Create a support case to exit from Sandbox
SNS console shows our account has production access now
In SNS console, use Publish SMS to send SMS using our Entity ID, Sender ID and Template ID
SMS gets delivered with our Sender ID
Now try User signup using Amplify and SMS won’t get delivered

Code Snippet

// Put your code below this line.

// Code is not that complicated. All we do is Auth.signup()
// More over it works fine in sandbox mode. The issue is with moving to production
await Auth.signUp({
            username: username,
            password: formState.password,
            attributes: attributes
   });

Log output

// Put your logs below this line

// No errors detected. Except that SMS is not delivered.

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hello, @vrajasekhar1 👋 and thanks for creating this issue after stopping by our Discord Office Hours. Want to confirm a few things to better understand how the app has been set up so we can get to the root cause of the issue here. Is your support case still ongoing and can you provide the case id # (just in case there's relevant information I can look into)? Also, can you check in the Cognito console to see if you have only 1 App Client ID under Cognito Console > User Pools > Your App's User Pool > App Integration Tab > Scroll to bottom to see the "App Client List"?

[vrajasekhar1]

Hi Chris,
There are two app client IDs in my list. One for app_client and other one for app_clientWeb.
The support case that I have created is resolved. The case ID is 172025859400801.

Thanks.

[vrajasekhar1]

Hi Chris, any further update on this please? This issue is blocking us moving to production. Please let me know if any further info required from my side. Thank you so much for taking care of this issue.

[cwomack]

@vrajasekhar1, I haven't been able to reproduce this on my own apps that I've moved from dev to prod. Can you check to see if within your user pool in the Cognito console to see if the SNS phone number is registered with an associated ARN? And on the SNS side of things, is the phone number still showing that it's in "sandbox mode"? Or has the phone number been fully "verified" at this point? Here's a couple of links that could help determine this:

• Verify phone numbers for Amazon Cognito in Amazon SNS
• Moving out of the SMS sandbox

[vrajasekhar1]

Hi Chris,
Thanks for the update.

Moving out of the SMS sandbox
This is taken care. Our SNS console says “This account has production access in the Asia Pacific (Mumbai)”

Verify phone numbers for Amazon Cognito in Amazon SNS
We did this when we were in SNS sandbox mode and we were able to send messages to verified phone numbers successfully. Since we moved to production, verifying a phone numbers is not required now.

Can you check to see if within your user pool in the Cognito console to see if the SNS phone number is registered with an associated ARN?
I do not find an option where SNS phone number is registered with Cognito user pool ARN. Where can I find this option and what SMS phone number we need to provide? In India, we send SMS using a registered Sender ID.

And on the SNS side of things, is the phone number still showing that it's in "sandbox mode"? Or has the phone number been fully "verified" at this point?
We verified few phone numbers while in sandbox mode and we were able to send SMS to verified phone numbers.

Following is more detail about what we have in different consoles.

Cognito User pool console:
I have set the SNS region correctly
I have updated Message Templates as per our approved Templates in DLT

SNS Console:
Status says: This account has production access in the Asia Pacific (Mumbai). You can deliver SMS messages to any phone number.
Using publish SMS option here, we are able to send SMS message to unverified phone numbers using our registered Entity ID, Sender ID and registered message Template.

AWS End User Messaging Console:
Showing list of our registered Sender IDs.

Now my questions / confusions are

1. Amplify Auth/Cognito are failing to recognise though we moved to production? What needs to be done for Cognito to recognise that we moved to production?
2. Cognito user pool console has message templates and End User Messaging Console has list of registered Sender IDs. Where exactly are we mapping message templates to Sender IDs? Without this mapping, how Cognito will know which Sender ID to use while sending message?
3. Without giving Entity ID, we can not send SMS, but I do not find an option to specify Entity ID anywhere. Where exactly Entity ID is maintained? And How Amplify Auth/Cognito uses this info?

Everything seems unclear and there is no proper documentation how Cognito works when we move SNS to production.
We have everything handy to send SMS(Registered Entity ID, Sender IDs and Templates) and we are able to send SMS manually using SNS console, but can not send SMS using Amplify Auth/Cognito. Amplify still shows SNS in sandbox mode.

We can show our env in a remote session incase that helps. Please let me know.

Thanks,
Rajasekhar.

[josefaidt]

Hey @vrajasekhar1 👋 can you share how you have your backend auth resource configured?

[vrajasekhar1]

Hi @josefaidt,
Attached cli-inputs.json from amplify/backend/auth folder, which shows how we configured our Amplify auth backend. cli-inputs.json. Please let me know if any other details required. Thanks.

[josefaidt]

Hey @vrajasekhar1 thanks for posting that! do you have an override applied to configure Cognito with the SNS resource?
https://docs.amplify.aws/gen1/react/build-a-backend/auth/override-cognito/

The override would allow you to conditionally apply the SNS config depending on the env you are deploying to, and exposes the CloudFormation resource being generated by auth. On the user pool resource you can set the SmsConfiguration property https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-smsconfiguration

[vrajasekhar1]

Hi @josefaidt
We have not applied any override for SNS resources. It's just the default configuration that comes with Amplify.

Just couple of changes we have done in Cognito user pool console are:

1. We have Changed the SNS region associated with our user pool. By default it was set to Asia Pacific (Singapore) and we changed that to Asia Pacific (Mumbai) as our account has production access in Asia Pacific (Mumbai) region.
2. We have changed the format of the verification message to match our message template registered with DLT.

Thanks,
Rajasekhar.

[vrajasekhar1]

@josefaidt Are you saying we will have to override SNS resources to make this work? Does this not work with default configuration provided by Amplify? Can we do a quick remote session so that you can take a look at our env and suggest what steps we can take? Thanks.

[josefaidt]

Hey @vrajasekhar1 thanks for clarifying! Changes made in the console may be removed on the next push of your resource. This is typically dependent on the type of change and whether the CloudFormation template generated by Amplify that describes the resource configuration has a default value set for this property. To maintain the reference to your SNS resource across subsequent deployments and/or other environments you can override the auth configuration generated by Amplify. By default the SmsConfiguration is not populated, but can be authored to reference your existing SNS resource using CDK

[vrajasekhar1]

Hi @josefaidt We have applied override with SmsConfiguration and did amplify push. It has updated SNS region in Cognito console to ap-south-1 as per override configuration. However, no change in the SMS functionality. Amplify Auth SNS mode is still set to sandbox and we still can not send SMS to unverified phone numbers.

Please advise how to move forward on this. Somehow Cognito does not recognise that we have production access in the given region. Please let me know if we can do a quick remote session to resolve this. Thanks.

[josefaidt]

Hey @vrajasekhar1 is the sandbox mode displaying in the SNS console or the Cognito console?

[vrajasekhar1]

Hi @josefaidt

Our SNS Console shows:
This account has production access in the Asia Pacific (Mumbai).
You can deliver SMS messages to any phone number.

However, Amplify Studio console and Cognito console show that we are still in sandbox mode.
Attached the screenshots for the same.

Please Note:
We have already increased the spending limit in the given AWS region and have registered Sender IDs.

[josefaidt]

Hey @vrajasekhar1 thanks for clarifying! can you verify whether the originating identity is verified in your SNS console? the configuration looks fine

[vrajasekhar1]

Hi @josefaidt
For India, we use Sender ID as Originator type and we already have registered Sender IDs provisioned in AWS End User Messaging console. Am I missing something?

I guess we are missing something trivial or there is some uncovered bug with Cognito/SNS. A quick remote session of 10-15 mins would really help and saves lot of time. Can we do a quick remote session today if possible? I am available on discord.

Thanks.

[vrajasekhar1]

Hi @josefaidt ,
Any update on this bug please? Is there anything I can do to expedite this. Please let me know.

Thanks.

[josefaidt]

Hey @vrajasekhar1 can you confirm whether the appropriate SnsRegion is configured in your auth override? https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SmsConfigurationType.html

For optimal results it is recommended to use the same region as your user pool https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html#sms-choose-a-region

[vrajasekhar1]

Hi @josefaidt
I have already confirmed that correct SnsRegion is configured with auth override. I have also shared the screenshot of Cognito console which shows correct SnsRegion.

Thanks.

[josefaidt]

Hey @vrajasekhar1 thanks for clarifying. The configuration appears correct. Would you mind reaching out to AWS Support for more insight into the cross-region configuration with Cognito and SNS? https://aws.amazon.com/contact-us/

[vrajasekhar1]

Hi @josefaidt Could you please share your observations/findings about this bug so far? To my knowledge, we followed all steps as per the documentation and Amplify still does not recognise that SNS is in production mode, isn’t it supposed to be a bug that needs to be fixed?

[cwomack]

@vrajasekhar1, our Discord server (where I think you started this conversation/issue from) may be a better route for doing a screenshare or follow up. But were you able to reach out to the AWS Support team on this yet? I think you're spot on that our documentation will only take you so far into getting the SNS account ready for production, and then we rely on/link the Pinpoint docs directly here.

I ask because this may be something that we can't impact much on the Amplify side.

[vrajasekhar1]

Hi Chris,
Initially I started discussing this issue on discard and you asked me to create a bug. However, we could not make much progress on this. Hence we are thinking whether to continue with Amplify or something else.

Please note, we did follow everything as per SNS & Pinpoint documentation and we are able to send SMS using SNS console, but Amplify still shows SNS mode as sandbox and can not send SMS to unverified phone numbers.

Assuming there is a dependency issue with SNS/Pinpoint and Amplify does not work as expected, do you still track the issue with Amplify and ensure issue gets resolved OR you would simply redirect the customers to work with other teams? Just trying to understand the protocol.

[cwomack]

@vrajasekhar1, there are some steps in the SNS and Pinpoint setup process that we don't have fully documented on the Amplify side in the event that the Pinpoint documentation or steps change. However, we've heard similar frustrations in the past on getting numbers set up for production when going through this flow. Can you send me a DM on our Discord server so that we can set up a day/time to review this on a call? Don't want you to share any contact information publicly on the Github repo here.

I'll also be marking this issue as a documentation feature request to ensure the docs and process for setting up the SNS account is thorough and reviewed again in full detail.

[vrajasekhar1]

@cwomack , thanks for checking this. I have sent you a DM on discord. We can connect anytime thats convenient for you.