
Amplify gen2 - User added to default Group by, assumes only Group Role, does not assume amplifyAuthauthenticatedUser Role #1985

Closed
sevuganhari opened this issue Sep 8, 2024 · 2 comments
Labels: duplicate (This issue or pull request already exists), pending-triage (Incoming issues that need categorization)

Comments


How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

21.6.2

Amplify CLI Version

12.9.0

What operating system are you using?

mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Describe the bug

Using Amplify Gen2.
User signup flow: the post-confirmation function adds the user to the "DEFAULTGROUP" group.
On AWS IAM, there is a group IAM Role that's created.
There is also an amplifyAuthauthenticatedUser IAM Role that exists.

In AWS Storage, we have an access rule that lets the user read/write/delete their own files:
'upload-user/{entity_id}/*': [
  allow.entity('identity').to(['read', 'write', 'delete']),
],

and another storage location where group users can read/write/delete files:
'upload-group/*': [
  allow.groups(['DEFAULTGROUP']).to(['read', 'write', 'delete']),
],

  • Issue
    Once the user is authenticated, they only assume the IAM Role of DEFAULTGROUP, hence they are able to read/write/delete only on upload-group/*.
    They need to assume the amplifyAuthauthenticatedUser* role in order to be able to write into upload-user/{entity_id}/.
    The ID Token shows only one role, which is the DEFAULTGROUP IAM Role, and no other role.

Expected behavior

Once the user is authenticated, as they belong to DEFAULTGROUP, they should be able to write into both upload-user/{entity_id}/* and upload-group/*.

Reproduction steps

  1. Set up regular auth for Amplify Gen2 with Cognito, but add groups - https://docs.amplify.aws/react/build-a-backend/auth/concepts/user-groups/
  2. The user can be added to one of the groups through the post-auth flow - https://docs.amplify.aws/react/build-a-backend/functions/examples/add-user-to-group/
  3. Add Storage to your project, and give the user write access to a folder that uses only allow.entity('identity') to read/write/delete objects, and another folder that uses allow.groups to allow the user's group to read/write/delete - https://docs.amplify.aws/react/build-a-backend/storage/authorization/
  4. Now try uploading using StorageManager or FileUpload: it would allow you to upload the file only where the group has permission to upload, and not to upload-user/{entity_id}, and would give you a permission error.

Project Identifier

No response

Log output

# Put your logs below this line


Additional information

No response

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
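The report above hinges on which IAM role the identity pool hands the signed-in user, and that is decided from the group and role claims in the Cognito ID token. The following is an added diagnostic example, not code from the issue or from the Amplify project: it decodes a token's payload (no signature verification, so it is a local debugging aid only), applies the identity-pool "choose role from token" resolution rule (preferred role first, then a lone entry in cognito:roles, then the pool's default authenticated role), and reports which of the two storage prefixes from the issue that role is expected to reach, following the issue's own description that entity('identity') grants sit on the authenticated role and group grants on the group role. The role ARNs, account id, sub value and the token itself are constructed placeholders.

```typescript
// Added example, not code from the issue or the Amplify project.
// Decodes a Cognito ID token payload and reports which IAM role an identity
// pool will assign, then which storage prefix that role can reach.

interface IdTokenClaims {
  sub?: string;
  "cognito:groups"?: string[];
  "cognito:roles"?: string[];
  "cognito:preferred_role"?: string;
  [claim: string]: unknown;
}

// Base64url-decode the payload segment of a compact JWT and parse it.
// The signature is NOT checked: this is a debugging aid for a token you already trust.
function decodeJwtPayload(token: string): IdTokenClaims {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT: expected header.payload.signature");
  }
  const json = Buffer.from(parts[1], "base64url").toString("utf8");
  return JSON.parse(json) as IdTokenClaims;
}

// Identity-pool role resolution with role mapping set to "choose role from token":
// cognito:preferred_role wins; otherwise a lone entry in cognito:roles is used;
// otherwise the pool falls back to its default authenticated role.
function resolveAssumedRole(claims: IdTokenClaims, defaultAuthenticatedRole: string): string {
  const preferred = claims["cognito:preferred_role"];
  if (preferred) return preferred;
  const roles = claims["cognito:roles"] ?? [];
  return roles.length === 1 ? roles[0] : defaultAuthenticatedRole;
}

interface StorageAccessReport {
  assumedRole: string;
  // allow.entity('identity') grants are attached to the authenticated role (as the
  // issue describes), so upload-user/{entity_id}/* is reachable only with that role.
  userPrefixAllowed: boolean;
  // allow.groups(...) grants are attached to each group's own role.
  groupPrefixAllowed: boolean;
}

function storageAccessReport(
  claims: IdTokenClaims,
  authenticatedRole: string,
  groupRoles: Record<string, string>, // group name -> that group's role ARN
): StorageAccessReport {
  const assumedRole = resolveAssumedRole(claims, authenticatedRole);
  const groups = claims["cognito:groups"] ?? [];
  return {
    assumedRole,
    userPrefixAllowed: assumedRole === authenticatedRole,
    groupPrefixAllowed: groups.some((g) => groupRoles[g] === assumedRole),
  };
}

// Constructed placeholders (assumptions): account id and role ARNs are not real.
const AUTHENTICATED_ROLE = "arn:aws:iam::123456789012:role/amplifyAuthauthenticatedUser-EXAMPLE";
const GROUP_ROLES: Record<string, string> = {
  DEFAULTGROUP: "arn:aws:iam::123456789012:role/DEFAULTGROUP-GroupRole-EXAMPLE",
};

function base64url(text: string): string {
  return Buffer.from(text, "utf8").toString("base64url");
}

// Constructed, unsigned token shaped like the issue's situation: one group,
// whose role is the only role in the token. Signature segment is a placeholder.
const SAMPLE_ID_TOKEN = [
  base64url(JSON.stringify({ alg: "RS256", kid: "example-kid" })),
  base64url(JSON.stringify({
    sub: "11111111-2222-3333-4444-555555555555",
    "cognito:groups": ["DEFAULTGROUP"],
    "cognito:roles": [GROUP_ROLES.DEFAULTGROUP],
    "cognito:preferred_role": GROUP_ROLES.DEFAULTGROUP,
    token_use: "id",
  })),
  "signature-omitted",
].join(".");

const report = storageAccessReport(decodeJwtPayload(SAMPLE_ID_TOKEN), AUTHENTICATED_ROLE, GROUP_ROLES);
console.log(report);
// Prints userPrefixAllowed: false, groupPrefixAllowed: true, matching the issue's observation.
```

To use it on a real token, paste the ID token (after it has been validated by your normal flow) in place of SAMPLE_ID_TOKEN and supply the real role ARNs from your deployed stack; a token whose resolved role is the group role rather than the authenticated role reproduces exactly the permission error described in step 4.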
ykethan (Member) commented Sep 10, 2024

Thanks for raising this! I'm going to transfer this over to our Amplify backend repository, as this is a Gen 2 issue.

@ykethan ykethan transferred this issue from aws-amplify/amplify-cli Sep 10, 2024
ykethan (Member) commented Sep 13, 2024

Hey @sevuganhari, thank you for reaching out. The behavior is currently being tracked in #1771.
Do add a 👍 on that issue to help us prioritize it.
Closing this issue as it is being tracked in #1771.

ykethan closed this as not planned (duplicate) Sep 13, 2024
ykethan added the duplicate label Sep 13, 2024