Amplify Auth and Android: credentials (accessKey, secretKey) invalid

0

I have set up an Android app to use Amplify Auth.

I have allowed it to accept unauthorized (guest) users and Google federated sign-in.

It all seems to work as expected. I can log in using Google sign-in and Cognito.

I am experiencing a problem with using the temporary credentials generated for the Google sign-in and the guest user.

I have set up an API in API Gateway (the pet example imported into my API Gateway). I can access the endpoint using a user with a policy allowing invoking the API. I test in Postman using the user's accessKey and secretKey and it works.

It also works when I use the Cognito logged-in user's idToken.

(I have added "allow invoke API" to the auth and unauth roles' policies for the identity pool used.)

If I use the accessKey and secretKey generated for the guest using this code:

    public void getGuestCredentials(View view) {
        Log.i(TAG, "inside getGuestCredentials()...");
        Amplify.Auth.fetchAuthSession(
                result -> {
                    AWSCognitoAuthSession cognitoAuthSession = (AWSCognitoAuthSession) result;
                    Log.i(TAG, "Is user signed in: " + cognitoAuthSession.isSignedIn()); // is false for a guest

                    switch (cognitoAuthSession.getIdentityId().getType()) {
                        case SUCCESS:
                            // Guest (unauthenticated) identity from the identity pool. The keys are
                            // temporary credentials and are only valid together with their session token.
                            // Logging a secret key like this is for local debugging only.
                            Log.i(TAG, "success IdentityId: " + cognitoAuthSession.getIdentityId().getValue());
                            Log.i(TAG, "success access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());
                            Log.i(TAG, "success secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());
                            break;
                        case FAILURE:
                            Log.i(TAG, "failure IdentityId not present because: " + cognitoAuthSession.getIdentityId().getError().toString());
                            break;
                        default:
                            Log.i(TAG, "default IdentityId: " + cognitoAuthSession.getIdentityId().getValue());
                            Log.i(TAG, "default access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());
                            Log.i(TAG, "default secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());
                            break;
                    }
                },
                error -> Log.i("AuthQuickStart", error.toString())
        );
    }


I get:

"message": "The security token included in the request is invalid."

in Postman.

The same with the keys generated for the Google sign-in using this code:

    // sign in as federated user using google token (using escape hatch)
    // 'account' is the GoogleSignInAccount obtained from Google Sign-In (not shown in the post)
    AWSMobileClient mobileClient = (AWSMobileClient) Amplify.Auth.getPlugin("awsCognitoAuthPlugin").getEscapeHatch();
    // mobileClient.federatedSignIn(IdentityProvider.GOOGLE.toString(), account.getIdToken(), new Callback<UserStateDetails>() {
    mobileClient.federatedSignIn("accounts.google.com", account.getIdToken(), new Callback<UserStateDetails>() {

        @Override
        public void onResult(final UserStateDetails userStateDetails) {
            // Handle the result
            Log.i(TAG, "mobileClient login result: " + userStateDetails.getUserState().toString());
            Log.i(TAG, "success google federation, going to authenticated user page.... ");

            // ************************************************

            // Temporary credentials for the federated identity; like the guest keys they are
            // only valid together with their session token. Logging the secret is for debugging only.
            AWSCredentials credentials = mobileClient.getCredentials();
            Log.i(TAG, "***** secret key: " + credentials.getAWSSecretKey());
            Log.i(TAG, "***** access key: " + credentials.getAWSAccessKeyId());

            // .....
        }

        @Override
        public void onError(final Exception e) {
            Log.e(TAG, "federated sign-in failed", e);
        }
    });


Appreciate any help to solve this. Thanks.

asked 4 years ago, 1009 views
2 Answers
0

For guest access you should be using AWS_IAM as the authorizationType. You may want to consider using multiple APIs set up with the same endpoint and different authorization modes in your amplifyconfiguration.json. It will look like the following:

{  
    "awsAPIPlugin": {  
        "REST_AWS_IAM": {  
            "endpointType": "REST",  
            "endpoint": "<YOUR-REST-ENDPOINT>",  
            "region": "us-west-2",  
            "authorizationType": "AWS_IAM"  
        },  
        "REST_AMAZON_COGNITO_USER_POOLS": {  
            "endpointType": "REST",  
            "endpoint": "<YOUR-REST-ENDPOINT>",  
            "region": "us-west-2",  
            "authorizationType": "AMAZON_COGNITO_USER_POOLS"  
        }  
    }  
}  

The API name should be specified when invoking the API for each use case. For example, you may do the following for guest access:

    // Request options; the "/pets" path is assumed for the imported pet-store API
    RestOptions options = RestOptions.builder()
            .addPath("/pets")
            .build();

    Amplify.API.post(
            "REST_AWS_IAM",
            options,
            response -> Log.i("MyAmplifyApp", "POST succeeded: " + response.getData().asString()), // success callback
            error -> Log.e("MyAmplifyApp", "POST failed.", error)                                  // error callback
    );

Edited by: raphkim on Oct 5, 2020 3:34 PM

raphkim
answered 4 years ago
0

Thanks for the help.

I managed to find the solution:

"When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials. The temporary credentials expire after a specified interval."

answered 4 years ago
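To make the two answers concrete: the AWS_IAM authorization mode from the first answer means API Gateway verifies a Signature Version 4 signature, and with temporary credentials (Cognito identity pool, STS) that signature is only accepted when the session token from the second answer is sent as X-Amz-Security-Token and covered by the signature. The following added example is not from the post, from Amplify or from Postman; it is a minimal SigV4 signer that shows exactly where the token goes and compares a request signed with only accessKey/secretKey against one that also carries the token. The credentials, host and path are constructed placeholders.

```python
"""Minimal SigV4 signing for an execute-api request, with and without a session token.

Added example (not from the post or from Amplify). Credentials, host and path
below are constructed placeholders, not real values.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders; "ASIA" is the prefix AWS uses for temporary access keys.
FAKE_ACCESS_KEY = "ASIAEXAMPLEACCESSKEY"
FAKE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FAKE_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLEsessionTOKENvalue=="

# Assumed request target: a pet-store REST API in us-west-2, as in the config above.
API_HOST = "abc123.execute-api.us-west-2.amazonaws.com"
API_PATH = "/dev/pets"
REGION = "us-west-2"
SERVICE = "execute-api"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_request(method, host, path, region, service, access_key, secret_key,
                 session_token=None, body=b"", when=None):
    """Return the headers of a SigV4-signed request (no query string).

    When session_token is given it is sent as X-Amz-Security-Token and listed in
    SignedHeaders, so it is covered by the signature. Temporary credentials used
    without it are rejected with "The security token included in the request is invalid".
    """
    when = when or dt.datetime.now(dt.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(path, safe="/-_.~"),  # canonical URI, each segment URI-encoded once
        "",                         # canonical query string (none in this example)
        canonical_headers,
        signed_headers,
        _sha256_hex(body),
    ])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )

    # Derive the signing key from the secret key, then sign the string to sign.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def check_temporary_credentials(headers):
    """Pre-flight check: an ASIA... access key must be accompanied by a session token."""
    auth = headers.get("authorization", "")
    credential = auth.split("Credential=", 1)[1].split("/", 1)[0] if "Credential=" in auth else ""
    if credential.startswith("ASIA") and "x-amz-security-token" not in headers:
        return "temporary credentials without X-Amz-Security-Token: expect 'security token ... invalid'"
    return "ok"


def demo():
    """Sign the same constructed request with keys only and with keys plus token."""
    fixed = dt.datetime(2020, 10, 5, 15, 34, 0, tzinfo=dt.timezone.utc)
    common = ("GET", API_HOST, API_PATH, REGION, SERVICE, FAKE_ACCESS_KEY, FAKE_SECRET_KEY)
    keys_only = sign_request(*common, when=fixed)
    with_token = sign_request(*common, session_token=FAKE_SESSION_TOKEN, when=fixed)
    return keys_only, with_token


if __name__ == "__main__":
    for label, h in zip(("keys only", "keys + token"), demo()):
        print(label, "->", check_temporary_credentials(h))
        print("   ", h["authorization"])
```

The keys-only variant corresponds to what the post tried in Postman: the signature is computed correctly, but API Gateway cannot validate an ASIA access key without the token, hence the "security token ... invalid" message. In Postman the token goes into the "Session Token" field of the AWS Signature auth type; Amplify's AWS_IAM mode attaches it for you.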
