3 Answers
0
After almost a day.... the problem turned out to be "PrincipalTags".
    const cognitoResponse = await Cognito.getOpenIdTokenForDeveloperIdentity({
      IdentityPoolId: '<Identity Pool ID>',
      IdentityId: '<Identity ID>',
      Logins: {
        '<provider name>': userId,
      },
      PrincipalTags: { // THIS IS THE ISSUE
        'userType': 'client',
      },
      TokenDuration: 86400,
    }).promise();
I don't know why, but I got it working by removing it ...
answered 3 years ago
0
I also faced the same issue.
It seems that sts:TagSession must be allowed to getCredentialsForIdentity.
There are details in the document below.
https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/id_session-tags.html
answered a year ago
0
You have to modify trust relationships for the IAM role that is linked to Identity pools
- Access Roles
- Search for & open the role that is linked to your Identity pools
- Click on the "trust relationships" tab
- Add the new action sts:TagSession
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": [
            "sts:AssumeRoleWithWebIdentity",
            "sts:TagSession" <---- this one
          ],
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated"
            }
          }
        }
      ]
    }
answered 3 months ago
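An added example, not part of the original answers: a small offline check that inspects a role trust policy document for the condition described in this thread (Cognito is trusted for `sts:AssumeRoleWithWebIdentity` but `sts:TagSession` is not allowed) and also flags a missing `aud` condition. The function names, the sample policies and the all-zero identity pool ID are constructed for illustration.

```javascript
// Added example, not from the original thread. Policies below are constructed samples.
const COGNITO = 'cognito-identity.amazonaws.com';
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action names are case-insensitive and may use * and ? wildcards.
function actionAllowed(patterns, action) {
  return patterns.some((p) => {
    const re = p.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp(`^${re}$`, 'i').test(action);
  });
}

// Returns a list of findings for statements that trust Cognito identity pools.
function auditCognitoTrustPolicy(policy) {
  const findings = [];
  toArray(policy.Statement).forEach((stmt, i) => {
    const federated = toArray(stmt.Principal && stmt.Principal.Federated);
    if (stmt.Effect !== 'Allow' || !federated.includes(COGNITO)) return;
    const actions = toArray(stmt.Action);
    if (!actionAllowed(actions, 'sts:AssumeRoleWithWebIdentity')) return;
    if (!actionAllowed(actions, 'sts:TagSession')) {
      findings.push(`Statement[${i}]: sts:TagSession not allowed, PrincipalTags will be rejected`);
    }
    // Without an aud condition the role is not pinned to a single identity pool.
    const audKey = `${COGNITO}:aud`;
    const hasAud = Object.values(stmt.Condition || {})
      .some((block) => Object.keys(block).some((k) => k.toLowerCase() === audKey));
    if (!hasAud) findings.push(`Statement[${i}]: missing ${audKey} condition`);
  });
  return findings;
}

// Builds a trust policy shaped like the one in the answer above; pool id is a placeholder.
function samplePolicy(actions, withAud = true) {
  const Condition = { 'ForAnyValue:StringLike': { [`${COGNITO}:amr`]: 'authenticated' } };
  if (withAud) {
    Condition.StringEquals = { [`${COGNITO}:aud`]: 'us-east-1:00000000-0000-0000-0000-000000000000' };
  }
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { Federated: COGNITO }, Action: actions, Condition }],
  };
}

const before = samplePolicy('sts:AssumeRoleWithWebIdentity');
const after = samplePolicy(['sts:AssumeRoleWithWebIdentity', 'sts:TagSession']);
console.log(auditCognitoTrustPolicy(before)); // one finding about sts:TagSession
console.log(auditCognitoTrustPolicy(after)); // []
```

To check a real role, pass in the parsed trust policy document exported from that role.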
Ran into the same issue.
After some playing around, I found that I could provide standard tag values (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html), but providing custom tags results in the same error you received. I believe you'd need to update your trust policy to allow both "sts:AssumeRoleWithWebIdentity" and "sts:TagSession".
If anyone figures out how to add custom attributes, please let me know. Tried it multiple ways, and every time received the same error.
Hmm.. I just tried it today and custom tags worked just fine. I do have "sts:TagSession" in my Trusted entities, but I also had that the last time I attempted this when it didn't work. The only thing I can think of that might be different between then and now is either that something was being cached in my session, or AWS made a fix on their end to support it.