What is the right authentication flow using Cognito?


Hi,

I'm working on a simple PoC where I just want to explore the capabilities of AWS. Therefore my intention was very simple (I thought): I wanted to build a tiny infrastructure that allows downloading S3 buckets to a Windows machine. So I used Cognito to create a user pool, created a new demo user and also created an app client with the authorization code flow enabled. Afterwards I created a new role which just gives full access to my AWS S3 service (of course just for testing purposes), assigned this role to a group and assigned my demo user to this group. As I was able to receive OAuth 2.0 tokens from Cognito, I went on to the next step: build an application in .NET Core 8 which does exactly what I did in Insomnia before: authenticate against Cognito and download an S3 bucket. Of course I could just create an AWS profile on the machine and then just call the S3 SDK, but then all API calls are done with my AWS account. This is exactly NOT what I want. Moreover, I want to manage some users, give them access to some buckets and that's it.

So I developed a small application for the taskbar which opens the web browser, redirects the user to the Cognito login page and redirects back to the web server of the app. With the gathered authorization code I then fetched an OAuth 2.0 token using the plain HttpClient class.

But now I'm confused. How should I access the S3 bucket now?

It already took me hours of searching the web to find out that I need to assume a role using the Security Token Service, providing my OAuth 2.0 credentials, and then receive AWS credentials which can then be used to contact S3 using the SDK. So I used the AmazonSecurityTokenServiceClient. But I get an error that I'm "Unable to get IAM security credentials from EC2 Instance Metadata Service". But how does the EC2 service come into play here?

using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Get AWS credentials using the identity pool
// Note: this constructor passes no credentials, so the SDK resolves the default
// credential chain (profile, environment variables, ..., EC2 instance metadata service).
// On a machine with none of those configured, that chain ends in the IMDS error above.
AmazonSecurityTokenServiceClient secureTokenService = new AmazonSecurityTokenServiceClient(RegionEndpoint.EUNorth1);
AssumeRoleWithWebIdentityResponse roleResponse = await secureTokenService.AssumeRoleWithWebIdentityAsync(new AssumeRoleWithWebIdentityRequest()
{
	// "www.amazon.com" is the ProviderId value for Login with Amazon; STS documents that
	// ProviderId is not set for OpenID Connect providers such as a Cognito user pool.
	ProviderId = "www.amazon.com",
	// User pool access token obtained from the Cognito token endpoint
	WebIdentityToken = tokenResponse?.AccessToken,
	RoleArn = "arn:aws:iam::<rand-number>:role/cognito-hello-world",
});

To summarize: I guess I'm kind of lost in the big environment AWS provides. Maybe you can give me a hint to clear up my confusion about it.

Thanks in advance, Dictyosom

1 answer

Accepted answer

Hey Dictyosom, there are a lot of services to get familiar with, especially around identity. Hopefully these links are helpful.

It sounds like you're looking to directly use your user pool access tokens to access AWS services via STS, and I think the step you're missing is the use of Cognito identity pools.

The typical flow would be to have users authenticate to your user pool, and then retrieve AWS credentials via an Identity Pool. You can find more details about that process in the developer guide here.

When you set the IAM role for a Cognito user pool group, a user in that group can use their access token to authenticate with an Amazon Cognito identity pool and they can receive credentials for the requested role.

Answered by AWS, 5 months ago
  • Great, thanks! As I'm digging deeper in the AWS infrastructure everything starts to make sense right now.
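The flow the answer describes, as an added example that is not part of the original question or answer and is not AWS's own sample code: the application keeps the user pool JWT it already obtained from the token endpoint, exchanges it at an identity pool for short-lived AWS credentials, and uses those credentials for S3. It assumes a user pool, an identity pool that has that user pool configured as an authentication provider, and a group whose IAM role allows listing and reading the bucket; the region, pool IDs, bucket name and download directory are placeholders. The Logins map value used here is the ID token from the token response, which is the token the developer guide examples pass to identity pools.

```csharp
// Added example, not from the original post or from AWS. All identifiers are placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.CognitoIdentity.Model;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;

public static class CognitoS3Download
{
    // Placeholders: replace with your own region, user pool id and identity pool id.
    const string Region = "eu-north-1";
    const string UserPoolId = "eu-north-1_EXAMPLE";
    const string IdentityPoolId = "eu-north-1:00000000-0000-0000-0000-000000000000";

    // A user pool is registered with an identity pool under its issuer host plus pool id.
    static string ProviderName => $"cognito-idp.{Region}.amazonaws.com/{UserPoolId}";

    // Exchange the user pool ID token (JWT from the token endpoint) for AWS credentials.
    // GetId/GetCredentialsForIdentity are unauthenticated calls, so pass AnonymousAWSCredentials
    // explicitly; without them the SDK walks the default credential chain, whose last stop is
    // the EC2 instance metadata service, which is where the IMDS error in the question comes from.
    public static async Task<AWSCredentials> CredentialsFromIdTokenAsync(string idToken)
    {
        var region = RegionEndpoint.GetBySystemName(Region);
        using var identity = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials(), region);
        var logins = new Dictionary<string, string> { [ProviderName] = idToken };

        // Step 1: map the user pool identity to an identity pool identity id.
        var id = await identity.GetIdAsync(new GetIdRequest
        {
            IdentityPoolId = IdentityPoolId,
            Logins = logins,
        });

        // Step 2: obtain temporary credentials. With "choose role from token" enabled on the
        // identity pool, the role is the one attached to the user's group.
        var creds = await identity.GetCredentialsForIdentityAsync(new GetCredentialsForIdentityRequest
        {
            IdentityId = id.IdentityId,
            Logins = logins,
        });

        return new SessionAWSCredentials(
            creds.Credentials.AccessKeyId,
            creds.Credentials.SecretKey,
            creds.Credentials.SessionToken);
    }

    // Download every object in the bucket with the user's credentials, never the developer's profile.
    public static async Task DownloadBucketAsync(AWSCredentials credentials, string bucket, string targetDir)
    {
        using var s3 = new AmazonS3Client(credentials, RegionEndpoint.GetBySystemName(Region));
        var root = Path.GetFullPath(targetDir);
        var request = new ListObjectsV2Request { BucketName = bucket };
        ListObjectsV2Response page;
        do
        {
            page = await s3.ListObjectsV2Async(request);
            foreach (var obj in page.S3Objects)
            {
                if (obj.Key.EndsWith("/")) continue; // "folder" placeholder objects have no content

                // Object keys are attacker-controllable names: refuse any key that would
                // resolve outside the download directory (e.g. "../../something").
                var path = Path.GetFullPath(Path.Combine(root, obj.Key.Replace('/', Path.DirectorySeparatorChar)));
                if (!path.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
                {
                    Console.Error.WriteLine($"skipping unsafe key: {obj.Key}");
                    continue;
                }

                Directory.CreateDirectory(Path.GetDirectoryName(path)!);
                using var response = await s3.GetObjectAsync(bucket, obj.Key);
                await response.WriteResponseStreamToFileAsync(path, false, CancellationToken.None);
            }
            request.ContinuationToken = page.NextContinuationToken;
        } while (page.IsTruncated);
    }

    // Usage, after the hosted-UI authorization code has been exchanged at the token endpoint
    // (tokenResponse is the deserialized token endpoint response from the taskbar app):
    //   var creds = await CognitoS3Download.CredentialsFromIdTokenAsync(tokenResponse.IdToken);
    //   await CognitoS3Download.DownloadBucketAsync(creds, "my-demo-bucket", @"C:\downloads");
}
```

Two practical notes. The credentials returned by GetCredentialsForIdentity expire (the Expiration field on the response), so a long-running taskbar app either repeats the exchange before expiry or uses the SDK's CognitoAWSCredentials class from the same package, which performs the GetId/GetCredentialsForIdentity exchange and refreshes on its own once you call AddLogin(providerName, idToken) on it. And since the role is selected from the user's group, the user only ever holds the permissions of that role; the S3 calls are signed with the per-user session credentials, which is the separation the question was asking for.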
