.NET SDK Cognito Identity InitiateAuth yields AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service


I am attempting to authorize users that I have added to a Cognito User Pool through a client application (like a website) using the .NET SDK.

.NET SDK version: 45-3.7.494.1

As far as I know I have set up everything correctly on the AWS side - user pool, federated identity pool tied to user pool, IAM auth & unauth roles tied to identity pool.

I added the user email to the user pool and now need them to log in. However, on attempting to begin the process with the code below:

Auth Request Code Example

I get:

Error List

From what I can tell I am using the appropriate logic based on https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html and other associated documentation. I have also combed the internet (re:Post, git, stack) for some kind of hint with no luck. I had tried CognitoSync but this method proved more useful initially.

Any ideas or potential insight would be greatly appreciated!

1 Answer

I managed to find my way around this and am posting this response for anyone who has the same problems:

There are a few things wrong with the code listed:

  1. First, credentials need to be passed through when constructing the AmazonCognitoIdentityProviderClient (idClient). Otherwise the request instance hangs and the following error occurs: AmazonServiceException: Unable to get IAM security credentials from EC2 Instance Metadata Service
  2. The SRP_A value is a special value and needs code to compute it (see Secure Remote Password on wiki). The C# code I found that works for this is here: https://github.com/aws/aws-sdk-net-extensions-cognito/tree/master/src/Amazon.Extensions.CognitoAuthentication/Util. You will need all the scripts in the util folder.
  3. The call for InitiateAuth must be tied to something - in this case: Amazon.CognitoIdentityProvider.Model.InitiateAuthResponse

The correct code (as far as I can tell at this moment) is: Corrected Code

This returns the PASSWORD_VERIFIER challenge as part of "response".

There may be issues with this I have yet to run into as I am still in the process of integrating - so please be careful.

answered a year ago
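
An added example, not the poster's code and not taken from the original page: one way to run the SRP sign-in described in the answer above using the Amazon.Extensions.CognitoAuthentication package (the library whose Util folder the answer links to) instead of copying its helpers. The pool ID, client ID, region and the `CognitoSrpLogin` class name are placeholders and assumptions, and the app client is assumed to have no client secret.

```csharp
// Added example. PoolId, ClientId and Region are placeholders, not values from the page.
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;

public static class CognitoSrpLogin
{
    const string PoolId = "us-east-1_EXAMPLE";      // placeholder user pool ID
    const string ClientId = "EXAMPLECLIENTID";      // placeholder app client ID (no client secret)
    static readonly RegionEndpoint Region = RegionEndpoint.USEast1; // assumed region

    public static async Task<string> SignInAsync(string username, string password)
    {
        // InitiateAuth is an unsigned, public operation, so anonymous credentials suffice
        // and no IAM access keys have to ship inside the client application.
        // Passing them explicitly also stops the SDK from walking its default credential
        // chain, whose last step is the EC2 Instance Metadata Service lookup named in
        // the error from the question.
        using (var provider = new AmazonCognitoIdentityProviderClient(
                   new AnonymousAWSCredentials(), Region))
        {
            var pool = new CognitoUserPool(PoolId, ClientId, provider);
            var user = new CognitoUser(username, ClientId, pool, provider);

            // The library computes SRP_A, calls InitiateAuth with USER_SRP_AUTH and
            // answers the PASSWORD_VERIFIER challenge; the password itself is never sent.
            AuthFlowResponse response = await user.StartWithSrpAuthAsync(
                new InitiateSrpAuthRequest { Password = password }).ConfigureAwait(false);

            if (response.AuthenticationResult != null)
            {
                // Tokens are only present once every challenge has been satisfied.
                return response.AuthenticationResult.IdToken;
            }

            // Further challenges are possible, for example NEW_PASSWORD_REQUIRED for
            // users created by an administrator, or an MFA challenge.
            throw new InvalidOperationException(
                "Additional challenge required: " + response.ChallengeName);
        }
    }
}
```

Treat the returned ID token as a secret: keep it out of logs and validate its signature and audience on any backend that accepts it.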
