
Role access to cognito-idp in ap-east-1 region denied

0

Hi community,

I was developing an application with a Cognito user pool for auth. I was trying to interact with cognito-idp using credentials from the assumed role, and I kept getting the

UnrecognizedClientException: The security token included in the request is invalid

error.

I went to play around with the CLI after long hours of frustration. Oddly,

aws cognito-idp list-user-pools --region ap-east-1 --max-results 5 --profile temp_credentials

gives the same "The security token included in the request is invalid" error, while user pools in other regions can be properly listed.

I have tried the same using my own long term credentials and the user pools in the ap-east-1 region can be properly listed.

I have made sure ap-east-1 region is enabled and no policy is blocking the role's access to the region.

I would highly appreciate any sharing of experience, or even better, a solution to this issue.

1 Answer
0

The issue you're experiencing with the "UnrecognizedClientException: The security token included in the request is invalid" error when trying to interact with Amazon Cognito in the ap-east-1 region (Hong Kong) is likely related to the way your IAM role and temporary credentials are configured.

Here are a few things to consider:

  1. Region availability: While you mentioned that you've enabled the ap-east-1 region, it's worth double-checking that Cognito is fully supported in this region. Some AWS services have limited availability in newer regions.

  2. IAM role configuration: Ensure that the IAM role you're assuming has the necessary permissions to interact with Cognito in the ap-east-1 region. The role's trust policy should allow it to be assumed by the appropriate service or entity.

  3. Temporary credentials: When using assumed role credentials, make sure they haven't expired. Temporary credentials have a limited lifetime, typically 1 hour by default.

  4. AWS CLI configuration: Verify that your AWS CLI is properly configured with the correct region and profile settings.

  5. Token validation: Amazon Cognito performs strict validation of security tokens. Ensure that the clock on your local machine is accurately synchronized.

  6. Cross-region access: If you're trying to access a Cognito user pool in a different region than where it was created, this could cause issues.

To troubleshoot further:

  1. Double-check your IAM role permissions and ensure they explicitly allow actions on Cognito in the ap-east-1 region.

  2. Try generating new temporary credentials and ensure they're properly set in your environment or AWS CLI profile.

  3. Attempt to use long-term IAM user credentials (if available) to isolate whether the issue is specific to assumed role credentials.

  4. Verify that you're not hitting any service limits or quotas for Cognito in the ap-east-1 region.

  5. If possible, try creating and accessing a new user pool in ap-east-1 to see if the issue persists.

If none of these steps resolve the issue, you may need to contact AWS Support for further assistance, as there could be an underlying service or account-specific problem in the ap-east-1 region.
Sources
Using role-based access control - Amazon Cognito
SaaS authentication: Identity management with Amazon Cognito user pools | AWS Security Blog
AdminAddUserToGroup - Amazon Cognito User Pools

answered a year ago
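As an added example (not part of the question or the answer above), here is a shell script that carries out the answer's "isolate whether the issue is specific to assumed role credentials" step in a repeatable way. It assumes the same role twice, once through the global STS endpoint (sts.amazonaws.com) and once through the regional STS endpoint of the target Region, then calls cognito-idp list-user-pools with each set of temporary credentials and classifies the failure. The distinction matters: UnrecognizedClientException means the endpoint does not recognise the security token at all, which is a credential problem, whereas AccessDeniedException means the token was accepted and IAM denied the call. One fact worth knowing when reading the result: temporary credentials minted at the global STS endpoint are version 1 tokens, and opt-in Regions such as ap-east-1 do not accept them unless the account's global endpoint token version has been raised to v2 (aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token); credentials from the regional endpoint are always accepted in that Region. The role ARN, source profile and Region are placeholders, and the sample error lines used in the test are constructed.

```bash
#!/usr/bin/env bash
# Added example: isolate whether assumed-role temporary credentials are
# rejected by a target Region. ROLE_ARN, SOURCE_PROFILE and TARGET_REGION
# are placeholders (assumptions), overridable from the environment.
set -u

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/example-role}"  # placeholder
SOURCE_PROFILE="${SOURCE_PROFILE:-default}"     # profile holding long-term credentials
TARGET_REGION="${TARGET_REGION:-ap-east-1}"     # opt-in Region from the question

# Regional STS endpoint for a Region. The global endpoint is sts.amazonaws.com.
sts_endpoint() {
    printf 'https://sts.%s.amazonaws.com\n' "$1"
}

# Classify the stderr text of a failed cognito-idp call:
#   ok             - empty error text, the call succeeded
#   token_rejected - the endpoint does not recognise the security token itself
#   expired        - the temporary credentials have expired
#   iam_denied     - the token was accepted but IAM denied the action
#   other          - anything else (throttling, network, ...)
classify_error() {
    case "$1" in
        "")                                             echo ok ;;
        *UnrecognizedClientException*|*InvalidClientTokenId*) echo token_rejected ;;
        *ExpiredToken*)                                 echo expired ;;
        *AccessDenied*)                                 echo iam_denied ;;
        *)                                              echo other ;;
    esac
}

# Assume ROLE_ARN via the "global" or "regional" STS endpoint and print
# AccessKeyId, SecretAccessKey and SessionToken tab-separated on one line.
assume_role() {
    mode="$1"
    if [ "$mode" = regional ]; then
        endpoint="$(sts_endpoint "$TARGET_REGION")"; region="$TARGET_REGION"
    else
        endpoint="https://sts.amazonaws.com"; region="us-east-1"   # global endpoint signs as us-east-1
    fi
    aws sts assume-role --profile "$SOURCE_PROFILE" \
        --region "$region" --endpoint-url "$endpoint" \
        --role-arn "$ROLE_ARN" --role-session-name "probe-$mode" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
}

# Call cognito-idp in TARGET_REGION with the given key/secret/token and
# classify the outcome (only stderr is captured; stdout is discarded).
probe_cognito() {
    err="$(AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3" \
           aws cognito-idp list-user-pools --region "$TARGET_REGION" --max-results 5 \
           2>&1 >/dev/null)"
    classify_error "$err"
}

# Live run only when explicitly requested and the CLI is present, so the
# script can be sourced or tested offline without touching AWS.
if [ "${PROBE_LIVE:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
    for mode in global regional; do
        set -- $(assume_role "$mode")
        if [ $# -ne 3 ]; then
            echo "$mode STS endpoint: assume-role failed"
            continue
        fi
        echo "$mode STS endpoint -> cognito-idp in $TARGET_REGION: $(probe_cognito "$1" "$2" "$3")"
    done
fi
```

Run it as PROBE_LIVE=1 ROLE_ARN=arn:aws:iam::123456789012:role/your-role TARGET_REGION=ap-east-1 ./probe.sh. A result of token_rejected for the global endpoint and ok (or iam_denied) for the regional endpoint points at the token version rather than at the role's IAM policies; token_rejected for both means the credentials themselves are bad, and iam_denied for both means the token is fine and the policy is the thing to fix.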
