Amplify Auth and Android: credentials (accessKey, secretKey) invalid

0

i have set up an android app to use amplify auth.

i have allowed it to accept unauthorized (guest) users and google federated sign in.

it all seems to work as expected. i can log in using google sign in and cognito.

i am experiencing a problem with using the temporary credentials generated for the google sign in and the guest user.

i have set up an api in apigateway (the pet example imported into my apigateway). i can access the endpoint using a user with policy allowing invoke api. i test in postman using the users accessKey and secretKey and it works.

it also works when i use the cognito logged in users' idToken.

(i have added allow invoke api to the auth and unauth roles' policies for the identity pool used)

if i use the accessKey and secretKey generated for the guest using this code:

public void getGuestCredentials(View view) {
Log.i(TAG, "inside getGuestCredentials()...");
Amplify.Auth.fetchAuthSession(
result -> {
AWSCognitoAuthSession cognitoAuthSession = (AWSCognitoAuthSession) result;
Log.i(TAG, "Is user signed in: "+cognitoAuthSession.isSignedIn());//is false

                switch(cognitoAuthSession.getIdentityId().getType()) {  
                    case SUCCESS:  
                        Log.i(TAG, "success IdentityId: " + cognitoAuthSession.getIdentityId().getValue());  
                        Log.i(TAG, "success access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());  
                        Log.i(TAG, "success secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());  
                        break;  
                    case FAILURE:  
                        Log.i(TAG, "failure IdentityId not present because: " + cognitoAuthSession.getIdentityId().getError().toString());  
                        break;  
                    default:  
                        Log.i(TAG, "default IdentityId: " + cognitoAuthSession.getIdentityId().getValue());  
                        Log.i(TAG, "default access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());  
                        Log.i(TAG, "default secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());  
                        break;  

                }  
            },  
            error -> Log.i("AuthQuickStart", error.toString())  
    );  
	  

I get:

"message": "The security token included in the request is invalid."

in postman.

the same with the keys generated for the google signin using this code:

// sign in as federated user using google token (using escape hatch)
AWSMobileClient mobileClient = (AWSMobileClient) Amplify.Auth.getPlugin("awsCognitoAuthPlugin").getEscapeHatch();
// mobileClient.federatedSignIn(IdentityProvider.GOOGLE.toString(), account.getIdToken(), new Callback<UserStateDetails>() {
mobileClient.federatedSignIn("accounts.google.com", account.getIdToken(), new Callback<UserStateDetails>() {

            @Override  
            public void onResult(final UserStateDetails userStateDetails) {  
                //Handle the result  
                Log.i(TAG, "mobileClient login result: " + userStateDetails.getUserState().toString());  
                Log.i(TAG, "success google federation, going to authenticated user page.... ");  

// ************************************************

                AWSCredentials credentials = mobileClient.getCredentials();  
                Log.i(TAG, "***** secret key: "+credentials.getAWSSecretKey());  
                Log.i(TAG, "***** access key: "+credentials.getAWSAccessKeyId());  
				  
				.....  
				  

appreciate any help to solve this. thanks

asked 4 years ago1045 views
2 Answers
0

For guest access you should be using AWS_IAM as authorizationType. You may want to consider using multiple APIs set up with the same endpoint and different authorization mode in your amplifyconfiguration.json. It will look like the following:

{  
    "awsAPIPlugin": {  
        "REST_AWS_IAM": {  
            "endpointType": "REST",  
            "endpoint": "<YOUR-REST-ENDPOINT>",  
            "region": "us-west-2",  
            "authorizationType": "AWS_IAM"  
        },  
        "REST_AMAZON_COGNITO_USER_POOLS": {  
            "endpointType": "REST",  
            "endpoint": "<YOUR-REST-ENDPOINT>",  
            "region": "us-west-2",  
            "authorizationType": "AMAZON_COGNITO_USER_POOLS"  
        }  
    }  
}  

The API name should be specified when invoking the API for each use-case. For example, you may do the following for guest access:

Amplify.API.post(  
    "REST_AWS_IAM",  
    options,  
    () -> {}, //success callback  
    () -> {}  //error callback  
);  

Edited by: raphkim on Oct 5, 2020 3:34 PM

raphkim
answered 4 years ago
0

thanks for the help.

i managed to find the solution:

"When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials. The temporary credentials expire after a specified interval."

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions