3 Answers
After almost a day, the problem turned out to be "PrincipalTags".

const cognitoResponse = await Cognito.getOpenIdTokenForDeveloperIdentity({
  IdentityPoolId: '<Identity Pool ID>',
  IdentityId: '<Identity ID>',
  Logins: {
    '<provider name>': userId,
  },
  PrincipalTags: { // THIS IS THE ISSUE
    'userType': 'client',
  },
  TokenDuration: 86400,
}).promise();
I don't know why, but I got it working by removing it.
answered 3 years ago
I also faced the same issue.
It seems that sts:TagSession must be allowed in order to call getCredentialsForIdentity.
There are details in the document below.
https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/id_session-tags.html
answered a year ago
You have to modify the trust relationship of the IAM role that is linked to your Identity pool:
- Go to Roles
- Search for and open the role that is linked to your Identity pool
- Click on the "Trust relationships" tab
- Add the new action sts:TagSession
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"   <---- this one
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
answered 2 months ago
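A small trust-policy check, added here as an example and not taken from any of the answers above: it reads the identity-pool role's trust policy, reports which of the two actions the answers name are still missing for the Cognito federated principal, and confirms that the statement still pins the identity pool id via the aud condition after the edit. The policy documents and the pool id in it are constructed placeholders.

```javascript
// Added example (not from any answer above): lint a Cognito identity-pool
// role's trust policy before turning on PrincipalTags. Session tags require
// both actions below in the role's trust relationship.
const REQUIRED_ACTIONS = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"];
const COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com";
const AUD_KEY = "cognito-identity.amazonaws.com:aud";

// IAM policy elements may be a single string or an array; normalise to an array.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Allow statements whose Principal is the Cognito identity federation service.
function cognitoAllowStatements(policy) {
  return asList(policy.Statement).filter(
    (s) => s.Effect === "Allow" &&
      asList(s.Principal && s.Principal.Federated).includes(COGNITO_PRINCIPAL)
  );
}

// Actions from REQUIRED_ACTIONS that no Cognito Allow statement grants.
// An empty result means a token request that carries PrincipalTags can assume
// the role; a result containing sts:TagSession matches the symptom above.
function missingTagSessionActions(policyJson) {
  const granted = new Set();
  for (const s of cognitoAllowStatements(JSON.parse(policyJson))) {
    asList(s.Action).forEach((a) => granted.add(a));
  }
  return REQUIRED_ACTIONS.filter((a) => !granted.has(a));
}

// Least-privilege check: every Cognito Allow statement should still carry the
// aud condition, so adding sts:TagSession does not leave the role assumable
// from any identity pool.
function everyStatementPinsIdentityPool(policyJson) {
  const stmts = cognitoAllowStatements(JSON.parse(policyJson));
  return stmts.length > 0 && stmts.every((s) => {
    const eq = (s.Condition && s.Condition.StringEquals) || {};
    return typeof eq[AUD_KEY] === "string" && eq[AUD_KEY].length > 0;
  });
}

// Constructed sample trust policies; the identity pool id is a placeholder.
const CONDITION = { StringEquals: { [AUD_KEY]: "us-east-1:00000000-placeholder" } };
const TRUST_BEFORE = JSON.stringify({ Version: "2012-10-17", Statement: [{
  Effect: "Allow", Principal: { Federated: COGNITO_PRINCIPAL },
  Action: "sts:AssumeRoleWithWebIdentity", Condition: CONDITION }] });
const TRUST_AFTER = JSON.stringify({ Version: "2012-10-17", Statement: [{
  Effect: "Allow", Principal: { Federated: COGNITO_PRINCIPAL },
  Action: REQUIRED_ACTIONS, Condition: CONDITION }] });
```

Feed it the output of get-role's AssumeRolePolicyDocument for the authenticated role; an empty missing list together with a true pin result is the state the third answer's policy describes.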
Ran into the same issue.
After some playing around, I found that I could provide standard tag values (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html), but providing custom tags results in the same error you received. I believe you'd need to update your trust policy to allow both "sts:AssumeRoleWithWebIdentity" and "sts:TagSession".
If anyone figures out how to add custom attributes, please let me know. I tried it multiple ways, and every time I received the same error.
Hmm, I just tried it today and custom tags worked just fine. I do have "sts:TagSession" in my Trusted entities, but I also had that the last time I attempted this, when it didn't work. The only thing I can think of that might be different between then and now is either that something was being cached in my session, or AWS made a fix on their end to support it.