Cannot get developer authenticated identities to work

0

We have set up an Identity Pool with our own Custom provider. On our backend (node sdk v2), we are calling .getOpenIdTokenForDeveloperIdentity() and we are successfully getting back OpenID tokens for our users.

But then, both with iOS SDK (using AWSCore from Mobile SDK) and with a JS Client, we are receiving this error when calling .getCredentialsForIdentity():

Invalid identity pool configuration. Check assigned IAM roles for this pool

Here is the code:

const AWS = require('aws-sdk');
const Cognito = new AWS.CognitoIdentity({ region: '<Region>' }); // region of the identity pool

const credentials = await Cognito.getCredentialsForIdentity({
  IdentityId: identity, // received from our backend
  Logins: {
    'cognito-identity.amazonaws.com': openIdToken, // received from our backend
  },
}).promise();

The role assumed by authenticated users has this Trust Relationship set:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

And the OpenID Token generated with the .getOpenIdTokenForDeveloperIdentity() API looks like this:

{
  "sub": "<User Identity ID>",
  "aud": "<Identity Pool ID>",
  "amr": [
    "authenticated",
    "<our custom Provider Name, e.g. example.com>",
    "<Custom Provider Name>:<Region>:<Identity Pool ID>:<User ID of our backend>"
  ],
  "https://aws.amazon.com/tags": {
    "principal_tags": {
      "userType": ["client"]
    }
  },
  "iss": "https://cognito-identity.amazonaws.com",
  "https://cognito-identity.amazonaws.com/identity-pool-arn": "<Identity Pool ARN>",
  "exp": 1615736591,
  "iat": 1615650191
}

We can't figure out what we are doing wrong. We believe we have done all the steps as they are documented...

vacum
asked 3 years ago · 642 views
3 Answers
0

After almost a day... the problem turned out to be "PrincipalTags".

const AWS = require('aws-sdk');
const Cognito = new AWS.CognitoIdentity({ region: '<Region>' }); // region of the identity pool

const cognitoResponse = await Cognito.getOpenIdTokenForDeveloperIdentity({
  IdentityPoolId: '<Identity Pool ID>',
  IdentityId: '<Identity ID>',
  Logins: {
    '<provider name>': userId,
  },
  PrincipalTags: { // THIS IS THE ISSUE
    'userType': 'client',
  },
  TokenDuration: 86400,
}).promise();

I don't know why, but I got it working by removing it ...

vacum
answered 3 years ago
  • Ran into the same issue.

    After some playing around, I found that I could provide standard tag values (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html), but providing custom tags results in the same error you received. I believe you'd need to update your trust policy to allow both "sts:AssumeRoleWithWebIdentity" and "sts:TagSession".

    If anyone figures out how to add custom attributes, please let me know. Tried it multiple ways, and every time received the same error.

  • Hmm.. I just tried it today and custom tags worked just fine. I do have "sts:TagSession" in my Trusted entities, but I also had that the last time I attempted this when it didn't work. The only thing I can think of that might be different between then and now is either that something was being cached in my session, or AWS made a fix on their end to support it.

0

I also faced the same issue. It seems that sts:TagSession must be allowed for getCredentialsForIdentity. There are details in the document below.

https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/id_session-tags.html

arstkn
answered a year ago
0

You have to modify the trust relationship of the IAM role that is linked to your Identity pool:

  1. Go to Roles
  2. Search for and open the role that is linked to your Identity pool
  3. Click on the "Trust relationships" tab
  4. Add the new action sts:TagSession (the second entry in "Action" below)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html

answered 2 months ago
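The answers above agree on the cause: a token minted with PrincipalTags carries session tags, so the role's trust policy must allow sts:TagSession as well as sts:AssumeRoleWithWebIdentity. The following is an added example, not code from the question or any answer: a preflight check that reads a pool role's trust policy document and reports each reason getCredentialsForIdentity would be refused. The helper names, the placeholder pool ID and the two sample policies are constructed for this example.

```javascript
// Added example: preflight check of a Cognito identity pool role's trust policy.
// Helper names, POOL_ID and the sample policies are constructed, not from the thread.
const COGNITO = 'cognito-identity.amazonaws.com';
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// policy: parsed trust policy JSON; poolId: the pool ID the token's "aud" claim carries;
// usesPrincipalTags: true when the backend passes PrincipalTags when minting the token.
function checkCognitoTrustPolicy(policy, poolId, usesPrincipalTags) {
  const problems = [];
  const stmt = asList(policy.Statement).find((s) =>
    s.Effect === 'Allow' && s.Principal && s.Principal.Federated === COGNITO);
  if (!stmt) return { ok: false, problems: ['no Allow statement for the Cognito principal'] };

  const actions = asList(stmt.Action);
  if (!actions.includes('sts:AssumeRoleWithWebIdentity')) {
    problems.push('missing sts:AssumeRoleWithWebIdentity');
  }
  // Session tags from PrincipalTags require the role to also trust sts:TagSession;
  // without it the assume-role step behind getCredentialsForIdentity is refused
  // with "Invalid identity pool configuration".
  if (usesPrincipalTags && !actions.includes('sts:TagSession')) {
    problems.push('PrincipalTags in use but trust policy lacks sts:TagSession');
  }

  const cond = stmt.Condition || {};
  const aud = (cond.StringEquals || {})[`${COGNITO}:aud`];
  if (aud !== poolId) problems.push(`aud condition ${aud} does not match pool ${poolId}`);
  const amr = asList((cond['ForAnyValue:StringLike'] || {})[`${COGNITO}:amr`]);
  if (!amr.includes('authenticated')) problems.push('amr condition does not allow "authenticated"');
  return { ok: problems.length === 0, problems };
}

// Constructed sample: the question's trust policy, with a placeholder pool ID.
const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
const policyBefore = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: COGNITO },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: {
      StringEquals: { [`${COGNITO}:aud`]: POOL_ID },
      'ForAnyValue:StringLike': { [`${COGNITO}:amr`]: 'authenticated' },
    },
  }],
};
// The fix from the last answer: add sts:TagSession to the Action list.
const policyAfter = JSON.parse(JSON.stringify(policyBefore));
policyAfter.Statement[0].Action = ['sts:AssumeRoleWithWebIdentity', 'sts:TagSession'];
console.log(checkCognitoTrustPolicy(policyBefore, POOL_ID, true).problems);
```

Run it against the document returned by IAM's GetRole (the AssumeRolePolicyDocument field, URL-decoded and parsed) to see the same problem list before changing the trust relationship.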
