I'm trying to get short-term credentials from STS using fromWebToken in the JavaScript v3 SDK. I'm getting:
InvalidIdentityTokenException: The ID Token provided is not a valid JWT. (You may see this error if you sent an Access Token)
```javascript
const { fromWebToken } = require("@aws-sdk/credential-providers");
const { S3 } = require("@aws-sdk/client-s3");

// Fetch the OIDC ID token from the IdP client's token manager
const getTokenFromIdp = async () => {
  const token = await auth.tokenManager.get("idToken");
  return token.idToken;
};

// Credential provider that exchanges the web identity token for role credentials
const oidcCredentials = fromWebToken({
  roleArn: "arn:aws:iam::2222333344445556:role/OIDCroleReadS3",
  roleSessionName: "session_111",
  durationSeconds: 7200,
  webIdentityToken: getTokenFromIdp(),
});

const s3client = new S3({
  region: "us-east-2",
  credentials: oidcCredentials,
});
```
Here's the decoded JWT:
```json
{
  "sub": "00u3xs70zpX2OiH1n697",
  "name": "Fred Flint",
  "email": "fred.flint@atko.email",
  "ver": 1,
  "iss": "https://cis.demo-connect.us/oauth2/default",
  "aud": "0oa49zm0l8U4WHON5697",
  "iat": 1679326542,
  "exp": 1679330142,
  "jti": "ID.jl6Jdp2W9AQn9PgtoUk70JMSakxkXDzFXhxHkqhPG6I",
  "amr": [
    "swk"
  ],
  "idp": "00o3xs70qnrVWzeJf697",
  "nonce": "PqcXAaUIs6lOLvvddQF6r64eEDBKgrB6veq6B02uP7RjwxatgL4YVlkWtQYpTfEf",
  "preferred_username": "fred.flint@atko.email",
  "auth_time": 1679326540,
  "at_hash": "lBn-EyIp98zRI9FqfAUOlw"
}
```
If I copy the encoded token value from the console log returned from getTokenFromIdp() and hardcode the webIdentityToken property, STS accepts the value. The token value is good when I test it in jwt.io, so I'm confident that it's a valid identity token. Is there some other property check that could be failing that would give me this error message? I've seen a separate error message for audience mismatch, so I don't think that's the problem here.
BTW, in the example at https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_Examples, the WebIdentityToken doesn't look like a JWT. Thanks!
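An added pre-flight check for the value handed to fromWebToken's webIdentityToken (example code, not from the question or the AWS SDK): it awaits the IdP call and verifies the result is a string shaped like an OIDC ID token before any STS request is built. The function names, the sample issuer/audience and the unsigned sample token are assumptions constructed here.

```javascript
// Pre-flight check for fromWebToken({ webIdentityToken }). Runs offline; the
// sample token below is constructed and unsigned (STS, not this code, checks
// the signature). Requires Node 16+ for Buffer's "base64url" encoding.

const REQUIRED_CLAIMS = ["iss", "sub", "aud", "exp", "iat"];

// Decode one base64url-encoded JWT segment into a JSON object.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Report whether `token` is a value STS could parse as a web identity token.
// Never throws; returns { ok, problems, payload }.
function inspectWebIdentityToken(token, { now = Math.floor(Date.now() / 1000), expectedAud } = {}) {
  if (typeof token !== "string") {
    const kind = token instanceof Promise ? "a Promise (await it first)" : typeof token;
    return { ok: false, problems: [`webIdentityToken is ${kind}, not a string`] };
  }
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { ok: false, problems: [`expected 3 dot-separated segments, found ${parts.length}`] };
  }
  let payload;
  try {
    decodeSegment(parts[0]); // header must also be base64url JSON
    payload = decodeSegment(parts[1]);
  } catch {
    return { ok: false, problems: ["header or payload is not base64url-encoded JSON"] };
  }
  const problems = REQUIRED_CLAIMS.filter((c) => !(c in payload)).map((c) => `missing claim "${c}"`);
  if (typeof payload.exp === "number" && payload.exp <= now) problems.push("token is expired");
  if (expectedAud !== undefined && ![].concat(payload.aud).includes(expectedAud)) {
    problems.push(`aud ${JSON.stringify(payload.aud)} does not include ${expectedAud}`);
  }
  return { ok: problems.length === 0, problems, payload };
}

// Await the IdP call and run the check, so a Promise or a malformed value is
// rejected locally instead of being serialized into the AssumeRoleWithWebIdentity request.
// Usage with the SDK (credentials accepts an async provider function):
//   credentials: async () => fromWebToken({ roleArn, roleSessionName,
//     webIdentityToken: await resolveWebIdentityToken(getTokenFromIdp, { expectedAud }) })()
async function resolveWebIdentityToken(getToken, options) {
  const token = await getToken();
  const report = inspectWebIdentityToken(token, options);
  if (!report.ok) throw new Error(`refusing to call STS: ${report.problems.join("; ")}`);
  return token;
}

// Constructed sample: same claim shape as the decoded token above, fake signature segment.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", kid: "sample-kid" }),
  b64url({ iss: "https://idp.example", sub: "user-1", aud: "client-abc", iat: 1679326542, exp: 1679330142 }),
  "fake-signature",
].join(".");
```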