Error while getting AWS Credentials through "GetId" -> "GetCredentialsForIdentityCommand" using Google id_token


I am trying to authenticate users through their Gmail account using Identity Pool. I am successfully able to get Google id_token from Google but when I try to get AWS credentials after following this authentication flow doc, it gives me "Token is not from a supported provider of this identity pool." error. I've also tried calling "AssumeRoleWithWebIdentity" but I get "Not authorized to perform sts:AssumeRoleWithWebIdentity" error. This is the curl command I've used for GetID

curl --location 'https://cognito-identity.us-east-1.amazonaws.com' \
--header 'Content-Type: application/x-amz-json-1.1' \
--header 'X-Amz-Target: AWSCognitoIdentityService.GetId' \
--data '{
    "IdentityPoolId": "us-east-1:<IDENTITY_POOL_ID>",
    "Logins": {
        "accounts.google.com": "<GOOGLE_ID_TOKEN>"
    }
}'

I get "Token is not from a supported provider of this identity pool." error for this.

This is the curl command I've used for AssumeRoleWithWebIdentity

curl --location 'https://sts.amazonaws.com' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'Action=AssumeRoleWithWebIdentity' \
--data-urlencode 'RoleArn=arn:aws:iam::<ACCOUNT_ID>:role/service-role/<ROLE_NAME>' \
--data-urlencode 'RoleSessionName=Mysession' \
--data-urlencode 'WebIdentityToken=<GOOGLE_ID_TOKEN>' \
--data-urlencode 'Version=2011-06-15'

I get "Not authorized to perform sts:AssumeRoleWithWebIdentity" error for this

I've updated the Trust policy to include "accounts.google.com" but still I get this error.

Permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-identity:GetCredentialsForIdentity"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:<IDENTITY_POOL_ID>"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "accounts.google.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "accounts.google.com:aud": "<GOOGLE_WEB_CLIENT_ID>"
                }
            }
        }
    ]
}

I've confirmed multiple times that the Client ID (Web) from Google matches the Client ID on the Identity Pool. The "aud" in the Google id_token also matches the Google and Identity Pool Client ID.

The documentation says that I can authenticate Google users with only Identity Pool, so I have not created any User pool. I am just using Identity Pool to authenticate users.

Can you please help me understand what I am doing wrong and what I should try in order to get AWS credentials?

2 Answers
Accepted Answer

The error you are encountering, "Token is not from a supported provider of this identity pool," indicates an issue with the identity provider setup in your Amazon Cognito Identity Pool. Here are the steps to troubleshoot and resolve this issue:

Key Areas to Focus On:

Correct Identity Provider Configuration: Ensure that the Google identity provider is correctly added to your Cognito Identity Pool. Check that the Google Client ID in the Cognito Identity Pool settings exactly matches the Google Client ID from the Google Developer Console.

Correct Permissions in IAM and Role Trust Policy: Make sure that the IAM role trust policy includes the correct setup to allow sts:AssumeRoleWithWebIdentity for Google and Cognito Identity.

Use the Right Token (Google ID Token): Double-check that the Google ID token you are passing is valid and correctly formatted. The aud claim of the token must match the Google Client ID you've configured in the Cognito Identity Pool.

Detailed Troubleshooting Steps:

  1. Verify Identity Pool Settings in Cognito: Go to the Cognito Console > Manage Identity Pools > select your Identity Pool. Under Identity Providers, ensure that Google is listed as one of the providers. Confirm that the Google Client ID is correct. If there are any discrepancies, update the Google Client ID to match the one in the Google Developer Console.

  2. Check Google Token Format: Use JWT.io to decode the Google ID token and check if the aud claim matches your Google Client ID.

  3. IAM Role and Trust Policy:

    a. Trust Policy: Make sure the trust policy is correctly configured for both Cognito and Google.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "cognito-identity.amazonaws.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "cognito-identity.amazonaws.com:aud": "us-east-1:<IDENTITY_POOL_ID>"
                    },
                    "ForAnyValue:StringLike": {
                        "cognito-identity.amazonaws.com:amr": "authenticated"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "accounts.google.com"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "accounts.google.com:aud": "<GOOGLE_WEB_CLIENT_ID>"
                    }
                }
            }
        ]
    }

    The second statement allows the Google identity token to be accepted. Ensure that the audience (aud) field is correct.

    b. Permissions: Add appropriate permissions to the IAM role to allow access to the Cognito Identity Pool.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cognito-identity:GetId",
                    "cognito-identity:GetCredentialsForIdentity"
                ],
                "Resource": "*"
            }
        ]
    }

  4. AWS Cognito Flow: Use this flow for authenticating with Google through Cognito Identity Pool:

    • Get the Google ID token after successful sign-in with Google.
    • Use the GetId API to exchange the Google ID token for a Cognito Identity ID.
    • Use GetCredentialsForIdentity to exchange the Identity ID for temporary AWS credentials.

  5. AssumeRoleWithWebIdentity: If you're using AssumeRoleWithWebIdentity directly (bypassing Cognito), ensure that your IAM role has permissions to allow this action, and the trust policy allows Google ID tokens. Example of the request:

    curl --location 'https://sts.amazonaws.com' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'Action=AssumeRoleWithWebIdentity' \
    --data-urlencode 'RoleArn=arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>' \
    --data-urlencode 'RoleSessionName=Mysession' \
    --data-urlencode 'WebIdentityToken=<GOOGLE_ID_TOKEN>' \
    --data-urlencode 'Version=2011-06-15'

    Ensure the role's trust policy allows this action and has the proper Google audience (aud).

  6. Additional Debugging Steps: Use AWS CloudWatch logs to debug any IAM permission issues. Ensure the identity pool has been fully propagated after any updates (this may take a few minutes).

answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thank you for responding to my issue!

    After trying it again today, it works. "(this may take a few minutes)" at the bottom solved my problem. All I had to do was wait for some time after making the changes in Roles and Policy and try again.


Based on the information provided, there are a few potential issues that could be causing the errors you're encountering:

  1. For the "GetId" request: The error "Token is not from a supported provider of this identity pool" suggests that the identity pool may not be properly configured to accept Google as an authentication provider. Make sure that you have added Google as an authentication provider in your identity pool settings in the AWS Console.

  2. For the "AssumeRoleWithWebIdentity" request: The error "Not authorized to perform sts:AssumeRoleWithWebIdentity" indicates that the role you're trying to assume doesn't have the necessary permissions or trust relationship set up correctly.

Here are some steps to troubleshoot and resolve these issues:

  1. Double-check your identity pool configuration:

    • Ensure that Google is added as an authentication provider in your identity pool settings.
    • Verify that the Google Client ID in the identity pool settings matches exactly with your Google Web Client ID.
  2. Review your IAM role trust policy:

    • Your trust policy looks mostly correct, but make sure the "cognito-identity.amazonaws.com:aud" value exactly matches your identity pool ID.
    • Ensure that the "accounts.google.com:aud" value in the trust policy matches your Google Web Client ID.
  3. Use the enhanced authentication flow: Instead of calling "AssumeRoleWithWebIdentity" directly, try using the enhanced authentication flow with "GetCredentialsForIdentity". This API is designed to work more seamlessly with Cognito Identity pools. The flow should be:

    a. Call "GetId" to obtain an identity ID.
    b. Use the obtained identity ID to call "GetCredentialsForIdentity".

    Here's an example of how the "GetCredentialsForIdentity" call might look:

    curl --location 'https://cognito-identity.us-east-1.amazonaws.com' \
    --header 'Content-Type: application/x-amz-json-1.1' \
    --header 'X-Amz-Target: AWSCognitoIdentityService.GetCredentialsForIdentity' \
    --data '{
        "IdentityId": "<IDENTITY_ID_FROM_GET_ID>",
        "Logins": {
            "accounts.google.com": "<GOOGLE_ID_TOKEN>"
        }
    }'
    
  4. Check your Google ID token: Ensure that your Google ID token is valid and not expired. You can decode the token at jwt.io to verify its contents and expiration.

  5. Verify your identity pool's IAM roles: Make sure that your identity pool has both authenticated and unauthenticated roles set up, and that these roles have the necessary permissions to access the AWS resources you need.

If you've verified all these points and are still encountering issues, you may need to review your AWS CloudTrail logs for more detailed error messages or contact AWS Support for further assistance.
Sources
GetCredentialsForIdentity - Amazon Cognito Federated Identities
Identity pools authentication flow - Amazon Cognito
AWS Identity and Access Management (IAM) Best Practices - Amazon Web Services
AssumeRoleWithWebIdentity - AWS Security Token Service
GetId - Amazon Cognito Federated Identities

answered 2 months ago
EXPERT
reviewed 2 months ago
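The GetId, then GetCredentialsForIdentity flow that both answers describe, as an added example (not code from the question or either answer) in Python against the boto3 cognito-identity client: it first checks the token's iss, aud and exp claims that the answers tell you to inspect on jwt.io, then performs the two calls with the same Logins map. FakeCognitoClient and make_unsigned_token are constructed stand-ins so it runs offline; in a real run pass boto3.client("cognito-identity", region_name="us-east-1") as the client.

```python
import base64
import json
import time

GOOGLE_PROVIDER = "accounts.google.com"  # the Logins key Cognito expects for Google tokens

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def check_google_token(id_token, expected_client_id, now=None):
    """Pre-flight claim check (no signature check here; Cognito verifies that server side).
    iss must be Google, aud must equal the Google Web Client ID configured on the
    identity pool, and exp must be in the future."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        raise ValueError("iss is not Google: %r" % claims.get("iss"))
    if claims.get("aud") != expected_client_id:
        raise ValueError("aud %r does not match the identity pool client ID %r"
                         % (claims.get("aud"), expected_client_id))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def get_aws_credentials(client, identity_pool_id, id_token, expected_client_id):
    """Enhanced flow: GetId, then GetCredentialsForIdentity with the same Logins map.
    `client` is a boto3 cognito-identity client or any object with the same two methods."""
    check_google_token(id_token, expected_client_id)
    logins = {GOOGLE_PROVIDER: id_token}
    identity_id = client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]
    return identity_id, creds

# Constructed stand-ins so the flow can be exercised offline (not real Google or AWS data).
def make_unsigned_token(claims):
    """JWT-shaped string with a dummy signature, for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))

class FakeCognitoClient:
    """Mimics the two boto3 calls; rejects a Logins map without the Google provider key."""
    def get_id(self, IdentityPoolId, Logins):
        if GOOGLE_PROVIDER not in Logins:
            raise RuntimeError("Token is not from a supported provider of this identity pool.")
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":fake-identity-id"}
    def get_credentials_for_identity(self, IdentityId, Logins):
        return {"IdentityId": IdentityId, "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretKey": "s", "SessionToken": "t"}}
```

The returned Credentials map uses Cognito's field names (AccessKeyId, SecretKey, SessionToken), so map SecretKey to aws_secret_access_key when handing them to another AWS client.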
