action geo:GetPlace not recognizable for IAM policy

0

Currently working on an app that uses the Amazon Location Service.

Everything is working well, from rendering the map to autocomplete and reverse geocoding.

But I would like to use the results from autocomplete by calling the method geo:GetPlace with a PlaceIndex and PlaceId. The function is being called successfully with the correct parameters, but it returns a 403 error saying that the user is not authorized to perform the action geo:GetPlace. I have configured the IAM policy using Cognito and it has the appropriate actions and resources. But when I try to enter geo:GetPlace, I get an error that it is not recognizable. Does anyone know how to enter this action in the IAM policy?

Here is the error:

AccessDeniedException: User: arn:aws:sts::58*******976:assumed-role/Cognito_*************Management_***/CognitoIdentityCredentials is not authorized to perform: geo:GetPlace on resource: arn:aws:geo:ap-southeast-1:58*****65976:*

Here is my code:

    const AWS = require("aws-sdk");

    const identityPoolId = "ap-southeast-1:*******-6dcb-***-ad06-*******";

    // the identity pool id is prefixed with its region
    AWS.config.region = identityPoolId.split(":")[0];

    // instantiate an Amazon Cognito-backed credential provider
    const credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: identityPoolId,
    });

    const location = new AWS.Location({ credentials, region: AWS.config.region });

    // curried so getLocation(placeID) can be passed directly as an event handler
    const getLocation = (placeID) => () => {
      console.log("getting place..");
      console.log(placeID);

      let params = {
        IndexName: "IndexGrabber",
        PlaceId: placeID,
      };

      location.getPlace(params, function (err, data) {
        if (err) console.log(err.stack);
        console.log(data);
      });
    };

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "geo:SearchPlaceIndexForText",
                "geo:SearchPlaceIndexForSuggestions",
                "geo:GetMap*",
                "geo:SearchPlaceIndexForPosition"
            ],
            "Resource": [
                "arn:aws:geo:ap-southeast-1:************:place-index/HEREGrabber",
                "arn:aws:geo:ap-southeast-1:************:place-index/LocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/LocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/GreyLocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/HEREGrabber"
            ],
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://localhost:*/*",
                        "http://jularbs.com:*/*",
                        "http://*******.herokuapp.com/*"
                    ]
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "geo:GetPlace",
            "Resource": [
                "arn:aws:geo:ap-southeast-1:************:place-index/HEREGrabber",
                "arn:aws:geo:ap-southeast-1:************:place-index/LocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/LocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/GreyLocationGrabber",
                "arn:aws:geo:ap-southeast-1:************:map/HEREGrabber"
            ],
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://localhost:*/*",
                        "http://jularbs.com:*/*",
                        "http://*******.herokuapp.com/*"
                    ]
                }
            }
        }
    ]
}
3 Answers
3

@jularbs I successfully called GetPlace using an unauthenticated Cognito pool. I tried the steps you've mentioned with the following IAM policy. Please let me know if it works for you.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PlacesReadOnly",
            "Effect": "Allow",
            "Action": [
                "geo:SearchPlaceIndex*",
                "geo:GetPlace"
            ],
            "Resource": "arn:aws:geo:us-east-1:************:place-index/*"
        }
    ]
}

Here's the (greatly simplified) code I'm using to call GetPlace:

const AWS = require('aws-sdk')
AWS.config.update({ region: 'us-east-1' })

const credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:********-****-****-****-************'
})

const location = new AWS.Location({
  credentials,
  region: AWS.config.region || 'us-east-1'
})

// placeholders: substitute your place index name and the text to search for
const indexName = '<place-index-name>'
const searchText = '<search text>'

async function main () {
  // the suggestions carry a PlaceId, which GetPlace then resolves to full place details
  const suggestions = await location.searchPlaceIndexForSuggestions({ IndexName: indexName, Text: searchText }).promise()
  const placeID = suggestions.Results[0].PlaceId
  const place = await location.getPlace({ IndexName: indexName, PlaceId: placeID }).promise()
  console.log(place)
}

main()
AWS
patyuk
answered a year ago
  • Thanks patyuk!

0

Error

Having a look at the error:

"AccessDeniedException: User: arn:aws:sts::58*******976:assumed-role/Cognito_*************Management_***/CognitoIdentityCredentials is not authorized to perform: geo:GetPlace on resource: arn:aws:geo:ap-southeast-1:58*****65976:*",

it looks like the role associated with the Cognito identity pool doesn't have permission to perform the action, or doesn't satisfy the condition in the permission policy attached to it.

Replication

Using the below permission policy, I was able to get place ID details:

CLI: aws location get-place --index-name explore.place --place-id AQAAAIw...QWQ

IAM Policy used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "geo:GetPlace"
            ],
            "Resource": "arn:aws:geo:*:0123456789:place-index/*",
            "Condition": {
                "StringLikeIfExists": {
                    "aws:Referer": "http://localhost:*/*"
                }
            }
        }
    ]
}

Summary

In regard to your issue, it would require some troubleshooting in order to isolate the issue here. There can be multiple avenues to look at the issue:

  • Is the condition criteria met?
  • Is there any SCP restricting the action?
  • Check error logs to verify the error

That being said, I can see that you have associated the global condition "aws:Referer", so kindly make sure that the request sent does indeed carry a referrer as included in the IAM policy. The aws:referer request context value is provided by the caller in an HTTP header. The Referer header is included in a web browser request when you select a link on a web page. Please note that when you perform the action by typing the URL into your browser, aws:referer is not present. When you invoke the API directly, aws:referer is also not present.

Having said that, I would recommend using the permission policy shared above and seeing if it works for you. You may also try to remove the condition to isolate the issue. If it still doesn't work for you, I would recommend reaching out to our "Amazon Location Service" team through a support case to further troubleshoot, as it would require some tests to be performed in order to narrow down the issue here.

Thank you.

AWS
SUPPORT ENGINEER
Varun
answered 2 years ago
  • While editing my IAM policy, I am getting this error: "Ln 10, Col 16: Invalid Action: The action geo:GetPlace does not exist." Do I ignore this error?

  • Yes, you may ignore that error.

  • Still getting the same error; removed the referer to be sure. Tried using geo:* in actions, still no use. Also tried using All Resources, still no use. I am using the same IdentityPool for all actions. GetMap* and SearchPlaceIndexFor* work but GetPlace doesn't.

    If it may help, the action geo:GetPlace is not defined by Amazon Location based on https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html

    Is geo:GetPlace unusable at the moment?
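The answer above turns on how `StringLike` and `StringLikeIfExists` treat a request with no Referer header (a direct API or CLI call). The following is an added example, not code from the question or the answers and not the real IAM engine: a small evaluator covering only the policy features seen on this page (Allow statements, `*` wildcards, and those two operators on `aws:Referer`), with constructed policies that mirror the question's and the answer's shapes and a placeholder account id.

```javascript
// Minimal IAM-style evaluator: Allow statements, "*"/"?" wildcards, StringLike
// and StringLikeIfExists. Condition keys are matched exactly (real IAM is
// case-insensitive) and explicit Deny is not modelled, since none of the
// policies on this page use it.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                  // IAM "*" matches any run of characters
    .replace(/\?/g, '.');                  // IAM "?" matches one character
  return new RegExp('^' + escaped + '$');
}

const asList = (v) => (Array.isArray(v) ? v : [v]);
const matchesAny = (patterns, value) => asList(patterns).some((p) => globToRegExp(p).test(value));

// Evaluate a Condition block against the request context (key -> string or undefined).
function conditionMatches(condition, context) {
  if (!condition) return true;
  for (const [operator, keys] of Object.entries(condition)) {
    for (const [key, patterns] of Object.entries(keys)) {
      const value = context[key];
      if (value === undefined) {
        // "...IfExists" passes when the key is absent; plain StringLike fails.
        if (operator.endsWith('IfExists')) continue;
        return false;
      }
      if (!matchesAny(patterns, value)) return false;
    }
  }
  return true;
}

// True if some Allow statement grants `action` on `resource` under `context`.
function isAllowed(policy, action, resource, context = {}) {
  return policy.Statement.some((s) =>
    s.Effect === 'Allow' &&
    matchesAny(s.Action, action) &&
    matchesAny(s.Resource, resource) &&
    conditionMatches(s.Condition, context));
}

// Constructed policies shaped like the question's (StringLike) and the answer's
// (StringLikeIfExists); 000000000000 is a placeholder account id.
const questionPolicy = { Statement: [{ Effect: 'Allow', Action: 'geo:GetPlace',
  Resource: 'arn:aws:geo:ap-southeast-1:000000000000:place-index/*',
  Condition: { StringLike: { 'aws:Referer': ['http://localhost:*/*'] } } }] };
const answerPolicy = { Statement: [{ Effect: 'Allow', Action: ['geo:GetPlace'],
  Resource: 'arn:aws:geo:*:000000000000:place-index/*',
  Condition: { StringLikeIfExists: { 'aws:Referer': 'http://localhost:*/*' } } }] };
const placeIndex = 'arn:aws:geo:ap-southeast-1:000000000000:place-index/LocationGrabber';
```

Calling `isAllowed(questionPolicy, 'geo:GetPlace', placeIndex)` with an empty context models the CLI/direct-API case the answer describes and is denied, while the same call against `answerPolicy` is allowed; supplying a matching `aws:Referer` allows both.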

0

Just an FYI, GetPlace didn't work via Cognito with the IAM policy indicated above, but using an AWS Access Key and Secret Key for credentials worked for me. I just set my AWS config with:

AWS.config.credentials = { accessKeyId: process.env.AWS_ACCESS_KEY_ID, secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY, };

Then I create the location object as usual:

const location = new AWS.Location({ region: AWS.config.region, });

But I still use my Cognito identity pool for my map initialization.

jularbs
answered 2 years ago
