The OIDC token authenticated by the identity pool fails to obtain the corresponding authorization role credentials


I configured an identity pool with an authenticated role generated by default and started the classic authentication process. Then I configured the identity provider as an Amazon Cognito user pool. In the user pool, I created the corresponding users and application clients. The authentication flows of the application client are: ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_PASSWORD_AUTH. The user has been enabled and can log in through initiate-auth and admin-initiate-auth.

Next I use

    aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id CLIENTID --auth-parameters USERNAME=username,PASSWORD=password

to get ID_TOKEN. Then ID_TOKEN is used to pass the authentication of the identity pool:

    aws cognito-identity get-open-id-token --identity-id IDENTITY_ID --logins cognito-idp.ap-southeast-2.amazonaws.com/poolname=ID_TOKEN

And then I got an OIDC token. It's all good up front, and then it's all bad down the road.

The problem then arises when I use this token to assume a role through aws sts assume-role-with-web-identity:

    aws sts assume-role-with-web-identity --role-arn ROLEARN --web-identity-token OIDC_TOKEN --role-session-name test

I get the error: An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

When I change the authentication process and use aws cognito-identity get-credentials-for-identity instead:

    aws cognito-identity get-credentials-for-identity --identity-id IDENTITY_ID --logins cognito-idp.ap-southeast-2.amazonaws.com/poolname=ID_TOKEN

I get the error: An error occurred (InvalidIdentityPoolConfigurationException) when calling the GetCredentialsForIdentity operation: Invalid identity pool configuration. Check assigned IAM roles for this pool.

asked 2 months ago, 226 views
1 Answer
Accepted Answer

Hello,

Your OIDC token can't assume the role. Here are the likely culprits:

  • Role Trust Policy: Make sure it allows web identity federation with Cognito from your user pool.
  • Identity Pool Mapping: Ensure "Authenticated role" points to the desired role you want users to assume.
  • Identity Pool Roles: Double-check both "Unauthenticated role" and "Authenticated role" are defined.

AWS Documentation: Getting Started with Cognito Identity Pools: https://aws.amazon.com/cognito/getting-started/

Check Role Permissions: Ensure that the IAM role associated with your identity pool has the sts:AssumeRoleWithWebIdentity permission for the OIDC provider.

Verify Trust Relationship Policy: Confirm that the trust relationship policy of the role allows the OIDC provider (Amazon Cognito) to assume the role. Include the OIDC provider’s ARN in the policy.

Validate OIDC Token: Make sure the OIDC token is valid and correctly formatted. Any issues with the token can cause role assumption failures.

Review Identity Pool Configuration: Double-check the identity pool configuration. Ensure that the assigned IAM roles are correctly associated with the pool and that the ARN format is accurate.

answered 2 months ago
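The trust-policy and identity-pool checks the answer above lists can be turned into an offline check. The script below is an added example, not code from the question, the answer, or AWS. It assumes the shape of the trust policy the Cognito console generates for an identity pool's authenticated role: a Principal of Federated cognito-identity.amazonaws.com (the OIDC token returned by get-open-id-token is issued by that service, not by the user pool), the action sts:AssumeRoleWithWebIdentity, a StringEquals condition on cognito-identity.amazonaws.com:aud equal to the identity pool ID, and a ForAnyValue:StringLike condition on cognito-identity.amazonaws.com:amr containing "authenticated". Both sample policies and the identity pool ID are constructed placeholders; the second one deliberately trusts the user pool as an IAM OIDC provider instead, which is a policy shape that never matches what Cognito Identity presents and so fails exactly the kind of check the answer describes.

```python
import json
from typing import Any

# Names AWS uses in an identity-pool trust policy.
FEDERATED_PRINCIPAL = "cognito-identity.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"

# Placeholder identity pool ID (assumption; substitute your own pool's ID).
IDENTITY_POOL_ID = "ap-southeast-2:11111111-2222-3333-4444-555555555555"

# Constructed example of a trust policy in the shape the Cognito console
# generates for an authenticated role: trust Cognito Identity, but only for
# this pool and only for authenticated identities.
CORRECT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": FEDERATED_PRINCIPAL},
        "Action": ASSUME_ACTION,
        "Condition": {
            "StringEquals": {AUD_KEY: IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {AMR_KEY: "authenticated"},
        },
    }],
})

# Constructed example of a trust policy that does NOT work for an identity
# pool: it trusts the user pool as an IAM OIDC provider (an ARN that is a
# placeholder here), so cognito-identity.amazonaws.com is never allowed in.
BROKEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/"
                                   "cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE"},
        "Action": ASSUME_ACTION,
        "Condition": {"StringEquals": {
            "cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EXAMPLE:aud": "exampleclientid"}},
    }],
})


def _as_list(value: Any) -> list:
    """IAM accepts either a single string or a list in most policy positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _problems_for_statement(stmt: dict, identity_pool_id: str) -> list[str]:
    """Describe everything that stops one Allow statement from matching what
    Cognito Identity presents for an authenticated identity of this pool."""
    problems = []
    principal = stmt.get("Principal")
    federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
    if FEDERATED_PRINCIPAL not in federated:
        problems.append(f"Principal.Federated is {federated or principal!r}; expected {FEDERATED_PRINCIPAL}")
    cond = stmt.get("Condition") or {}
    aud = _as_list((cond.get("StringEquals") or {}).get(AUD_KEY))
    if identity_pool_id not in aud:
        problems.append(f"{AUD_KEY} is {aud or 'missing'}; expected {identity_pool_id}")
    amr = _as_list((cond.get("ForAnyValue:StringLike") or {}).get(AMR_KEY))
    if "authenticated" not in amr:
        problems.append(f"{AMR_KEY} is {amr or 'missing'}; expected 'authenticated'")
    return problems


def check_trust_policy(policy_document: str, identity_pool_id: str) -> list[str]:
    """Return a list of findings; an empty list means at least one statement
    lets Cognito Identity vend credentials for authenticated users of the pool."""
    policy = json.loads(policy_document)
    candidates = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and ASSUME_ACTION in _as_list(s.get("Action"))
    ]
    if not candidates:
        return [f"no Allow statement grants {ASSUME_ACTION}"]
    findings = []
    for idx, stmt in enumerate(candidates):
        problems = _problems_for_statement(stmt, identity_pool_id)
        if not problems:
            return []  # one fully matching statement is enough
        findings.extend(f"statement {idx}: {p}" for p in problems)
    return findings


if __name__ == "__main__":
    for name, doc in (("correct", CORRECT_TRUST_POLICY), ("broken", BROKEN_TRUST_POLICY)):
        print(name, check_trust_policy(doc, IDENTITY_POOL_ID) or "OK")
```

To run it against a real role, feed it the output of aws iam get-role (the AssumeRolePolicyDocument field, URL-decoded) together with the identity pool ID from aws cognito-identity describe-identity-pool, and compare the role ARN from aws cognito-identity get-identity-pool-roles with the role you actually edited; a policy that passes here but a pool still returning InvalidIdentityPoolConfigurationException usually means the pool's authenticated role is a different role than the one you fixed.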
