Hello,
Your OIDC token can't assume a role! Here are the likely culprits:
- Role Trust Policy: Make sure it allows web identity federation with Cognito from your user pool.
- Identity Pool Mapping: Ensure "Authenticated role" points to the desired role you want users to assume.
- Identity Pool Roles: Double-check both "Unauthenticated role" and "Authenticated role" are defined.
AWS Documentation: Getting Started with Cognito Identity Pools: https://aws.amazon.com/cognito/getting-started/
Check Role Permissions: Ensure that the IAM role associated with your identity pool has the sts:AssumeRoleWithWebIdentity permission for the OIDC provider.
Verify Trust Relationship Policy: Confirm that the trust relationship policy of the role allows the OIDC provider (Amazon Cognito) to assume the role. Include the OIDC provider’s ARN in the policy.
Validate OIDC Token: Make sure the OIDC token is valid and correctly formatted. Any issues with the token can cause role assumption failures.
Review Identity Pool Configuration: Double-check the identity pool configuration. Ensure that the assigned IAM roles are correctly associated with the pool and that the ARN format is accurate.
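A check for the trust relationship both answers above point at, added here as an example and not taken from either reply: it verifies that a role's trust policy lets a Cognito identity pool's authenticated identities call `sts:AssumeRoleWithWebIdentity` (the federated principal for identity pools is `cognito-identity.amazonaws.com`) and flags the two condition keys (`:aud` and `:amr`) whose absence makes the role assumable from any pool or by unauthenticated identities. The sample policy and pool ID below are constructed placeholders.

```python
# Constructed sample trust policy for an identity pool's "Authenticated role"
# (placeholder pool ID; not a policy from the original thread).
COGNITO = "cognito-identity.amazonaws.com"
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{COGNITO}:aud": POOL_ID},
            "ForAnyValue:StringLike": {f"{COGNITO}:amr": "authenticated"},
        },
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_cognito_trust(policy, pool_id):
    """Return a list of findings; an empty list means the authenticated
    identities of `pool_id` can assume the role and nobody broader can."""
    findings = []
    matched = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        if COGNITO not in _as_list(st.get("Principal", {}).get("Federated", [])):
            continue  # some other federated provider; not the identity pool
        matched = True
        cond = st.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{COGNITO}:aud", []))
        if pool_id not in aud:
            findings.append("aud condition missing or wrong: role is assumable from any identity pool")
        # Cognito generates ForAnyValue:StringLike; accept StringEquals too.
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO}:amr", [])) \
            + _as_list(cond.get("ForAnyValue:StringEquals", {}).get(f"{COGNITO}:amr", []))
        if "authenticated" not in amr:
            findings.append("amr condition missing: unauthenticated identities could assume this role")
    if not matched:
        findings.append("no Allow statement lets cognito-identity.amazonaws.com call sts:AssumeRoleWithWebIdentity")
    return findings
```

Run it against the trust policy pulled with `aws iam get-role` to see which of the three answer points applies before touching the identity pool mapping.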