**Role Assignment via Cognito Groups:** You have created a Cognito user group (BetaWhiteListReadAccess) and associated it with an IAM role (BetaWhiteListReadAccess) that grants permissions to access DynamoDB.
**Identity Pool and Role Resolution:** You've configured an identity pool to use an existing IAM role (BasicAuthRole) for authenticated users from the Cognito user pool. You expect users from the Cognito group (BetaWhiteListReadAccess) to assume the BetaWhiteListReadAccess role when accessing AWS resources.
**STS GetCredentialsForIdentity Issue:** After obtaining credentials using GetCredentialsForIdentity and configuring AWS CLI profiles, you're seeing that the assumed role (BasicAuthRole) from the identity pool is used instead of the expected group role (BetaWhiteListReadAccess).
**Access Denied Error:** When attempting to access DynamoDB using the assumed role (BasicAuthRole), you're encountering an AccessDeniedException because the role does not have permissions for DynamoDB operations.

**Resolution Steps**

To resolve these issues and ensure that users from your Cognito group (BetaWhiteListReadAccess) correctly assume the BetaWhiteListReadAccess IAM role, follow these steps:
**Identity Pool Configuration:** Make sure your identity pool is configured to allow users from the Cognito user pool to assume roles based on the preferred_role claim. Ensure the following settings are correctly configured:
- Authenticated role: Use an existing IAM role (BasicAuthRole or another role that allows users to assume roles).
- Role resolution: Choose role with preferred_role claim in tokens.
**Cognito User Pool Group Configuration:** Ensure that users who should have access to the BetaWhiteListReadAccess role are correctly assigned to the BetaWhiteListReadAccess group within the Cognito user pool.
**Verify Cognito Claims:** Verify that when users authenticate, the ID token they receive includes the cognito:preferred_role claim with the value arn:aws:iam::<your-account-id>:role/BetaWhiteListReadAccess.
**STS GetCredentialsForIdentity and AWS CLI Profiles:** Ensure that when using GetCredentialsForIdentity, you correctly handle the credentials received and set up AWS CLI profiles (aws_access_key_id, aws_secret_access_key, aws_session_token).
**Testing Access:** After configuring the above settings, test access to DynamoDB using the AWS CLI with the correct profile (--profile user) that reflects the BetaWhiteListReadAccess role credentials.
**IAM Role Policies:** Review and ensure that the IAM role (BetaWhiteListReadAccess) has the necessary permissions (dynamodb:DescribeTable) attached via an IAM policy. This policy should allow actions on DynamoDB resources as needed.
**Troubleshooting Tips**
- IAM Policy Evaluation: Double-check the IAM policies attached to the BetaWhiteListReadAccess role to ensure they include the necessary permissions for DynamoDB (dynamodb:DescribeTable).
- Cognito Claims: Verify that the preferred_role claim is correctly populated in the ID token for users in the BetaWhiteListReadAccess group.
- AWS CLI Profile: Ensure that the AWS CLI profile (--profile user) used in your commands is correctly configured with the credentials obtained from GetCredentialsForIdentity.
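The "Verify Cognito Claims" step above is the one that usually explains why BasicAuthRole shows up instead of the group role. The following helper, an added example that is not part of the answer above, decodes the payload of an ID token you already hold and reports which group/role claims are missing or point at the wrong ARN; the token, the account id and the role ARN are constructed placeholders, and the decoder does not verify the signature (use it only to inspect your own freshly issued token, not to trust a token from elsewhere).

```python
import base64
import json

ACCOUNT_ID = "123456789012"  # placeholder account id, not a real account
EXPECTED_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BetaWhiteListReadAccess"


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed sample ID token: header.payload.signature. The signature part is a
# placeholder; the code below only decodes the payload and never verifies it.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed-kid"}),
    _b64url({
        "sub": "constructed-user-id", "token_use": "id",
        "cognito:groups": ["BetaWhiteListReadAccess"],
        "cognito:roles": [EXPECTED_ROLE],
        "cognito:preferred_role": EXPECTED_ROLE,
    }),
    "placeholder-signature",
])


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def explain_role_fallback(claims: dict, expected_role: str) -> list:
    """List the reasons an identity pool set to 'choose role with preferred_role
    claim' would fall back to the default authenticated role (BasicAuthRole)."""
    findings = []
    if not claims.get("cognito:groups"):
        findings.append("no cognito:groups claim: the user is not a member of any group")
    if not claims.get("cognito:roles"):
        findings.append("no cognito:roles claim: the group has no IAM role attached")
    preferred = claims.get("cognito:preferred_role")
    if preferred is None:
        # Cognito omits this claim when the user's groups do not yield a single
        # winning role (for example equal precedence with different role ARNs).
        findings.append("no cognito:preferred_role claim: set group precedence so one role wins")
    elif preferred != expected_role:
        findings.append(f"preferred role is {preferred}, not {expected_role}")
    return findings


def logins_key(region: str, user_pool_id: str) -> str:
    """Provider key for the Logins map passed to GetId / GetCredentialsForIdentity."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"
```

An empty list from `explain_role_fallback` means the token carries the expected claims, so the remaining suspects are the identity pool's role-resolution setting and the trust policy on BetaWhiteListReadAccess.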