How is the right authentication flow using Cognito?

0

Hi,

I'm working on a simple PoC where I just want to explore the capabilities of AWS. Therefore my intention was very simple (I thought): I wanted to build a tiny infrastructure that allows downloading S3 buckets to a Windows machine. So I used Cognito to create a user pool, created a new demo user and also created an app client with the authorization code flow enabled. Afterwards I created a new role which just gives full access to my AWS S3 service (of course just for testing purposes), assigned this role to a group and assigned my demo user to this group. As I was able to receive OAuth 2.0 tokens from Cognito I went over to the next step: build an application in .NET Core 8 which does exactly what I did in Insomnia before: authenticate against Cognito and download an S3 bucket. Of course I could just create an AWS profile on the machine and then just call the S3 SDK, but then all API calls are done with my AWS account. This is exactly NOT what I want. Moreover I want to manage some users, give them access to some buckets and that's it.

So I developed a small application for the taskbar which opens the web browser, redirects the user to the Cognito login page and redirects back to the web server of the app. With the gathered authorization code I then fetched an OAuth 2.0 token using the plain HttpClient class.

But now I'm confused. How should I access the S3 bucket now?

It already took me hours of searching the web to find out that I need to assume a role using the Security Token Service, providing my OAuth 2.0 credentials, and then receive AWS credentials which can then be used to contact S3 using the SDK. So I used the AmazonSecurityTokenServiceClient. But I get an error that I'm "Unable to get IAM security credentials from EC2 Instance Metadata Service". But how does the EC2 service now come into play?

// Get AWS credentials using the identity pool
using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// No credentials are passed to the constructor, so the SDK resolves its default credential
// chain (profile, environment variables and finally the EC2 Instance Metadata Service);
// on a desktop with none of these, that lookup is what produces the
// "Unable to get IAM security credentials from EC2 Instance Metadata Service" error.
AmazonSecurityTokenServiceClient secureTokenService = new AmazonSecurityTokenServiceClient(RegionEndpoint.EUNorth1);
AssumeRoleWithWebIdentityResponse roleResponse = await secureTokenService.AssumeRoleWithWebIdentityAsync(new AssumeRoleWithWebIdentityRequest()
{
	ProviderId = "www.amazon.com",                 // provider id of Login with Amazon, not of a Cognito user pool
	WebIdentityToken = tokenResponse?.AccessToken, // access token from the authorization-code exchange
	RoleArn = "arn:aws:iam::<rand-number>:role/cognito-hello-world",
});

To summarize: I guess I'm kind of lost in the big environment AWS provides. Maybe you can give me a hint or clear up my confusion about it.

Thanks in advance, Dictyosom

1 Answer
0
Accepted Answer

Hey Dictyosom, there are a lot of services to get familiar with, especially around identity. Hopefully these links are helpful.

It sounds like you're looking to directly use your user pool access tokens to access AWS services via STS, and I think the step you're missing is the use of Cognito identity pools.

The typical flow would be to have users authenticate to your user pool, and then retrieve AWS credentials via an Identity Pool. You can find more details about that process in the developer guide here.

When you set the IAM role for a Cognito user pool group, a user in that group can use their access token to authenticate with an Amazon Cognito identity pool and they can receive credentials for the requested role.

AWS
answered 4 months ago
  • Great, thanks! As I'm digging deeper in the AWS infrastructure everything starts to make sense right now.
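The user pool → identity pool → S3 flow the answer describes, written out as an added C# example (not code from the question, the answer or AWS). It assumes an identity pool that has this user pool configured as an identity provider with "choose role from token" enabled, placeholder pool IDs, and that the caller passes the ID token from the authorization-code exchange, which is the token the identity pool's Logins map takes from a user pool provider.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.S3;
using Amazon.S3.Model;

public static class CognitoS3Download
{
    // Placeholder IDs (assumed); substitute the real user pool and identity pool IDs.
    private static readonly RegionEndpoint Region = RegionEndpoint.EUNorth1;
    private const string UserPoolId = "eu-north-1_EXAMPLEPOOL";
    private const string IdentityPoolId = "eu-north-1:00000000-0000-0000-0000-000000000000";
    // idToken is the ID token returned by the authorization-code exchange the question already does.
    public static async Task DownloadBucketAsync(string idToken, string bucketName, string targetDir)
    {
        // Enhanced flow: the identity pool exchanges the user pool token for temporary credentials of
        // the role attached to the user's group (cognito:preferred_role claim). GetId/GetCredentialsForIdentity
        // are unsigned calls, so the default credential chain (and the EC2 metadata lookup) is never consulted.
        var credentials = new CognitoAWSCredentials(IdentityPoolId, Region);
        credentials.AddLogin($"cognito-idp.{Region.SystemName}.amazonaws.com/{UserPoolId}", idToken);
        // Every S3 request is now signed with this user's short-lived, role-scoped credentials, not a local profile.
        using var s3 = new AmazonS3Client(credentials, Region);
        string root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(targetDir));
        Directory.CreateDirectory(root);

        var request = new ListObjectsV2Request { BucketName = bucketName };
        ListObjectsV2Response page;
        do
        {
            page = await s3.ListObjectsV2Async(request);
            foreach (S3Object obj in page.S3Objects ?? Enumerable.Empty<S3Object>())
            {
                if (obj.Key.EndsWith("/")) continue;   // folder marker, nothing to download
                // Object keys are names chosen by whoever writes the bucket: refuse any that would escape targetDir.
                string localPath = Path.GetFullPath(Path.Combine(root, obj.Key));
                if (!localPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.Ordinal)) continue;
                Directory.CreateDirectory(Path.GetDirectoryName(localPath)!);
                using GetObjectResponse response = await s3.GetObjectAsync(bucketName, obj.Key);
                await response.WriteResponseStreamToFileAsync(localPath, false, CancellationToken.None);
            }
            request.ContinuationToken = page.NextContinuationToken;
        } while (page.IsTruncated == true);
    }
}
```

The bucket policy or group role still decides which buckets the user may list and read; the identity pool only turns the user's group membership into credentials for that role.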
