
Questions tagged with Amazon Cognito



I'd like to make requests to S3 using Cognito authentication credentials.

I'd like to make requests to S3 using Cognito authentication credentials. S3 is using the SDK; Cognito is using Amplify. I use Angular with TypeScript. I would like to replace the secret key with the Cognito authentication information when creating the S3 client. I want to access S3 with the user I received from Auth.signIn, but the credentials are missing. I need your help.

```typescript
public signIn(user: IUser): Promise<any> {
  return Auth.signIn(user.email, user.password).then((user) => {
    AWS.config.region = 'ap-northeast-2';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
    });

    // take the ID token out of the Amplify session
    const userSession = Auth.userSession(user);
    const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken'];

    AWS.config.region = 'ap-northeast-2';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
      RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role',
      Logins: {
        CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff',
        idToken: idToken,
      },
    });

    const s3 = new AWS.S3({
      apiVersion: '2012-10-17',
      region: 'ap-northeast-2',
      params: {
        Bucket: 'Bucketname',
      },
    });
    s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken'];

    s3.listObjects(function (err, data) {
      if (err) {
        return alert('There was an error: ' + err.message);
      } else {
        console.log('***********s3List***********', data);
      }
    });
  });
}
```

Bucket policy:

```json
{
  "Version": "2012-10-17",
  "Id": "Policy",
  "Statement": [
    {
      "Sid": "AllowIPmix",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::s3name/*"
    }
  ]
}
```

Cognito role policies - AmazonS3FullAccess:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
```
0 answers, 0 votes, 5 views, asked 24 days ago

Access S3 files from Unity for mobile development

I'm trying to configure the AWS S3 service to download the files included in a bucket using Unity for mobile. I downloaded the SDK package and got it installed. From the AWS console:

- I set up an IAM policy and roles for unauth users
- I created a Cognito Identity Pool and got its id
- I set up the S3 bucket and its policy using the generator, including the **arn:aws:iam::{id}:role/{cognito unauth role}** and the resource **arn:aws:s3:::{bucket name}/***.

In code I set credentials and region and create CognitoAWSCredentials (C# used):

```C#
_credentials = new CognitoAWSCredentials(IdentityPoolId, _CognitoIdentityRegion);
```

then I create the client:

```C#
// the region is the same in _CognitoIdentityRegion
_s3Client = new AmazonS3Client(_credentials, RegionEndpoint.EUCentral1);
```

I then try to use the s3Client to get my files (in bucket subfolders):

```C#
private void GetAWSObject(string S3BucketName, string folder, string sampleFileName, IAmazonS3 s3Client)
{
    string message = string.Format("fetching {0} from bucket {1}", sampleFileName, S3BucketName);
    Debug.LogWarning(message);

    s3Client.GetObjectAsync(S3BucketName, folder + "/" + sampleFileName, (responseObj) =>
    {
        var response = responseObj.Response;
        if (response.ResponseStream != null)
        {
            string path = Application.persistentDataPath + "/" + folder + "/" + sampleFileName;
            Debug.LogWarning("\nDownload path AWS: " + path);
            using (var fs = System.IO.File.Create(path))
            {
                byte[] buffer = new byte[81920];
                int count;
                while ((count = response.ResponseStream.Read(buffer, 0, buffer.Length)) != 0)
                    fs.Write(buffer, 0, count);
                fs.Flush();
            }
        }
        else
        {
            Debug.LogWarning("-----> response.ResponseStream is null");
        }
    });
}
```

At this point I cannot debug into the async method, I don't get any kind of error, I don't get any file downloaded, and I cannot even check whether the connection to AWS S3 has worked in some part of the script. What am I doing wrong? Thanks a lot for the help!
0 answers, 0 votes, 3 views, asked 2 months ago

How to dynamically update the policy of user(Cognito identity) from backend/lambda?

I am building an IoT solution using IoT Core. The end user will be using a mobile app and will be authenticated and authorized using Cognito. I want to authorize users to allow the iot:Publish and iot:Subscribe actions only on the devices that the user owns. The IAM role attached to the Cognito identity pool has only the iot:Connect permission when the user is created. The user won't have any additional permission at this point.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
    }
  ]
}
```

Now, when the user finishes the device provisioning, I want to attach an inline policy to the Cognito identity of that user to authorize him to publish and subscribe to the shadow of that device. Let's assume the ThingName is Thing1, so the policy should be as below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe"
      ],
      "Resource": "arn:aws:iot:region:account-id:topic/$aws/things/Thing1/shadow/*"
    }
  ]
}
```

The user may keep adding new devices and I want to scale this policy to include the resource ARNs of those devices. This is an example for IoT Core, but my question is very generic to IAM policies (e.g. the same can be applied to dynamically allow access to S3 bucket folders).

So, here is my question:

1. What is the best approach for dynamically adding or removing the inline policy granted to the Cognito identity?
2. Can I use the STS service for updating/attaching the policy on my backend/Lambda when new Things are added or removed?

Note:

1. I can use a customer managed policy, but it is not the right approach for granting policies to federated users, as per my knowledge.
2. I know I can use the intelligent naming of the device as mentioned in this approach: https://aws.amazon.com/blogs/iot/scaling-authorization-policies-with-aws-iot-core/ But I have a very basic requirement.
0 answers, 0 votes, 8 views, asked 3 months ago

integrate AWS Cognito with Google Workspace using SAML integration

I have some applications served to my company users on EKS (i.e., Jenkins). In the company we use Google Workspace (GSuite) for email and such. So I want to allow users to log in with Google credentials to those applications I serve. I figured out I could use Cognito to achieve it, but I cannot connect those, and the flow ends with Google showing **403. Error: app_not_configured_for_user**. In their [documentation](https://support.google.com/a/answer/6301076?hl=en) I can find:

> Verify that the value in the saml:Issuer tag in the SAMLRequest matches the Entity ID value configured in the SAML Service Provider Details section in the Admin console. This value is case-sensitive.

But how do I debug it? I do not see any logs from either the AWS or the Google side :/ I [think](https://aws.amazon.com/premiumsupport/knowledge-center/cognito-third-party-saml-idp/) I [followed](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html) all [possible](https://alsmola.medium.com/alb-authentication-with-g-suite-saml-using-cognito-858e35564dc8) guides and I cannot find what I'm doing wrong. I found that Google has [this page](https://support.google.com/a/table/9217027?p=saml_apps&hl=en-GB&visit_id=637824413400944075-2779246935&rd=1) but they do not provide an exact scenario for AWS Cognito. Anyway, all of those are very similar, so I guess I shouldn't have problems, but I do have.

What I did:

- In Google Admin (the one for Workspace) I created a "Web and mobile app" of SAML type
- I downloaded the metadata file
- In the AWS Cognito console I created a User Pool
- I created an IdP provider and uploaded the metadata file there
- I created an application client
- Using those values I filled the **ACS URL** and **Entity ID** fields in Google Admin with:
  - ACS URL: `https://my-domain-i-just-created.auth.us-east-1.amazoncognito.com/saml2/idpresponse`
  - Entity ID: `urn:amazon:cognito:sp:us-east-1_myPoolId`
- I also selected **Name ID format** to be Persisted
- In attribute mapping I mapped the email value to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.
- In AWS Cognito I enabled the Hosted UI and also created a mapping of `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` to the email field.

And now when I click *View Hosted UI* in the AWS console it redirects me to Google authentication and after that directly to the previously mentioned **403 app_not_configured_for_user** page. I tried it 3 times with slightly different configurations of mapping, signed responses, etc., but nothing gets me past that error. Has anyone tried to integrate it?
0 answers, 0 votes, 5 views, asked 3 months ago

AWS IoT test-authorization missing context values

Hello, this is tangentially related to my question here: [Permissions for IoT Things and Cognito User/Identity Pools](https://repost.aws/questions/QUkhT9MqeVR-mysdzKc2YQcA#AN8JHCJ_V2RTq8t38UGEK_IQ). I am trying to understand why my IoT Core policy isn't working as expected using `aws iot test-authorization`, but I am getting this error: `"missingContextValues": ["cognito-identity.amazonaws.com:sub"]`.

Setup

* I have Cognito user ABC, with associated Identity ID `us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb`. This identity has the IoT Core policy `test-policy` (defined below) attached to it. The identity pool ID is `us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b`.
* The IAM policy for the identity pool allows full access to `iot:*`
* IoT Thing named TestThing with the `test-policy` (defined below) attached to it.
* IoT Core policy (named `test-policy`):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:sub": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb"
        }
      }
    }
  ]
}
```

I am running this test:

```shell
aws iot test-authorization \
  --principal us-east-1:xxxxxx-xxxx-xxxx-xxxx-5f7a793d20cb \
  --cognito-identity-pool-id us-east-1:xxxxxxx-xxxx-xxxx-xxxx-fe1a9f14f96b \
  --auth-infos actionType=CONNECT,resources=arn:aws:iot:us-east-1:xxxxxxxxxxxxxxxx:client/ABC
```

However, I am getting this response:

```json
{
  "authResults": [
    {
      "authInfo": {
        "actionType": "CONNECT",
        "resources": [
          "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:client/ABC"
        ]
      },
      "allowed": {
        "policies": []
      },
      "denied": {
        "implicitDeny": {
          "policies": [
            {
              "policyName": "test-policy",
              "policyArn": "arn:aws:iot:us-east-1:xxxxxxxxxxxxx:policy/test-policy"
            }
          ]
        },
        "explicitDeny": {
          "policies": []
        }
      },
      "authDecision": "IMPLICIT_DENY",
      "missingContextValues": [
        "cognito-identity.amazonaws.com:sub"
      ]
    }
  ]
}
```

I would expect this to pass, since the CONNECT action is allowed for everyone. My best guess is that the policy can't properly be evaluated because of the missingContextValues issue, so it returns a deny. When I test this with my Python script, it logs the user in, retrieves credentials and connects to the MQTT server just fine. Is there a way to provide this context value in the `test-authorization` call? Thank you!
0 answers, 0 votes, 4 views, asked 3 months ago