Cannot get developer authenticated identities to work

0

We have set up an Identity Pool with our own custom provider. On our backend (node sdk v2), we are calling .getOpenIdTokenForDeveloperIdentity() and we are successfully getting back OpenID tokens for our users.

But then, both with iOS SDK (using AWSCore from Mobile SDK) and with a JS Client, we are receiving this error when calling .getCredentialsForIdentity():

Invalid identity pool configuration. Check assigned IAM roles for this pool

Here is the code:

await Cognito.getCredentialsForIdentity({
  IdentityId: identity, // received from our backend
  Logins: {
    'cognito-identity.amazonaws.com': openIdToken, // received from our backend
  },
}).promise();

The role assumed by authenticated users has this trust relationship set:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

And the OpenID Token generated with the .getOpenIdTokenForDeveloperIdentity() API looks like this:

{
  "sub": "<User Identity ID>",
  "aud": "<Identity Pool ID>",
  "amr": [
    "authenticated",
    "<our custom Provider Name, e.g. example.com>",
    "<Custom Provider Name>:<Region>:<Identity Pool ID>:<User ID of our backend>"
  ],
  "https://aws.amazon.com/tags": {
    "principal_tags": {
      "userType": ["client"]
    }
  },
  "iss": "https://cognito-identity.amazonaws.com",
  "https://cognito-identity.amazonaws.com/identity-pool-arn": "<Identity Pool ARN>",
  "exp": 1615736591,
  "iat": 1615650191
}

We can't figure out what we are doing wrong. We believe we have followed all the steps as they are documented...

vacum
asked 3 years ago, 663 views
3 answers
0

After almost a day.... the problem turned out to be "PrincipalTags".

const cognitoResponse = await Cognito.getOpenIdTokenForDeveloperIdentity({
  IdentityPoolId: '<Identity Pool ID>',
  IdentityId: '<Identity ID>',
  Logins: {
    '<provider name>': userId,
  },
  PrincipalTags: { // THIS IS THE ISSUE
    'userType': 'client',
  },
  TokenDuration: 86400,
}).promise();

I don't know why, but I got it working by removing it ...

vacum
answered 3 years ago
  • Ran into the same issue.

    After some playing around, I found that I could provide standard tag values (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html), but providing custom tags results in the same error you received. I believe you'd need to update your trust policy to allow both "sts:AssumeRoleWithWebIdentity" and "sts:TagSession".

    If anyone figures out how to add custom attributes, please let me know. Tried it multiple ways, and every time received the same error.

  • Hmm.. I just tried it today and custom tags worked just fine. I do have "sts:TagSession" in my Trusted entities, but I also had that the last time I attempted this when it didn't work. The only thing I can think of that might be different between then and now is either that something was being cached in my session, or AWS made a fix on their end to support it.

0

I also faced the same issue. It seems that sts:TagSession must be allowed for getCredentialsForIdentity. There are details in the document below.

https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/id_session-tags.html

arstkn
answered 1 year ago
0

You have to modify the trust relationship of the IAM role that is linked to your identity pool:

  1. Go to Roles
  2. Search for and open the role that is linked to your identity pool
  3. Click on the "Trust relationships" tab
  4. Add the new action sts:TagSession next to sts:AssumeRoleWithWebIdentity

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html

answered 3 months ago
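Added example (not code from the question or from any of the answers above): a static pre-flight check that ties the two fixes in this thread together. It decodes the claims of the OpenID token the backend received from getOpenIdTokenForDeveloperIdentity(), compares them with the trust policy of the authenticated role, and reports why getCredentialsForIdentity() would be refused: a token that carries principal tags (the PrincipalTags case from the first answer) against a trust policy that only allows sts:AssumeRoleWithWebIdentity fails, and the same token passes once sts:TagSession is added as in the last answer. The policy evaluation is a deliberately small model of the conditions visible on this page (aud, amr and the TagSession requirement), not AWS's evaluation logic; STS remains the authority. The identity pool ID, identity ID and token in the sample are constructed placeholders, and the sample token is unsigned.

```javascript
// Added example, not code from the question or any answer on this page. It is a
// static pre-flight check modelled on the conditions shown in this thread; the
// evaluation rules are an assumption, not AWS's own code. Plain Node.js, no SDK.

const COGNITO = 'cognito-identity.amazonaws.com';
const TAGS_CLAIM = 'https://aws.amazon.com/tags';

// Decode a JWT payload without verifying the signature. Local inspection only:
// unverified claims must never drive an authorization decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// IAM StringLike semantics: '*' matches any run of characters, '?' exactly one.
function globToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Map the condition keys used on this page onto token claims.
function claimValues(key, claims) {
  if (key === `${COGNITO}:aud`) return asList(claims.aud);
  if (key === `${COGNITO}:amr`) return asList(claims.amr || []);
  return [];
}

// Returns { allowed, reasons } for one decoded token against one trust policy.
function checkTrustPolicy(policy, claims) {
  const reasons = [];
  const tags = (claims[TAGS_CLAIM] || {}).principal_tags || {};
  const needsTagSession = Object.keys(tags).length > 0;

  const candidates = asList(policy.Statement).filter(
    (s) => s.Effect === 'Allow' && s.Principal && s.Principal.Federated === COGNITO,
  );
  if (candidates.length === 0) {
    return { allowed: false, reasons: [`no Allow statement with Principal.Federated = ${COGNITO}`] };
  }

  for (const stmt of candidates) {
    const actions = asList(stmt.Action);
    if (!actions.includes('sts:AssumeRoleWithWebIdentity')) {
      reasons.push('statement lacks sts:AssumeRoleWithWebIdentity');
      continue;
    }
    if (needsTagSession && !actions.includes('sts:TagSession')) {
      reasons.push(`token carries principal tags (${Object.keys(tags).join(', ')}) but statement lacks sts:TagSession`);
      continue;
    }
    const cond = stmt.Condition || {};
    let ok = true;
    for (const [key, want] of Object.entries(cond.StringEquals || {})) {
      const have = claimValues(key, claims);
      if (!asList(want).some((w) => have.includes(w))) {
        ok = false;
        reasons.push(`StringEquals ${key}: token has [${have}] but policy wants [${asList(want)}]`);
      }
    }
    for (const [key, want] of Object.entries(cond['ForAnyValue:StringLike'] || {})) {
      const have = claimValues(key, claims);
      const patterns = asList(want).map(globToRegExp);
      if (!have.some((h) => patterns.some((re) => re.test(h)))) {
        ok = false;
        reasons.push(`ForAnyValue:StringLike ${key}: none of [${have}] matches [${asList(want)}]`);
      }
    }
    if (ok) return { allowed: true, reasons: [] };
  }
  return { allowed: false, reasons };
}

// Constructed sample data: placeholder IDs, and an unsigned token with the claim
// layout shown in the question (the signature segment is a dummy string).
const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000'; // placeholder
function makeSampleToken(withTags) {
  const payload = {
    sub: 'us-east-1:11111111-1111-1111-1111-111111111111', // placeholder identity ID
    aud: POOL_ID,
    amr: ['authenticated', 'example.com', `example.com:us-east-1:${POOL_ID}:backend-user-42`],
    iss: `https://${COGNITO}`,
    exp: 1615736591, iat: 1615650191,
  };
  if (withTags) payload[TAGS_CLAIM] = { principal_tags: { userType: ['client'] } };
  const b64url = (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url('{"alg":"none","typ":"JWT"}')}.${b64url(JSON.stringify(payload))}.placeholder-signature`;
}

function trustPolicy(actions) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: COGNITO },
      Action: actions,
      Condition: {
        StringEquals: { [`${COGNITO}:aud`]: POOL_ID },
        'ForAnyValue:StringLike': { [`${COGNITO}:amr`]: 'authenticated' },
      },
    }],
  };
}
const BEFORE = trustPolicy('sts:AssumeRoleWithWebIdentity');                      // as in the question
const AFTER = trustPolicy(['sts:AssumeRoleWithWebIdentity', 'sts:TagSession']);   // as in the last answer

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, policy] of [['before', BEFORE], ['after', AFTER]]) {
    console.log(name, checkTrustPolicy(policy, decodeJwtPayload(makeSampleToken(true))));
  }
}
if (typeof module !== 'undefined') {
  module.exports = { decodeJwtPayload, checkTrustPolicy, makeSampleToken, BEFORE, AFTER };
}
```

Run it with node and the "before" policy reports that the token carries a userType principal tag while the statement lacks sts:TagSession, which is the mismatch behind "Invalid identity pool configuration"; the "after" policy passes. Feeding it the real token string from your backend and the trust policy JSON exported from the IAM console gives the same verdict for your own pool, but a pass here only means the visible conditions line up, not that STS will accept the request.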
