Cannot get developer authenticated identities to work

0

We have set up an Identity Pool with our own Custom provider. On our backend (node sdk v2), we are calling .getOpenIdTokenForDeveloperIdentity() and we are successfully getting back OpenID tokens for our users.

But then, both with iOS SDK (using AWSCore from Mobile SDK) and with a JS Client, we are receiving this error when calling .getCredentialsForIdentity():

Invalid identity pool configuration. Check assigned IAM roles for this pool

Here is the code:

const AWS = require('aws-sdk');
const Cognito = new AWS.CognitoIdentity({ region: '<Region>' });

// identity and openIdToken are both returned by our backend's
// getOpenIdTokenForDeveloperIdentity() call
const credentials = await Cognito.getCredentialsForIdentity({
  IdentityId: identity,
  Logins: {
    'cognito-identity.amazonaws.com': openIdToken,
  },
}).promise();

Role assumed by authenticated users has this Trust Relationship set:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<Identity Pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

And the OpenID Token generated with the .getOpenIdTokenForDeveloperIdentity() API looks like this:

{
  "sub": "<User Identity ID>",
  "aud": "<Identity Pool ID>",
  "amr": [
    "authenticated",
    "<our custom Provider Name, e.g. example.com>",
    "<Custom Provider Name>:<Region>:<Identity Pool ID>:<User ID of our backend>"
  ],
  "https://aws.amazon.com/tags": {
    "principal_tags": {
      "userType": ["client"]
    }
  },
  "iss": "https://cognito-identity.amazonaws.com",
  "https://cognito-identity.amazonaws.com/identity-pool-arn": "<Identity Pool ARN>",
  "exp": 1615736591,
  "iat": 1615650191
}

We can't figure out what we are doing wrong. We believe we have done all the steps as they are documented...

vacum
Asked 3 years ago, viewed 664 times
3 answers
0

After almost a day.... the problem turned out to be "PrincipalTags".

const AWS = require('aws-sdk');
const Cognito = new AWS.CognitoIdentity({ region: '<Region>' });

// backend call that mints the OpenID token for a developer-authenticated user
const cognitoResponse = await Cognito.getOpenIdTokenForDeveloperIdentity({
  IdentityPoolId: '<Identity Pool ID>',
  IdentityId: '<Identity ID>',
  Logins: {
    '<provider name>': userId,
  },
  PrincipalTags: { // THIS IS THE ISSUE
    'userType': 'client',
  },
  TokenDuration: 86400,
}).promise();

I don't know why, but I got it working by removing it ...

vacum
Answered 3 years ago
  • Ran into the same issue.

    After some playing around, I found that I could provide standard tag values (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html), but providing custom tags results in the same error you received. I believe you'd need to update your trust policy to allow both "sts:AssumeRoleWithWebIdentity" and "sts:TagSession".

    If anyone figures out how to add custom attributes, please let me know. Tried it multiple ways, and every time received the same error.

  • Hmm.. I just tried it today and custom tags worked just fine. I do have "sts:TagSession" in my Trusted entities, but I also had that the last time I attempted this when it didn't work. The only thing I can think of that might be different between then and now is either that something was being cached in my session, or AWS made a fix on their end to support it.

0

I also faced the same issue. It seems that sts:TagSession must be allowed for getCredentialsForIdentity. There are details in the document below.

https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/id_session-tags.html

arstkn
Answered 1 year ago
0

You have to modify the trust relationship of the IAM role that is linked to your Identity pool.

  1. Go to IAM roles
  2. Search for and open the role that is linked to your Identity pool
  3. Click on the "Trust relationships" tab
  4. Add the new action sts:TagSession (the second entry in the Action array below)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html

Answered 3 months ago
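As an added example (not code from the question or any of the answers above), here is a pre-flight check that reads the claims of a developer-identity OpenID token without verifying its signature and compares them with the authenticated role's trust policy, so the mismatch the answers describe (a "https://aws.amazon.com/tags" claim in the token while the trust policy grants only sts:AssumeRoleWithWebIdentity and not sts:TagSession) is reported before getCredentialsForIdentity is ever called. The pool id, trust policy and token are constructed samples; the token is an unsigned JWT built only so that its claims can be read.

```javascript
const REQUIRED_ACTION = 'sts:AssumeRoleWithWebIdentity';
const TAG_ACTION = 'sts:TagSession';
const TAG_CLAIM = 'https://aws.amazon.com/tags';

// Decode a JWT payload without verifying the signature (diagnostic use only).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Actions the trust policy allows the Cognito Identity federated principal to call.
function federatedActions(trustPolicy) {
  const actions = new Set();
  for (const stmt of trustPolicy.Statement) {
    const fed = stmt.Principal && stmt.Principal.Federated;
    if (stmt.Effect !== 'Allow' || fed !== 'cognito-identity.amazonaws.com') continue;
    for (const action of [].concat(stmt.Action)) actions.add(action);
  }
  return actions;
}

// Returns a list of mismatches; an empty list means the token/role pair looks consistent.
function checkTokenAgainstTrustPolicy(token, trustPolicy, identityPoolId) {
  const claims = decodeJwtPayload(token);
  const actions = federatedActions(trustPolicy);
  const problems = [];
  if (claims.aud !== identityPoolId) problems.push('aud claim does not match the identity pool');
  if (!actions.has(REQUIRED_ACTION)) problems.push(`trust policy lacks ${REQUIRED_ACTION}`);
  const tagged = claims[TAG_CLAIM] && claims[TAG_CLAIM].principal_tags;
  if (tagged && !actions.has(TAG_ACTION)) {
    problems.push(`token carries principal tags but trust policy lacks ${TAG_ACTION}`);
  }
  return problems;
}

// Constructed samples: a placeholder pool id, the question's trust policy (no
// sts:TagSession) and an unsigned token built with the PrincipalTags claim.
const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';
const TRUST_POLICY = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Principal: { Federated: 'cognito-identity.amazonaws.com' },
  Action: 'sts:AssumeRoleWithWebIdentity' }] };
function makeUnsignedToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(claims)}.`;
}
const TAGGED_TOKEN = makeUnsignedToken({ sub: 'user-1', aud: POOL_ID,
  amr: ['authenticated'], [TAG_CLAIM]: { principal_tags: { userType: ['client'] } } });
console.log(checkTokenAgainstTrustPolicy(TAGGED_TOKEN, TRUST_POLICY, POOL_ID));
```

Running it against the question's original trust policy reports the missing sts:TagSession; adding that action to the trust policy, or dropping PrincipalTags from the backend call, clears the finding.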
