I have a simple iOS app that uploads to S3. I'm trying to get everything around, although ideally I want to make Facebook.
2 IAM roles (created using the wizard). IAM Authentication Policy (for unauth role):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::[mybucketname]/*"
        }
      ]
    }
My constants.h file (cleaned up):
    #define AWSID @"[12 digit num]"
    #define PoolID @"us-east-1:[long id number]"
    #define CRUnauth @"arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole"
    #define CRAuth @"arn:aws:iam::[id num]:role/Cognito_auth_DefaultRole"
My appDelegate.m file has the following:
    credentialsProvider = [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1
                                                                         accountId:AWSID
                                                                    identityPoolId:PoolID
                                                                     unauthRoleArn:CRUnauth
                                                                       authRoleArn:nil];

    AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
                                                                          credentialsProvider:credentialsProvider];

    [AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
I made the credentialsProvider property, since I need to add a Facebook login at some point.
I just upload a package image to check this out. In my view controller:
    if([app.fb_token length] > 0){
        app.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): app.fb_token };
    }

    AWSS3TransferManager *transferManager = [AWSS3TransferManager defaultS3TransferManager];

    UIImage *image = [UIImage imageNamed:@"yayDot"];
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *documentsDirectory = [paths objectAtIndex:0];
    NSString* path = [documentsDirectory stringByAppendingPathComponent: @"yayDot.png" ];
    NSData* data = UIImagePNGRepresentation(image);
    [data writeToFile:path atomically:YES];

    AWSS3TransferManagerUploadRequest *uploadRequest = [AWSS3TransferManagerUploadRequest new];
    uploadRequest.body = [NSURL URLWithString:path];
    uploadRequest.key = @"yayDot.png";
    uploadRequest.bucket = thebucket;

    [AWSLogger defaultLogger].logLevel = AWSLogLevelVerbose;

    [[transferManager upload:uploadRequest] continueWithBlock:^id(BFTask *task) {
Full error:
    AWSURLResponseSerialization.m line:258 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
        "Content-Length" = 299;
        "Content-Type" = "text/xml";
        Date = "Tue, 27 Jan 2015 18:54:17 GMT";
        "x-amzn-RequestId" = "xxxxx";
    }]
    2015-01-27 10:54:18.052 AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:263 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
      <Error>
        <Type>Sender</Type>
        <Code>AccessDenied</Code>
        <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>
      </Error>
      <RequestId>xxxxx</RequestId>
    </ErrorResponse>
    ]
    2015-01-27 10:54:18.059 lookyloo[20024:332664] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:587 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke356 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "The operation couldn't be completed. (com.amazonaws.AWSSTSErrorDomain error 0.)" UserInfo=0x7d936310 {Type=Sender, Message=Not authorized to perform sts:AssumeRoleWithWebIdentity, __text=(
        "\n ",
        "\n ",
        "\n ",
        "\n "
    ), Code=AccessDenied}]
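
Added example, not part of the original post: whether `sts:AssumeRoleWithWebIdentity` succeeds is decided by the role's trust policy rather than by the permissions policy attached to the role, so this sketch evaluates a Cognito-style trust policy against the identity pool id and the identity's login state. The trust policies, the pool id and all function names are constructed for illustration, and only `Allow` statements with the `aud` and `amr` conditions are modelled.

```python
import fnmatch

AUD = "cognito-identity.amazonaws.com:aud"
AMR = "cognito-identity.amazonaws.com:amr"

def as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows(stmt, pool_id, amr):
    """Evaluate one trust-policy statement for a Cognito identity; return (ok, reason)."""
    principal = stmt.get("Principal", {})
    federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
    if stmt.get("Effect") != "Allow":
        return False, "not an Allow statement"
    if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
        return False, "sts:AssumeRoleWithWebIdentity not in Action"
    if "cognito-identity.amazonaws.com" not in federated:
        return False, "Federated principal is not cognito-identity.amazonaws.com"
    cond = stmt.get("Condition", {})
    auds = as_list(cond.get("StringEquals", {}).get(AUD, []))
    if auds and pool_id not in auds:
        return False, "aud does not match the identity pool id"
    patterns = as_list(cond.get("ForAnyValue:StringLike", {}).get(AMR, []))
    # StringLike uses * and ? wildcards; fnmatchcase is a close stand-in.
    if patterns and not any(fnmatch.fnmatchcase(a, p) for a in amr for p in patterns):
        return False, "amr does not match the identity's login state"
    return True, "ok"

def check_role(trust_policy, pool_id, amr):
    """Return (allowed, reasons). Only the aud/amr conditions are modelled."""
    results = [statement_allows(s, pool_id, amr) for s in as_list(trust_policy["Statement"])]
    return any(ok for ok, _ in results), [reason for _, reason in results]

def trust(amr_value, pool_id):
    # Constructed trust policy in the shape the Cognito console generates.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD: pool_id},
                      "ForAnyValue:StringLike": {AMR: amr_value}}}]}

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed placeholder
AUTH_ROLE_TRUST = trust("authenticated", POOL_ID)
UNAUTH_ROLE_TRUST = trust("unauthenticated", POOL_ID)

if __name__ == "__main__":
    for name, policy in (("auth role", AUTH_ROLE_TRUST), ("unauth role", UNAUTH_ROLE_TRUST)):
        print(name, "as unauthenticated identity:", check_role(policy, POOL_ID, ["unauthenticated"]))
```

To run it against a real role, replace the constructed policies with the role's trust policy document as shown in the IAM console.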