It is not allowed to execute AssumeRoleWithWebIdentity with a Cognito user

With AWS-Cognito-Identity-Js I get the session ID token, session.getIdToken().getJwtToken(), for an authenticated Cognito user.

I pass this token to my AWSInitialize function and update my AWS credentials:

    var AWSInitialize = function(token) {
        // Map the user pool's login provider key to the ID token
        var Logins = {};
        Logins['cognito-idp.' + AWSCognito.config.region + '.amazonaws.com/' + poolData.UserPoolId] = token;
        // Exchange the user pool token for identity pool credentials
        AWS.config.update({
            region: AWSCognito.config.region,
            credentials: new AWS.CognitoIdentityCredentials({
                IdentityPoolId: identityPoolId,
                region: AWSCognito.config.region,
                Logins: Logins
            })
        });
    };

This works correctly, because now, for example, I can execute the Lambda function on behalf of an authenticated Cognito user.

    var lambda = new AWS.Lambda({});
    lambda.invoke({ FunctionName: 'createToken' }, function(err, data) {
        ...
    });

This is possible because I have attached a policy to Cognito_myAppAuth_Role that allows me to execute this Lambda function:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1471300653000",
                "Effect": "Allow",
                "Action": [
                    "lambda:InvokeFunction"
                ],
                "Resource": [
                    "arn:aws:lambda:eu-west-1:593845191076:function:createToken"
                ]
            }
        ]
    }

Now what I'm trying to do is get tokens from STS for the same users.

For this, I attached a second policy to Cognito_myAppAuth_Role. It should allow Cognito users to call assumeRoleWithWebIdentity:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1472560044000",
                "Effect": "Allow",
                "Action": [
                    "sts:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

But when I run this code:

    var sts = new AWS.STS({});
    var params = {
        RoleArn: 'arn:aws:iam::593845191076:role/Cognito_myAppAuth_Role', /* required */
        RoleSessionName: "UserName",                                      /* required */
        WebIdentityToken: token                                           /* required */
    };
    sts.assumeRoleWithWebIdentity(params, function(err, data) {
        if (err) console.log(err, err.stack); // an error occurred
        else     console.log(data);           // successful response
    });

I get the following error:

  AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity 

I do not understand why the user is not allowed to execute sts:AssumeRoleWithWebIdentity. I attached the STS policy to the authenticated role, and the Lambda policy also worked for the user.

Where could the problem be? How can I solve this problem?

Thanks a lot!


I suspect the reason for this failure is that you are trying to use the Cognito User Pool token directly with STS. Although I no longer work directly with Cognito, I do not believe that this will work.

You should try one of the following:

  • (recommended) Use the Cognito GetId and GetCredentialsForIdentity calls to get your temporary credentials. This is what your first block of code does under the hood.
  • Use the Cognito GetId and GetOpenIdToken calls, and then use that token in your AssumeRoleWithWebIdentity call.

Hope this helps.

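The second option above, as an added example that is not part of the original answer: the user pool ID token is first exchanged with the identity pool (GetId, then GetOpenIdToken), and only the resulting identity-pool token is handed to STS. It assumes AWS SDK v2 style clients (request objects with .promise()) passed in as parameters, so the flow can be exercised offline against the constructed fake clients at the bottom; the identity pool id, ARNs and issuer strings in the fakes are placeholders.

```javascript
// Added example, not code from the original post: exchange a user-pool ID token for
// an identity-pool OpenID token (GetId + GetOpenIdToken) before calling STS. Assumes
// AWS SDK v2 clients (requests with .promise()), injected so it runs offline on fakes.

// Read the `iss` claim of a JWT. Inspection only, no signature verification.
function jwtIssuer(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  return typeof payload.iss === 'string' ? payload.iss : '';
}

// A user-pool ID token (issuer cognito-idp.<region>.amazonaws.com/<poolId>) is not
// accepted by STS; only the identity-pool token (issuer cognito-identity.amazonaws.com) is.
function isIdentityPoolToken(jwt) {
  return jwtIssuer(jwt).includes('cognito-identity.amazonaws.com');
}

async function assumeRoleViaIdentityPool(clients, opts) {
  const logins = { [opts.loginProvider]: opts.userPoolIdToken };
  const { IdentityId } = await clients.cognitoIdentity
    .getId({ IdentityPoolId: opts.identityPoolId, Logins: logins }).promise();
  const { Token } = await clients.cognitoIdentity
    .getOpenIdToken({ IdentityId: IdentityId, Logins: logins }).promise();
  if (!isIdentityPoolToken(Token)) throw new Error('GetOpenIdToken returned an unexpected issuer');
  const { Credentials } = await clients.sts.assumeRoleWithWebIdentity({
    RoleArn: opts.roleArn, RoleSessionName: opts.sessionName, WebIdentityToken: Token,
  }).promise();
  return Credentials; // AccessKeyId, SecretAccessKey, SessionToken, Expiration
}

// Constructed fakes standing in for new AWS.CognitoIdentity() and new AWS.STS(); the
// fake STS reproduces the question's AccessDenied when the issuer is not the identity pool.
const unsignedJwt = (claims) =>
  'e30.' + Buffer.from(JSON.stringify(claims)).toString('base64').replace(/=+$/, '') + '.sig';
const fakeClients = {
  cognitoIdentity: {
    getId: () => ({ promise: async () => ({ IdentityId: 'eu-west-1:fake-identity-id' }) }),
    getOpenIdToken: (p) => ({ promise: async () => ({
      Token: unsignedJwt({ iss: 'https://cognito-identity.amazonaws.com', sub: p.IdentityId }) }) }),
  },
  sts: {
    assumeRoleWithWebIdentity: (p) => ({ promise: async () => {
      if (!isIdentityPoolToken(p.WebIdentityToken))
        throw new Error('AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity');
      return { Credentials: { AccessKeyId: 'ASIAFAKE', SecretAccessKey: 'fake', SessionToken: 'fake' } };
    } }),
  },
};
```

With real clients, replace fakeClients with { cognitoIdentity: new AWS.CognitoIdentity(), sts: new AWS.STS() } and pass the user pool ID token from session.getIdToken().getJwtToken() as userPoolIdToken.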

Source: https://habr.com/ru/post/973825/
