AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

javascript amazon-web-services aws-sdk amazon-cognito
21,248

Solution 1

Seems like you are using the Id token vended by Cognito user pools to call the assumeRoleWithWebIdentity.

You need to federate this token with Cognito identity first and you can use the Open Id connect token vended by Cognito identity to call assumeRoleWithWebIdentity. You can directly call getCredentialsForIdentity as well using Enhanced flow.

See this to learn more about how to federate user pools token with Cognito identity.

Solution 2

Came across the same issue,

  • Create a user pool to serve as a user directory.
  • Register a user (User 1) in the user pool.
  • Create an identity pool and configure it to integrate with the user pool.
  • Create an IAM role that with the required permission. When creating the user use AssumeRoleWithWebIdentity option and add the identity pool ID in the wizard.
  • Create a group in the user pool and map the role we created and add some users to this group.
  • Now after authenticating the user via cognito configure the aws sdk with the jwt token.

AWS.config.region = "<YOUR_REGION>";

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId : '<YOUR_IDENTITY_POOL_ID>', 
        Logins : {
          // Change the key below according to the specific region your user pool is in.
          `cognito-idp.${AWS.config.region}.amazonaws.com/${data.UserPoolId}` : session.getIdToken().getJwtToken()
        }
      });

Reference Article - https://aws.amazon.com/blogs/developer/authentication-with-amazon-cognito-in-the-browser/

Share:
21,248

Related videos on Youtube

Dhiogo Corrêa
Author by

Dhiogo Corrêa

Whatup?

Updated on April 04, 2020

Comments

  • Dhiogo Corrêa
    Dhiogo Corrêa about 4 years

    I've looked around similar problems, but couldn't resolve my problem. I'm developing an web application where the user will authenticate using AWS Cognito's authentication. The sign up part is ok, but when I try to sign in, I'm getting the "not authorized" exception. I've already tried to attach custom policies to my IAM Role (authorizing sts:AssumeRoleWithWebIdentity), but didn't work.. Here is how the code is written right now:

            var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        var sts = new AWS.STS({apiVersion: '2011-06-15'});

        var params = {
            RoleArn: 'arn:aws:iam::981601120657:role/Cognito_AliceAuth_Role', /* required */
            RoleSessionName: 'AliceUserSession', 
            WebIdentityToken: result.getIdToken().getJwtToken(), 
            Policy: '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*" } ] }'
        };

        sts.assumeRoleWithWebIdentity(params, function (err, data) {
            if (err)
                console.log(err, err.stack); // ** <-- ERROR HERE
            else
                console.log(data);           // successful response
        });

        //document.getElementById('authForm').submit();
    },
    onFailure: function (err) {
        alert(err);
    }

});

    As you can see, I specified the policy in the code too, but I still get the "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity" error. Please help me :/

    EDIT:

    Inside the "Cognito_AliceAuth_Role" I've created the role policies: AssumeRoleWithWebIdentityPolicy:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Resource": "*"
        }
    ]
}

    and: GetFederationTokenPolicy

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}

    The trust relationship:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
    • Tom Nijs
      Tom Nijs almost 8 years
      How did attaching the policy to allow your IAM user to use sts:AssumeRoleWithWebIdentity not work?
    • Dhiogo Corrêa
      Dhiogo Corrêa almost 8 years
      I really don't know... :( I've updated the question adding more info
    • Tom Nijs
      Tom Nijs almost 8 years
      When you try to authenticate using temporary credentials, what information do you provide?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

AWS : Invalid identity pool configuration. Check assigned IAM roles for this pool
How to use the code returned from Cognito to get AWS credentials?
AWS Cognito + google signup
How to confirm user in Cognito User Pools without verifying email or phone?
AWS Cognito Identity NotAuthorizedException
How to query items from AWS S3 by date created
Uncaught reference error: AWS not defined
How to support transactions in dynamoDB with javascript aws-sdk?
AWS Cognito Mock
How to check Email Already exists in AWS Cognito?