Invalid access key error using credentials redeemed from an amazon open id token

让人想犯罪 __ submitted on 2019-12-11 02:59:35

Question


I'm getting an Invalid access key error using credentials redeemed from an Amazon OpenID token from Cognito.

Here's what I'm doing

  1. Get developer authenticated open id token

    // The response of getOpenIdTokenForDeveloperIdentity carries IdentityId and Token;
    // keep the whole response so openIdToken.Token can be used in the next step.
    cognito.getOpenIdTokenForDeveloperIdentity(params, function (err, data) {
        openIdToken = data;
    });

  2. Redeem open id token for security credentials. I set the params to the Cognito Auth role and set an arbitrary role session name. I use the token from step 1. There is no place where I set the identity id from step 1.

    it('should be able to exchange temporary open id token for auth credentials', function (done) {

        var sts = new AWS.STS();
        var params = {
            RoleArn: roleArn,
            RoleSessionName: 'photo-upload-session',
            WebIdentityToken: openIdToken.Token
        };
        sts.assumeRoleWithWebIdentity(params, function(err, data) {
            should.not.exist(err);

            should.exist(data.Credentials.AccessKeyId);
            should.exist(data.Credentials.SecretAccessKey);
            should.exist(data.Credentials.SessionToken);
            credentials = data.Credentials;

            done();
        });
    });

  3. I update the current credentials

    // Only the access key id and secret are set here; the SessionToken from the STS result is not passed on.
    AWS.config.update({accessKeyId : credentials.AccessKeyId, secretAccessKey:credentials.SecretAccessKey});

  4. I upload a file to S3 and get the [InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.] error.

Edit: using Bob Kinney's advice I tried two methods - setting the sessionToken (which worked) and using the Cognito credentials, which gave a TypeError "not a buffer" error. The CognitoIdentityCredentials example is below.

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: config.get('aws_identity_pool_id'),
        Logins: {
            'cognito-identity.amazonaws.com': openIdToken.Token
        }
    });

    var body = fs.createReadStream(__dirname + '/test_photo.jpg');

    var s3obj = new AWS.S3({params: {Bucket: 'test-uploads', Key: 'test'}});

    s3obj.upload({Body: body}).
        on('httpUploadProgress', function(evt) { console.log(evt); }).
        send(function(err, data) {
            should.not.exist(err);
            done();

        });

Update:

So, moving back to the Java client error: we are using the OpenID token (which was tested to be working correctly with sts.assumeRoleWithWebIdentity) and passing that token into an extension of AWSAbstractCognitoIdentityProvider (code taken from this link: http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenticated-identities/), then using that identity to upload to S3 and getting the error.

    CustomAwsIdentityProvider provider = CustomAwsIdentityProvider.newInstance(this, BuildConfig.AWS_COGNITO_POOL_ID, Regions.US_EAST_1);

    CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(this, provider, Regions.US_EAST_1);

    TransferManager tm = new TransferManager(credentialsProvider);
    tm.upload("my-upload", uuid.toString(), file);

Answer 1:


Sorry for the issues. It appears you are using the JavaScript SDK. When using this flow you can use the standard AWS.CognitoIdentityCredentials object as mentioned in the developer guide using the key of cognito-identity.amazonaws.com and the value as the OpenId Connect token returned from the getOpenIdTokenForDeveloperIdentity call.

The reason for the error you are seeing is that you are not including the sessionToken from the STS result. Using the AWS.CognitoIdentityCredentials object should resolve this for you.

Update 2015-07-21: There is a small issue in the SDK that will unfortunately prevent AWS.CognitoIdentityCredentials from working as I described it. We are working on mitigating this issue.

Update 2015-07-24: You should be able to use the following to use the AWS.CognitoIdentityCredentials with your developer authenticated identity:

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'MY_IDENTITY_POOL',
      IdentityId: data.IdentityId,
      Logins: {
        'cognito-identity.amazonaws.com': data.Token
      }
    });

Where data is the response from GetOpenIdTokenForDeveloperIdentity.
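The answer's point is that STS and Cognito hand out a credential triple, and a request signed with only the access key id and secret fails because the service cannot find a temporary key id without its session token. The following is an added example, not code from the question, the answer or the AWS SDK: small helpers that turn the two API responses shown above into the shapes the SDK wants and refuse to proceed when the session token is missing. It assumes the capitalised response field names used on this page (AccessKeyId, SecretAccessKey, SessionToken, IdentityId, Token); all sample values are constructed. It also goes slightly beyond the thread by checking the access key id prefix, since STS-issued temporary key ids begin with "ASIA" while long-term IAM user keys begin with "AKIA".

```javascript
// Added example, not part of the original question or answer.
// Assumed field names: the SDK response shapes as shown on this page.

// Convert an AssumeRoleWithWebIdentity result into the camel-case object
// AWS.config.update() expects. Refuses to produce a config that drops the
// session token, which is the omission that caused InvalidAccessKeyId above.
function credentialsFromSts(stsData) {
  const c = stsData && stsData.Credentials;
  if (!c) throw new Error('STS result has no Credentials');
  for (const field of ['AccessKeyId', 'SecretAccessKey', 'SessionToken']) {
    if (typeof c[field] !== 'string' || c[field].length === 0) {
      throw new Error('STS credential is missing ' + field);
    }
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
  };
}

// Temporary access key ids issued by STS start with "ASIA"; long-term IAM
// user keys start with "AKIA". A signer can use this to decide whether a
// session token is mandatory before it sends anything.
function isTemporaryKeyId(accessKeyId) {
  return typeof accessKeyId === 'string' && accessKeyId.startsWith('ASIA');
}

// Credential-related headers a SigV4 signer adds: the session token travels
// in X-Amz-Security-Token. Without it the service looks the ASIA... key up as
// if it were a long-term key, finds nothing, and answers InvalidAccessKeyId.
function securityHeaders(creds) {
  if (isTemporaryKeyId(creds.accessKeyId) && !creds.sessionToken) {
    throw new Error('temporary access key requires a sessionToken');
  }
  const headers = {};
  if (creds.sessionToken) headers['X-Amz-Security-Token'] = creds.sessionToken;
  return headers;
}

// Build the constructor argument for AWS.CognitoIdentityCredentials from a
// GetOpenIdTokenForDeveloperIdentity response, as in the 2015-07-24 update.
function cognitoIdentityParams(identityPoolId, openIdData) {
  if (!openIdData || !openIdData.IdentityId || !openIdData.Token) {
    throw new Error('GetOpenIdTokenForDeveloperIdentity response needs IdentityId and Token');
  }
  return {
    IdentityPoolId: identityPoolId,
    IdentityId: openIdData.IdentityId,
    Logins: { 'cognito-identity.amazonaws.com': openIdData.Token },
  };
}

// Constructed sample data shaped like the two API responses (all values fake).
const SAMPLE_STS = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLEEXAMPLE12',
    SecretAccessKey: 'constructed-secret-not-real',
    SessionToken: 'constructed-session-token',
    Expiration: '2015-07-24T00:00:00Z',
  },
};
const SAMPLE_OPENID = {
  IdentityId: 'us-east-1:00000000-0000-0000-0000-000000000000',
  Token: 'constructed.openid.token',
};

// Walk through the two flows with the constructed data.
const sdkCreds = credentialsFromSts(SAMPLE_STS);
console.log(securityHeaders(sdkCreds));
console.log(cognitoIdentityParams('us-east-1:EXAMPLE-POOL', SAMPLE_OPENID));
```

Wiring `credentialsFromSts` in front of `AWS.config.update()` turns the silent "two fields out of three" mistake from step 3 into an immediate exception, and `securityHeaders` shows why the service rejects the request rather than the SDK: the session token is part of the signed request, not an optional extra.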



Source: https://stackoverflow.com/questions/31521491/invalid-access-key-error-using-credentials-redeemed-from-an-amazon-open-id-token
