问题
With AWS-Cognito-Identity-Js I obtain a session ID token session.getIdToken().getJwtToken() for a authenticated Cognito User.
I pass this token to my AWSInitialize function and update the AWS Credentials:
var AWSInitialize = function(token){
Logins = {};
Logins['cognito-idp.' + AWSCognito.config.region + '.amazonaws.com/' + poolData.UserPoolId] = token;
AWS.config.update({
region: AWSCognito.config.region,
credentials: new AWS.CognitoIdentityCredentials({
IdentityPoolId : identityPoolId,
region: AWSCognito.config.region,
Logins : Logins
})
});
};
This works correctly because now for example I can execute a Lambda-Function on behalf of an authenticated Cognito User.
var lambda = new AWS.Lambda({});
lambda.invoke({FunctionName: 'createToken'}, function(err, data) ...
This is possible because in the Cognito_myAppAuth_Role I attached a Policy that allows me to Execute this Lambda-Function:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1471300653000",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:eu-west-1:593845191076:function:createToken"
]
}
]
}
Now what I am trying to do Is to get Tokens with STS for the same users
For that I attached another policy to Cognito_myAppAuth_Role. It should allow the Cognito Users to call assumeRoleWithWebIdentity:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1472560044000",
"Effect": "Allow",
"Action": [
"sts:*"
],
"Resource": [
"*"
]
}
]
}
But when I run this code:
var sts = new AWS.STS({});
var params = {
RoleArn: 'arn:aws:iam::593845191076:role/Cognito_myAppAuth_Role', /* required */
RoleSessionName: "UserName", /* required */
WebIdentityToken: token, /* required */
};
sts.assumeRoleWithWebIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
I get the following error:
AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
I do not understand why the user is not authorized to perform sts:AssumeRoleWithWebIdentity. To the authenticated Role I attached a STS policy and the Lambda-Policy was also working for the User
Where could be the problem? How can I solve this issue?
Thanks a lot!
回答1:
I suspect the reason for this failure is that you are trying to use the Cognito Your User Pool token directly with STS. While I no longer work directly on Cognito, I do not believe this will work.
You should try one of the following:
- (recommended) Use the Cognito federated identity calls
GetIdandGetCredentialsForIdentityto get your temporary credentials. This is what your first block of code is doing under the hood. - Use the Cognito federated identity calls
GetIdandGetOpenIdToken, then use that token in yourAssumeRoleForWebIdentitycall.
Hope this helps.
来源:https://stackoverflow.com/questions/39227946/not-authorized-to-perform-assumerolewithwebidentity-with-cognito-user