
In my Android app I want to create temporary credentials for AWS, so that I don't have to store my secret AWS credentials in my app. I use this code to create the credentials:

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.regions.Regions;

// Cognito credentials provider: account id, identity pool id, unauth role ARN, auth role ARN, region
CognitoCachingCredentialsProvider cognitoProvider = new CognitoCachingCredentialsProvider(
        getApplicationContext(), // get the context for the current activity
        "XXXXXXXXXX",                                        // AWS account id
        "us-east-1:XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",      // Cognito identity pool id
        "arn:aws:iam::XXXXXXXXXXX:role/myUnauthRole",        // role for unauthenticated identities
        "arn:aws:iam::XXXXXXXXXXX:role/myAuthRole",          // role for authenticated identities (ARN form is role/<name>)
        Regions.US_EAST_1
);
// getCredentials() performs the network call to Cognito/STS and must not run on the UI thread
AWSCredentials temporary = cognitoProvider.getCredentials();
AWSCredentials awsCredentials = new BasicAWSCredentials(temporary.getAWSAccessKeyId(), temporary.getAWSSecretKey());

When I try it like this, I get an error in the last line of my code with the message "Not authorized to perform sts:AssumeRoleWithWebIdentity". I think there is a problem with the policy that I use for myUnauthRole and myAuthRole. It looks like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:GetFederationToken",
    "Resource": "*"
  }]
}

Is there anything else I have to do within the policy? I was not able to find a working example for my use case on the internet. It would be great to get some support here.

Thanks!

Bob Kinney
JensJensen
  • You should double check that your roles are correctly configured. This [blog post](http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication) should help you understand Amazon Cognito Authentication. – Yosuke Sep 24 '14 at 21:10

2 Answers


From the error it looks like you have your access policy set up, but not your trust policy. Taken from the Amazon documentation here:

In order to allow the mobile app to access resources, you must create one or more IAM roles that the app can assume. As with any role, a role for the mobile app contains two policies. One is the trust policy that specifies who can assume the role (the trusted entity, or principal). The other policy (the access policy) specifies the actual AWS actions and resources that the mobile app is allowed or denied access to, and is similar to user or resource policies.

The trust policy must grant an Allow effect for the sts:AssumeRoleWithWebIdentity action.

The link to the documentation has steps to set up the appropriate roles in the Cognito Console.

EFeit
  • Unfortunately the examples are not helpful for me. I don't want to sign in with Amazon, Facebook or Google. My trust policy looks like this, I really don't know what's wrong with it: – JensJensen Sep 24 '14 at 06:45
  • { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxx" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" } } } ] } – JensJensen Sep 24 '14 at 06:50

As is noted in other answers, the problem is with your trust relationships, not with your access policy. Some things to check in your trust relationships:

  • Does the identity pool id you are using match what is listed in the trust relationships?
  • Make sure you are instantiating the credentials provider with the unauth role and auth role in the correct order.

If you use the Cognito Console the roles created for you should have their trust relationships set correctly for that identity pool. If you'd like to learn more about Cognito Authentication you can read about it on our blog.

Some additional things I'd like to note:

  • The CognitoCachingCredentialsProvider will cache ids even if you change identity pools, you can call clear to ensure you are not using a cached id from an older pool.
  • You do not need to extract the portions of the credentials from the provider, you can simply pass the credentials provider directly to your service clients' constructor.
Bob Kinney
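The two answers above boil down to a small checklist for the trust policy of a Cognito-backed role: it must Allow sts:AssumeRoleWithWebIdentity for the federated principal cognito-identity.amazonaws.com (EFeit's point), its aud condition must name the identity pool the app actually passes to the provider, and its amr condition must match the role's intended use so that the unauth and auth roles are not swapped (Bob Kinney's checklist). The script below is an added example, not code from the question or either answer, that runs that checklist over a trust policy document. The function names, the sample policies and the identity pool id are constructed for illustration; the first sample is the access-only policy from the question, which fails the first check exactly as the error message suggests.

```python
"""Lint the trust policy of an IAM role meant to be assumed via Amazon Cognito.

Added example (not from the question or the answers). The policies and the
identity pool id below are constructed placeholders.
"""
import json

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_cognito_trust_policy(policy_json, identity_pool_id, expect_amr):
    """Return a list of findings; an empty list means the trust policy passes.

    policy_json      -- the role's trust policy document as a JSON string
    identity_pool_id -- the pool id the app passes to the credentials provider
    expect_amr       -- "unauthenticated" or "authenticated", the role's intended use
    """
    findings = []
    policy = json.loads(policy_json)

    # Collect Allow statements that let the Cognito federated principal assume the role.
    matching = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if ASSUME_ACTION not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if COGNITO_PRINCIPAL in federated:
            matching.append(stmt)

    if not matching:
        findings.append(
            f"no Allow statement for {ASSUME_ACTION} with Principal.Federated = {COGNITO_PRINCIPAL} "
            "(an access policy alone cannot make a role assumable)"
        )
        return findings

    for stmt in matching:
        cond = stmt.get("Condition", {})
        # aud pins the role to one identity pool; without it any pool could assume the role.
        auds = _as_list(cond.get("StringEquals", {}).get(f"{COGNITO_PRINCIPAL}:aud"))
        if not auds:
            findings.append("no aud condition: any Cognito identity pool could assume this role")
        elif identity_pool_id not in auds:
            findings.append(f"aud condition {auds} does not include the pool the app uses ({identity_pool_id})")
        # amr distinguishes unauthenticated identities from authenticated ones.
        amrs = _as_list(cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO_PRINCIPAL}:amr"))
        if not amrs:
            findings.append("no amr condition: role does not separate authenticated from unauthenticated identities")
        elif expect_amr not in amrs:
            findings.append(f"amr condition {amrs} does not match intended use '{expect_amr}' (roles swapped?)")
    return findings


# Constructed placeholder identity pool id (not a real pool).
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# The policy from the question: an access policy, not a trust policy.
ACCESS_POLICY_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"}],
})

# A trust policy of the shape the Cognito console generates for the unauth role.
UNAUTH_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO_PRINCIPAL},
        "Action": ASSUME_ACTION,
        "Condition": {
            "StringEquals": {f"{COGNITO_PRINCIPAL}:aud": POOL_ID},
            "ForAnyValue:StringLike": {f"{COGNITO_PRINCIPAL}:amr": "unauthenticated"},
        },
    }],
})

if __name__ == "__main__":
    for label, doc, amr in [("question's policy", ACCESS_POLICY_ONLY, "unauthenticated"),
                            ("unauth trust policy", UNAUTH_TRUST_POLICY, "unauthenticated"),
                            ("unauth policy used as auth role", UNAUTH_TRUST_POLICY, "authenticated")]:
        print(label, "->", check_cognito_trust_policy(doc, POOL_ID, amr) or "OK")
```

Run it against the trust policy pasted in the comment above (with the real pool id) and against the ARN you pass as the auth role: a non-empty result for the auth role with expect_amr "authenticated" is the "roles in the wrong order" case from the second answer.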