4

i can't get the Credentials for my CognitoIdentity. When the User is successfully authenticated, he needs to get a Identity to access other AWS Services. In my case thats AWS IoT. But for somehow, i can't get any credentials.

This is the Error Message:

Error retrieving credentials: NotAuthorizedException: Access to Identity 'eu-central-1:XXXXXXXXXX' is forbidden.

My Code is almost exactly like the Tutorial on Github:

 var cognitoUser = new AWSCognito.CognitoUser(userData);
  cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
      console.log("Logged in");
      console.log('access token + ' + result.getAccessToken().getJwtToken());
      //    window.location.href = "index.html";
      AWS.config.region = AWSConfiguration.region;

      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: AWSConfiguration.IdPoolId,
        Logins : {
          'cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXX' : result.getIdToken().getJwtToken()
        }
      });
      var cognitoIdentity = new AWS.CognitoIdentity();
      AWS.config.credentials.get(function(err, data) {
        if (!err) {
          console.log('retrieved identity: ' + AWS.config.credentials.identityId);
          var params = {
            IdentityId: AWS.config.credentials.identityId
          };
          cognitoIdentity.getCredentialsForIdentity(params, function(err, data) {
            if (!err) {
              thingShadows.updateWebSocketCredentials(data.credentials.AccessKeyId,
                                                 data.credentials.SecretKey,
                                                 data.credentials.SessionToken);
            }
            else {
              console.log('error retrieving credentials: ' + err);
            }
          });
        }
        else {
          console.log('error retrieving identity:' + err);
        }
      });
    }
  });

Please note that i skipped not related code. authenticated users have full access to all AWS services i'm using.

David
  • 1,084
  • 12
  • 36

1 Answers1

2

I don't think you need to call cognitoIdentity.getCredentialsForIdentity(). Your IAM keys should be put into the AWS.config.credentials object when you call AWS.config.credentials.get(). You can access them directly in the callback you provide when you call it.

In other words, when you're logging out the retrieved identity: to the console, the credentials object should already have your secret key, access key id, and session token in it.

All of this (give or take a curly brace):

 var params = {
    IdentityId: AWS.config.credentials.identityId
  };
  cognitoIdentity.getCredentialsForIdentity(params, function(err, data) {
    if (!err) {
      thingShadows.updateWebSocketCredentials(data.credentials.AccessKeyId,
                                         data.credentials.SecretKey,
                                         data.credentials.SessionToken);
    }
    else {
      console.log('error retrieving credentials: ' + err);
    }
  });

Can probably be replaced with something like this:

thingShadows.updateWebSocketCredentials(AWS.config.credentials.accessKeyId,
                                        AWS.config.credentials.secretKey,
                                        AWS.config.credentials.sessionToken);

If you pass in a Logins map with the user pool id and access token in it, the getCredentialsForIdentity() call might succeed; I didn't test it. I haven't yet run into a use case where I needed to use this particular API, and I suspect you don't need it either.

Source: I work on a 100% javascript application that uses both authenticated and unauthenticated Cognito identities. We don't call getCredentialsForIdentity() anywhere, and trying to insert it produced the same error you're getting.

Mike Patrick
  • 10,699
  • 1
  • 32
  • 54