I have a simple use case: authenticate a user using AWS Cognito and then assume a role to be able to do something useful (read from S3 in my case). Apparently I am missing something very obvious.
I am using a pure web HTTP client with Cognito authentication (so Cognito can federate other identity providers) and the backend receives only the id_token.
I could get session credentials using getCredentialsForIdentity; apparently these credentials have the permissions assigned by the role defined in the Cognito identity pool (in my case Cognito_demoidpoolAuth_Role).
My idea was to create another role which the federated web identity could assume.
So I created a new role for Web Identity; the role to access the data has a Trust Relationship with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "eu-central-1:500a5721-abca-xxxx-xxxx-c15625a7xxxx"
                }
            }
        }
    ]
}
The following code should assume the role needed to read from the bucket:
WebIdentityFederationSessionCredentialsProvider credProvider =
        new WebIdentityFederationSessionCredentialsProvider(
                idToken,
                null,
                "arn:aws:iam::535544306598:role/docmgr-test-role");
Under the hood this object calls assumeRoleWithWebIdentity and I get the following exception:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
Not authorized to perform sts:AssumeRoleWithWebIdentity (Service: AWSSecurityTokenService;
Status Code: 403; Error Code: AccessDenied; Request ID: 059e56ee-25c8-11e8-8852-f7ca4d49742b)
Calling STS assumeRoleWithWebIdentity directly with the id_token ends with the same result, so apparently I have set the wrong policy or am trying to do things the wrong way.
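As an added illustration (editor's example, not the poster's code), the trust policy from the question can be evaluated offline against tokens shaped like the two kinds of JWT involved here. A Cognito Identity OpenID token (the output of GetOpenIdToken) is issued by cognito-identity.amazonaws.com with the identity pool ID as its audience, which is what the `cognito-identity.amazonaws.com:aud` condition key is compared against; a User Pool id_token is issued by cognito-idp.<region>.amazonaws.com/<userPoolId> with the app client ID as its audience, so it names a different federated provider. The model below also shows a hardened variant that additionally requires the `amr` claim to contain `authenticated`, so guest identities in the pool cannot assume the role. The tokens are constructed, unsigned and use placeholder IDs; `HARDENED_TRUST_POLICY`, `evaluate_assume_role` and the simplified condition evaluator are assumptions of this example, not an AWS API.

```python
import base64
import fnmatch
import json

# Trust policy copied from the question (identity pool ID as written there).
POOL_ID = "eu-central-1:500a5721-abca-xxxx-xxxx-c15625a7xxxx"
QUESTION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID}},
    }],
}

# Hardened variant (added here, not from the question): the identity must also be
# authenticated, otherwise unauthenticated guests of the pool could assume the role.
HARDENED_TRUST_POLICY = json.loads(json.dumps(QUESTION_TRUST_POLICY))
HARDENED_TRUST_POLICY["Statement"][0]["Condition"]["ForAnyValue:StringLike"] = {
    "cognito-identity.amazonaws.com:amr": "authenticated"
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT so the example runs offline (real tokens are signed)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload only; signature checks are STS's job and not modelled here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def provider_of(claims: dict) -> str:
    """The federated provider name is the token issuer without the scheme."""
    iss = claims.get("iss", "")
    return iss[len("https://"):] if iss.startswith("https://") else iss


def condition_context(claims: dict) -> dict:
    """Map token claims onto the <provider>:aud / :sub / :amr condition keys."""
    provider = provider_of(claims)
    ctx = {f"{provider}:aud": claims.get("aud"), f"{provider}:sub": claims.get("sub")}
    if "amr" in claims:
        ctx[f"{provider}:amr"] = claims["amr"]
    return ctx


def _condition_ok(operator: str, pairs: dict, ctx: dict) -> bool:
    for key, expected in pairs.items():
        actual = ctx.get(key)
        if operator == "StringEquals":
            if actual != expected:
                return False
        elif operator == "ForAnyValue:StringLike":
            values = actual if isinstance(actual, list) else ([] if actual is None else [actual])
            patterns = expected if isinstance(expected, list) else [expected]
            if not any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns):
                return False
        else:
            raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate_assume_role(policy: dict, token: str) -> bool:
    """True if some Allow statement's principal and conditions match the token."""
    claims = jwt_claims(token)
    ctx = condition_context(claims)
    provider = provider_of(claims)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != provider:
            continue  # token comes from a provider this role does not trust
        if all(_condition_ok(op, kv, ctx) for op, kv in stmt.get("Condition", {}).items()):
            return True
    return False


# Constructed tokens (placeholder IDs): Cognito Identity OpenID tokens for an
# authenticated and a guest identity, and a User Pool id_token.
IDENTITY_TOKEN_AUTH = make_unsigned_jwt({"iss": "https://cognito-identity.amazonaws.com",
    "aud": POOL_ID, "sub": "eu-central-1:identity-id-placeholder", "amr": ["authenticated"]})
IDENTITY_TOKEN_GUEST = make_unsigned_jwt({"iss": "https://cognito-identity.amazonaws.com",
    "aud": POOL_ID, "sub": "eu-central-1:guest-id-placeholder", "amr": ["unauthenticated"]})
USER_POOL_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_PLACEHOLDER",
    "aud": "app-client-id-placeholder", "sub": "user-sub-placeholder", "token_use": "id"})

if __name__ == "__main__":
    for name, tok in [("identity/auth", IDENTITY_TOKEN_AUTH), ("identity/guest", IDENTITY_TOKEN_GUEST),
                      ("userpool/id_token", USER_POOL_ID_TOKEN)]:
        print(name, "question policy:", evaluate_assume_role(QUESTION_TRUST_POLICY, tok),
              "hardened policy:", evaluate_assume_role(HARDENED_TRUST_POLICY, tok))
```

Running it shows the question's policy accepting both the authenticated and the guest Cognito Identity tokens (the `aud` condition alone does not distinguish them) and rejecting the User Pool id_token, whose issuer is not the trusted federated principal; the hardened policy accepts only the authenticated identity.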