
My users log in to my application through a microservice that connects to Cognito (the request is proxied via API Gateway).

They get a session token.

Once logged in, they need to put some files into S3.

I want to give them temporary credentials using STS but to call sts.AssumeRoleWithWebIdentity I need a web identity token.

How can I get a web identity token with a session token as input?

I wrote a temporary lambda (node) that returns STS credentials upon logging in with a username and password:

const AWS = require('aws-sdk');
const cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
const cognitoidentity = new AWS.CognitoIdentity();
// USER_PASSWORD_AUTH returns an IdToken (a JWT), an AccessToken and a RefreshToken
const { AuthenticationResult } = await cognitoidentityserviceprovider.initiateAuth({ AuthFlow: 'USER_PASSWORD_AUTH', ClientId: clientId, AuthParameters: { USERNAME: username, PASSWORD: password } }).promise();
// the identity pool expects the IdToken under the user pool's provider name
const Logins = { [`cognito-idp.${region}.amazonaws.com/${userPoolId}`]: AuthenticationResult.IdToken };
const { IdentityId } = await cognitoidentity.getId({ IdentityPoolId: identityPoolId, Logins }).promise();
// temporary AccessKeyId / SecretKey / SessionToken for the identity pool's authenticated role
const { Credentials } = await cognitoidentity.getCredentialsForIdentity({ IdentityId, Logins }).promise();

There can be some time between the login and the file upload and I don't want the user to submit username/password each time. There's no AuthFlow accepting a session token either.

I'm guessing the API Gateway could return something useful but I didn't find anything in the docs: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference

gyc

1 Answer

A few checks first:

  • Let the Cognito-authenticated user "masquerade" under an IAM role; to do that we use trust relationships. For a quick start, you can reuse the IAM role that gets assigned to your Cognito identity pool.
  • Grant that IAM role a policy with access to the S3 bucket.

Once done:

Run cognitoidentity.getCredentialsForIdentity(...) again; it goes through STS first, so you don't have to call the STS AssumeRole API. If successful, the response should contain AccessKeyId, SecretKey and SessionToken. These are expiring AWS creds that have access to S3 and will be gone after an hour (unless set otherwise). Use them as normal session authentication.

// .NET SDK: Amazon.Runtime.SessionAWSCredentials and Amazon.S3.AmazonS3Client
var creds = new SessionAWSCredentials(accessKeyId, secretKey, sessionToken); // values from GetCredentialsForIdentity
var s3 = new AmazonS3Client(creds, RegionEndpoint.USEast1);                 // region of the bucket
owlwalks
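The flow the answer describes, as an added example that is not part of the question or the answer: the IdToken returned by initiateAuth is the web identity token, getCredentialsForIdentity exchanges it for one-hour AWS credentials, and a small broker caches those credentials and renews the IdToken with the refresh token (REFRESH_TOKEN_AUTH) when it is about to expire, so the user enters a password once. The region, pool IDs and client ID are placeholder assumptions, and the two AWS SDK v2 clients are injected so the example runs offline against constructed in-memory fakes.

```javascript
// Added example, not code from the question or the answer: the three calls
// (initiateAuth -> getId -> getCredentialsForIdentity) wired into a small broker
// that caches the temporary AWS credentials and renews them before expiry, so the
// user types a password once. Pool/client IDs are placeholders (assumptions).
const REGION = 'eu-west-1', USER_POOL_ID = 'eu-west-1_EXAMPLE', CLIENT_ID = 'example-app-client-id';
const IDENTITY_POOL_ID = 'eu-west-1:00000000-0000-0000-0000-000000000000';

// Provider name under which the identity pool expects the user pool IdToken.
const loginsKey = (region, poolId) => `cognito-idp.${region}.amazonaws.com/${poolId}`;

// Read the exp claim of a JWT without verifying it; it only drives refresh timing
// here. Cognito verifies the signature when the token is presented.
function jwtExpiryMs(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8')).exp * 1000;
}

class CredentialBroker {
  // idp/identity: AWS SDK v2 CognitoIdentityServiceProvider / CognitoIdentity, or
  // anything with the same .method(params).promise() shape (see the fakes below).
  constructor({ idp, identity, now = () => Date.now(), marginMs = 5 * 60 * 1000 }) {
    Object.assign(this, { idp, identity, now, marginMs, tokens: null, creds: null, identityId: null });
  }
  auth(AuthFlow, AuthParameters) {
    return this.idp.initiateAuth({ AuthFlow, ClientId: CLIENT_ID, AuthParameters }).promise();
  }
  // Step 1, once: USER_PASSWORD_AUTH yields IdToken, AccessToken and RefreshToken.
  async login(username, password) {
    const r = await this.auth('USER_PASSWORD_AUTH', { USERNAME: username, PASSWORD: password });
    this.tokens = r.AuthenticationResult;
    this.creds = null;
  }
  // Step 2: a still-valid IdToken (this is the "web identity token"), renewed with the
  // refresh token when within marginMs of expiry. No password, no second login.
  async idToken() {
    if (!this.tokens) throw new Error('not logged in');
    if (jwtExpiryMs(this.tokens.IdToken) - this.now() > this.marginMs) return this.tokens.IdToken;
    const r = await this.auth('REFRESH_TOKEN_AUTH', { REFRESH_TOKEN: this.tokens.RefreshToken });
    // REFRESH_TOKEN_AUTH returns new Id/Access tokens but not a new RefreshToken.
    this.tokens = { ...this.tokens, ...r.AuthenticationResult };
    return this.tokens.IdToken;
  }
  // Step 3: exchange the IdToken for AWS credentials via the identity pool (which
  // calls STS on our behalf) and cache them until they are close to expiry.
  async credentials() {
    if (this.creds && this.creds.Expiration.getTime() - this.now() > this.marginMs) return this.creds;
    const Logins = { [loginsKey(REGION, USER_POOL_ID)]: await this.idToken() };
    if (!this.identityId) {
      const { IdentityId } = await this.identity.getId({ IdentityPoolId: IDENTITY_POOL_ID, Logins }).promise();
      this.identityId = IdentityId;
    }
    const r = await this.identity.getCredentialsForIdentity({ IdentityId: this.identityId, Logins }).promise();
    this.creds = r.Credentials; // { AccessKeyId, SecretKey, SessionToken, Expiration: Date }
    return this.creds;
  }
}

// Constructed in-memory stand-ins for the two AWS clients so the flow runs offline.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const makeJwt = (exp) => `${b64url({ alg: 'none' })}.${b64url({ sub: 'user-1', exp })}.sig`;
function fakeAws(now) {
  const calls = { initiateAuth: 0, getId: 0, getCredentialsForIdentity: 0 };
  const resp = (v) => ({ promise: async () => v });
  const idp = { initiateAuth(p) {
    calls.initiateAuth++;
    const IdToken = makeJwt(Math.floor(now() / 1000) + 3600);           // 1 h token lifetime
    if (p.AuthFlow === 'USER_PASSWORD_AUTH') return resp({ AuthenticationResult: { IdToken, RefreshToken: 'rt-1' } });
    if (p.AuthFlow === 'REFRESH_TOKEN_AUTH' && p.AuthParameters.REFRESH_TOKEN === 'rt-1') return resp({ AuthenticationResult: { IdToken } });
    throw new Error('NotAuthorizedException');
  } };
  const identity = {
    getId(p) {
      calls.getId++;
      if (!p.Logins[loginsKey(REGION, USER_POOL_ID)]) throw new Error('NotAuthorizedException');
      return resp({ IdentityId: `${REGION}:identity-1` });
    },
    getCredentialsForIdentity() {
      calls.getCredentialsForIdentity++;
      return resp({ Credentials: { AccessKeyId: `ASIA${calls.getCredentialsForIdentity}`, SecretKey: 'secret',
        SessionToken: 'session', Expiration: new Date(now() + 3600 * 1000) } });  // 1 h creds
    },
  };
  return { idp, identity, calls };
}

// Login, upload 20 min later (cached creds reused), then 2 h later (IdToken and
// creds both expired: refresh-token renewal plus new STS creds, no second getId).
async function demo() {
  let t = Date.UTC(2024, 0, 1);
  const aws = fakeAws(() => t);
  const broker = new CredentialBroker({ idp: aws.idp, identity: aws.identity, now: () => t });
  await broker.login('alice', 'correct horse battery staple');
  const first = await broker.credentials();
  t += 20 * 60 * 1000;
  const second = await broker.credentials();
  t += 2 * 60 * 60 * 1000;
  const third = await broker.credentials();
  return { first, second, third, calls: aws.calls };
}
```

Two things to check in a real deployment: the credentials come from the identity pool's authenticated role, so scope that role's S3 policy per user (for example with the `${cognito-identity.amazonaws.com:sub}` policy variable in the object key prefix) rather than granting the whole bucket; and the broker holds the RefreshToken, which is far longer-lived than the one-hour IdToken and should be stored with the same care as a password-equivalent secret.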