Can someone please assist in pointing out what the issue might be when I try to access AWS apigateway resources using AWS Amplify Javascript SDK.
When a user logs into the platform (a portal I'm building), the credentials obtained through the Identity Pool's authRole are able to load the API catalogue, because the role's policy allows read access to all API Gateway resources. Here is what the policy looks like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"appsync:*",
"apigateway:GET",
"apigateway:POST",
"apigateway:DELETE",
"apigateway:PATCH",
"apigateway:PUT",
"cloudformation:CreateStack",
"cloudformation:CreateStackSet",
"cloudformation:DeleteStack",
"cloudformation:DeleteStackSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackSet",
"cloudformation:DescribeStackSetOperation",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:UpdateStackSet",
"cloudfront:CreateCloudFrontOriginAccessIdentity",
"cloudfront:CreateDistribution",
"cloudfront:DeleteCloudFrontOriginAccessIdentity",
"cloudfront:DeleteDistribution",
"cloudfront:GetCloudFrontOriginAccessIdentity",
"cloudfront:GetCloudFrontOriginAccessIdentityConfig",
"cloudfront:GetDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateCloudFrontOriginAccessIdentity",
"cloudfront:UpdateDistribution",
"cognito-identity:CreateIdentityPool",
"cognito-identity:DeleteIdentityPool",
"cognito-identity:DescribeIdentity",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:SetIdentityPoolRoles",
"cognito-identity:UpdateIdentityPool",
"cognito-idp:CreateUserPool",
"cognito-idp:CreateUserPoolClient",
"cognito-idp:DeleteUserPool",
"cognito-idp:DeleteUserPoolClient",
"cognito-idp:DescribeUserPool",
"cognito-idp:UpdateUserPool",
"cognito-idp:UpdateUserPoolClient",
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:GetUser",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:UpdateRole",
"lambda:AddPermission",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:InvokeAsync",
"lambda:InvokeFunction",
"lambda:RemovePermission",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"s3:*",
"amplify:*"
],
"Resource": "*"
}
]
}
The above policy is attached to the authRole (the role assumed when a user is authenticated) and works as expected together with the code below. Note that the policy grants far more than read access to API Gateway: with `"Resource": "*"` it lets every signed-in user create IAM roles and pass them (`iam:CreateRole`, `iam:PutRolePolicy`, `iam:PassRole`), create, modify and invoke Lambda functions, and do anything in S3 (`s3:*`) and Amplify (`amplify:*`) across the account — effectively administrator-level access handed to browser code, so it should be cut down to the `apigateway:GET` the portal actually needs.
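/**
 * Exchanges the signed-in user's Cognito User Pool ID token for Identity Pool
 * credentials and installs them on the global AWS SDK configuration.
 *
 * The Identity Pool maps the ID token to its *authenticated* role, so every AWS SDK
 * call the browser makes afterwards runs under that role's IAM policy. Keep that
 * policy minimal — whatever it allows is available to every signed-in user.
 *
 * @returns a promise that resolves to `true` once `AWS.config.credentials` is set.
 * @throws presumably rejects when no user is signed in (`Auth.currentAuthenticatedUser`
 *   has nothing to return) — confirm against the Amplify Auth docs.
 */
public async configureAwsIdentityCredentials(): Promise<boolean> {
  const sessionUser = await Auth.currentAuthenticatedUser();
  const idToken: string = sessionUser.signInUserSession.idToken.jwtToken;
  // The Logins key is "<cognito-idp endpoint>/<user pool id>"; the Identity Pool matches
  // it against the authentication providers configured on the pool.
  const providerName = environment.cognitoIdpUrl + environment.appClient.userPoolId;
  const logins: Record<string, string> = { [providerName]: idToken };
  const cognitoParams = {
    IdentityPoolId: environment.appClient.identityPoolId,
    Logins: logins,
  };
  AWS.config.credentials = new AWS.CognitoIdentityCredentials(cognitoParams);
  // An async function already returns a Promise; the rxjs `of(true).toPromise()`
  // round-trip was redundant.
  return true;
}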
The issue comes in when I need to pull the resources from AWS without an authenticated user, i.e. before anyone logs in. I have enabled unauthenticated access on the Identity Pool and attached the above policy to the unauthRole (be aware that whatever the unauthRole allows is available to anyone on the Internet who loads the app, since the Identity Pool ID ships in the client). `Auth.currentCredentials()` does return an `AWS.ICredentials` instance — the CloudTrail event further down confirms the unauthRole is being assumed — but when the application then calls API Gateway I receive an access denied error. Below is the snippet for unauthenticated access:
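/**
 * Installs Identity Pool credentials on the global AWS SDK configuration without
 * requiring a signed-in user, so public pages can call AWS APIs.
 *
 * Security note: these credentials can be obtained by anyone who loads the app, so the
 * Identity Pool's *unauthenticated* role must carry only the read-only permissions the
 * public pages actually need — never a copy of the authenticated role's policy.
 *
 * NOTE(review): `Auth.currentCredentials()` is expected to return the unauthenticated
 * identity's credentials only while nobody is signed in; confirm what it returns if this
 * is called after a login, since the method name promises "without login".
 *
 * @returns a promise that resolves to `true` once `AWS.config.credentials` is set.
 * @throws presumably rejects when Amplify cannot obtain credentials (e.g. unauthenticated
 *   access is disabled on the Identity Pool) — confirm against the Amplify Auth docs.
 */
public async configureCurrentCreditialsWithoutLogin(): Promise<boolean> {
  const credentials = await Auth.currentCredentials();
  AWS.config.credentials = credentials;
  // An async function already returns a Promise; the rxjs `of(true).toPromise()`
  // round-trip was redundant.
  return true;
}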
Here is the text of the console error shown in the screenshot:
ERROR Error: "Uncaught (in promise): AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/amplify-XXXX-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis
Below are the corresponding CloudTrail events: the authenticated call (authRole) succeeds, while the unauthenticated call (unauthRole) is denied for the same `apigateway:GET` on `/restapis`. Auth:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAUKJTJFOLBWD5XZVSP:CognitoIdentityCredentials",
"arn": "arn:aws:sts::xxx:assumed-role/xxx-authRole/CognitoIdentityCredentials",
"accountId": "xxx",
"accessKeyId": "xxx",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAUKJTJFOLBWD5XZVSP",
"arn": "arn:aws:iam::xxx:role/xxx-authRole",
"accountId": "xxx",
"userName": "xxx-authRole"
},
"webIdFederationData": {
"federatedProvider": "cognito-identity.amazonaws.com",
"attributes": {
"cognito-identity.amazonaws.com:amr": "[\"authenticated\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA\",\"cognito-idp.eu-west-1.amazonaws.com/eu-west-1_cCdLTN7nA:CognitoSignIn:6c6f8c2e-d7e9-4e31-99dd-0c46898fd9a2\"]",
"cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
"cognito-identity.amazonaws.com:sub": "eu-west-1:d5a7dc54-67f9-4b9e-9993-91e2cfa9d624"
}
},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-10T14:58:43Z"
}
}
},
"eventTime": "2020-06-10T14:58:44Z",
"eventSource": "apigateway.amazonaws.com",
"eventName": "GetRestApis",
"awsRegion": "eu-west-1",
"sourceIPAddress": "41.113.113.159",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"requestParameters": {
"limit": 20,
"template": false
},
"responseElements": null,
"requestID": "db448c52-dd00-4c51-af23-e3e51c934407",
"eventID": "b6aa7c4b-120e-49a8-b81c-2256f7ee4491",
"readOnly": true,
"eventType": "AwsApiCall",
"recipientAccountId": "xxx"
}
Unauth:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAUKJTJFOLPFSCSBJPE:CognitoIdentityCredentials",
"arn": "arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials",
"accountId": "xxx",
"accessKeyId": "xxx",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAUKJTJFOLPFSCSBJPE",
"arn": "arn:aws:iam::xxx:role/xxx-unauthRole",
"accountId": "xxx",
"userName": "xxx-unauthRole"
},
"webIdFederationData": {
"federatedProvider": "cognito-identity.amazonaws.com",
"attributes": {
"cognito-identity.amazonaws.com:amr": "[\"unauthenticated\"]",
"cognito-identity.amazonaws.com:aud": "eu-west-1:2a0fcef4-dd19-4db5-955f-5e1a2865f821",
"cognito-identity.amazonaws.com:sub": "eu-west-1:05fe8797-163f-4cee-98c1-754ad268d83b"
}
},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-06-10T14:58:00Z"
}
}
},
"eventTime": "2020-06-10T14:58:01Z",
"eventSource": "apigateway.amazonaws.com",
"eventName": "GetRestApis",
"awsRegion": "eu-west-1",
"sourceIPAddress": "169.0.135.161",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::xxx:assumed-role/xxx-unauthRole/CognitoIdentityCredentials is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis",
"requestParameters": null,
"responseElements": null,
"requestID": "e9091a88-dc61-4999-8683-336fbf4fbc74",
"eventID": "977ca45c-559e-4a31-9960-41accfb1aaa7",
"readOnly": true,
"eventType": "AwsApiCall",
"recipientAccountId": "xxx"
}