Search code examples
amazon-web-serviceslambdapolicyamazon-cognito

Not authorized to perform AssumeRoleWithWebIdentity with Cognito User

With AWS-Cognito-Identity-Js I obtain a session ID token session.getIdToken().getJwtToken() for a authenticated Cognito User.

I pass this token to my AWSInitialize function and update the AWS Credentials:

var AWSInitialize = function(token){
  Logins = {};
  Logins['cognito-idp.' + AWSCognito.config.region + '.amazonaws.com/' + poolData.UserPoolId] = token;

  AWS.config.update({
    region: AWSCognito.config.region,
    credentials: new AWS.CognitoIdentityCredentials({
        IdentityPoolId : identityPoolId,
        region: AWSCognito.config.region,
        Logins : Logins
    })
  });
};

This works correctly because now for example I can execute a Lambda-Function on behalf of an authenticated Cognito User.

 var lambda = new AWS.Lambda({});
 lambda.invoke({FunctionName: 'createToken'}, function(err, data) ...

This is possible because in the Cognito_myAppAuth_Role I attached a Policy that allows me to Execute this Lambda-Function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471300653000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:eu-west-1:593845191076:function:createToken"
            ]
        }
    ]
}

Now what I am trying to do Is to get Tokens with STS for the same users

For that I attached another policy to Cognito_myAppAuth_Role. It should allow the Cognito Users to call assumeRoleWithWebIdentity:

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1472560044000",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

But when I run this code: 

var sts = new AWS.STS({});

var params = {
  RoleArn: 'arn:aws:iam::593845191076:role/Cognito_myAppAuth_Role', /* required */
  RoleSessionName: "UserName", /* required */
  WebIdentityToken: token, /* required */
};

sts.assumeRoleWithWebIdentity(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

I get the following error:

  AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

I do not understand why the user is not authorized to perform sts:AssumeRoleWithWebIdentity. To the authenticated Role I attached a STS policy and the Lambda-Policy was also working for the User

Where could be the problem? How can I solve this issue?

Thanks a lot!

Solution

  • I suspect the reason for this failure is that you are trying to use the Cognito Your User Pool token directly with STS. While I no longer work directly on Cognito, I do not believe this will work.

    You should try one of the following:

    1. (recommended) Use the Cognito federated identity calls GetId and GetCredentialsForIdentity to get your temporary credentials. This is what your first block of code is doing under the hood.
    2. Use the Cognito federated identity calls GetId and GetOpenIdToken, then use that token in your AssumeRoleForWebIdentity call.

    Hope this helps.