Tags: javascript, amazon-web-services, amazon-s3, aws-sdk-js

"The AWS Access Key Id you provided does not exist in our records" during a federation with Salesforce


I'm trying to establish a federation between Amazon and Salesforce, in this way: if a user correctly authenticates through Salesforce, they will see all S3 buckets in the given account.

Quite simple: I followed this blog post and changed a few things (i.e. I don't use a DynamoDB table, and for simplicity the callback is hosted inside an S3 bucket). The flow that I'm trying to implement is called the Enhanced (simplified) flow (details here):

Enhanced simplified flow

I slightly modified the callback code compared to the article:

function onPageLoad() {
    var url = window.location.href;
    var match = url.match('id_token=([^&]*)');
    var id_token = "";

    if (match) {
        id_token = match[1];
    } else {
        console.error("Impossibile recuperare il token");
    }

    AWS.config.region = "eu-west-1";
    const cognitoParams = {
        AccountId: "ACC_ID",
        IdentityPoolId: "eu-west-1:XXX",
        Logins: {
            "login.salesforce.com": id_token
        }
    };

    const identity = new AWS.CognitoIdentity();

    // Step 1: resolve the Salesforce id_token to a Cognito identity id
    identity.getId(cognitoParams, function (err, identityData) {
        if (err) {
            printMessage(err);
            return;
        }

        const identityParams = {
            IdentityId: identityData.IdentityId,
            Logins: cognitoParams.Logins
        };

        // Step 2: exchange the identity id for AWS credentials
        identity.getCredentialsForIdentity(identityParams, function (err, data) {
            if (err) {
                printMessage(err);
            } else {
                // Credentials handed to the S3 client: access key id and secret key only
                var c = {
                    region: 'eu-west-1',
                    accessKeyId: data.Credentials.AccessKeyId,
                    secretAccessKey: data.Credentials.SecretKey
                };
                var s3 = new AWS.S3(c);

                // HERE IS THE ERROR - the callback's first argument is the error;
                // data is empty and err contains the error
                s3.listBuckets(function (err, data) {
                    if (err) {
                        printMessage(err);
                        return;
                    }
                    data.Buckets.forEach(function (value) { appendMessage(value.Name); });
                });
            }
        });
    });

    // IRRELEVANT CODE
}

I can get the token from Salesforce, I can get the access and secret keys but when I try to list the buckets I get a laconic:

The AWS Access Key Id you provided does not exist in our records.

I found this error reasonable since I have no user at all and the keys are created on-the-fly. Where can I hit my head? The SDK is 2.103.0.


Solution

1. Could be due to eventual consistency of IAM. Can you try to include a delay before calling the listbucket API, or make the request to the us-east-1 endpoint? http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-service2

2. GetCredentialsForIdentity returns temporary credentials, so you should include AccessKeyId, SecretKey and SessionToken to make the request. http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html Hope this helps.
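The second point in practice, as an added example (not code from the question or the answer): a small helper that maps a GetCredentialsForIdentity response onto the aws-sdk v2 config keys, including `sessionToken`, and refuses incomplete or expired temporary credentials before they reach the S3 client; the sample response and the `printMessage`-style callbacks are constructed for this example.

```javascript
// Constructed sample GetCredentialsForIdentity response (placeholder values,
// not real credentials). Note the Cognito field names: AccessKeyId, SecretKey,
// SessionToken, Expiration.
const sampleCognitoResponse = {
  IdentityId: "eu-west-1:00000000-0000-0000-0000-000000000000",
  Credentials: {
    AccessKeyId: "ASIAEXAMPLEEXAMPLE",
    SecretKey: "examplesecretkeyexamplesecretkey",
    SessionToken: "IQoJb3JpZ2luX2VjEXAMPLE",
    Expiration: new Date(Date.now() + 3600 * 1000)
  }
};

// Temporary credentials are only accepted by AWS when all three parts are sent,
// so treat a missing SessionToken as a local error instead of letting S3 answer
// "The AWS Access Key Id you provided does not exist in our records".
function toSdkCredentials(cognitoData, now = new Date()) {
  const c = cognitoData && cognitoData.Credentials;
  if (!c) throw new Error("GetCredentialsForIdentity returned no Credentials");
  const missing = ["AccessKeyId", "SecretKey", "SessionToken"].filter(k => !c[k]);
  if (missing.length) {
    throw new Error("Temporary credentials incomplete: missing " + missing.join(", "));
  }
  if (c.Expiration && new Date(c.Expiration) <= now) {
    throw new Error("Temporary credentials already expired");
  }
  // aws-sdk v2 config keys (camelCase) for new AWS.S3(config)
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretKey, sessionToken: c.SessionToken };
}

function s3ConfigFor(region, cognitoData) {
  return Object.assign({ region }, toSdkCredentials(cognitoData));
}

// Node-style callback for s3.listBuckets: first argument is the error, second the
// response. Returns the bucket names so the outcome can be checked.
function handleListBuckets(onName, onError) {
  return function (err, data) {
    if (err) { onError(err); return []; }
    const names = data.Buckets.map(b => b.Name);
    names.forEach(onName);
    return names;
  };
}
```

With the real SDK the call becomes `new AWS.S3(s3ConfigFor("eu-west-1", data)).listBuckets(handleListBuckets(appendMessage, printMessage))`.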