AccessDenied: not allowed to execute sts:AssumeRoleWithWebIdentity

I looked at similar problems, but could not solve my problem. I am developing a web application where the user will authenticate using AWS Cognito authentication. Part of the registration is approved, but when I try to log in, I get a "not authorized" exception. I already tried to attach my own policies to my IAM role (authorizing sts:AssumeRoleWithWebIdentity), but it does not work. Here's how the code is written right now:

var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        var sts = new AWS.STS({apiVersion: '2011-06-15'});

        var params = {
            RoleArn: 'arn:aws:iam::981601120657:role/Cognito_AliceAuth_Role', /* required */
            RoleSessionName: 'AliceUserSession', 
            WebIdentityToken: result.getIdToken().getJwtToken(), 
            Policy: '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity", "Resource": "*" } ] }'
        };

        sts.assumeRoleWithWebIdentity(params, function (err, data) {
            if (err)
                console.log(err, err.stack); // ** <-- ERROR HERE
            else
                console.log(data);           // successful response
        });

        //document.getElementById('authForm').submit();
    },
    onFailure: function (err) {
        alert(err);
    }

});

As you can see, I also specified the policy in the code, but I still get the message "AccessDenied: Not authorized to execute sts:AssumeRoleWithWebIdentity". Please help me :/

EDIT:

"Cognito_AliceAuth_Role": AssumeRoleWithWebIdentityPolicy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Resource": "*"
        }
    ]
}

GetFederationTokenPolicy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*"
        }
    ]
}

:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
+4
2

, , Cognito, AssumeRoleWithWebIdentity.

Cognito, OpenID Connect, Cognito, AssumeRoleWithWebIdentity. getCredentialsForIdentity, .

. this, , Cognito.

+2

,

  • .
  • ( 1) .
  • .
  • IAM . AssumeRoleWithWebIdentity .
  • , , .
  • , cognito, aws sdk jwt.

AWS.config.region = "<YOUR_REGION>";

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: '<YOUR_IDENTITY_POOL_ID>',
    Logins: {
        // Change the key below according to the specific region your user pool is in.
        // A template literal used as an object key must be written as a computed key ([...]).
        // `data.UserPoolId` is the user pool ID; `session` is the CognitoUserSession
        // handed to onSuccess by authenticateUser.
        [`cognito-idp.${AWS.config.region}.amazonaws.com/${data.UserPoolId}`]: session.getIdToken().getJwtToken()
    }
});

- https://aws.amazon.com/blogs/developer/authentication-with-amazon-cognito-in-the-browser/

+1
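As an added example (not code from the question or either answer), the script below evaluates the role trust policy quoted in the question against three request shapes, to show which callers that policy admits and which it refuses. The identity pool ID is the one from the question; the user pool ID `us-east-1_EXAMPLE`, the sample `amr` values, and the way a direct call with a user-pool token is modelled (different federated principal, no `cognito-identity.amazonaws.com:*` context keys) are assumptions of this example, not AWS's published evaluation logic. It models only the policy constructs that trust policy uses.

```javascript
// Added example: a small trust-policy evaluator for the policy quoted in the
// question. It models a Federated principal match, StringEquals and
// ForAnyValue:StringLike; it is not a general IAM policy engine.

// The trust policy exactly as posted in the question.
const trustPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: {
          'cognito-identity.amazonaws.com:aud': 'us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02'
        },
        'ForAnyValue:StringLike': {
          'cognito-identity.amazonaws.com:amr': 'authenticated'
        }
      }
    }
  ]
};

// IAM values may be a single string or an array; normalise to an array.
const asList = (v) => (v === undefined ? [] : [].concat(v));

// Translate an IAM StringLike pattern (* = any run, ? = one char) into a RegExp.
function likeToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Evaluate a Condition block against the request's context keys. A key that
// is absent from the request can never satisfy these operators, so the
// statement simply does not apply.
function conditionMatches(condition, keys) {
  for (const [operator, pairs] of Object.entries(condition)) {
    for (const [key, expected] of Object.entries(pairs)) {
      const actual = asList(keys[key]);
      const wanted = asList(expected);
      let ok;
      if (operator === 'StringEquals') {
        ok = actual.length > 0 && actual.every((v) => wanted.includes(v));
      } else if (operator === 'ForAnyValue:StringLike') {
        ok = actual.some((v) => wanted.some((p) => likeToRegExp(p).test(v)));
      } else {
        throw new Error('operator not modelled: ' + operator);
      }
      if (!ok) return false;
    }
  }
  return true;
}

// 'Deny' if any matching statement denies, 'Allow' if one allows, otherwise
// the implicit 'Deny'. request = { principal, action, keys }.
function evaluateTrust(policy, request) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const principalOk = stmt.Principal.Federated === request.principal.Federated;
    const actionOk = asList(stmt.Action).includes(request.action);
    if (principalOk && actionOk && conditionMatches(stmt.Condition || {}, request.keys)) {
      if (stmt.Effect === 'Deny') return 'Deny';
      allowed = true;
    }
  }
  return allowed ? 'Allow' : 'Deny';
}

// Request 1: the identity-pool path. Cognito Identity calls STS on the user's
// behalf, with the pool ID as aud and amr describing the login (sample values).
const viaIdentityPool = {
  principal: { Federated: 'cognito-identity.amazonaws.com' },
  action: 'sts:AssumeRoleWithWebIdentity',
  keys: {
    'cognito-identity.amazonaws.com:aud': 'us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02',
    'cognito-identity.amazonaws.com:amr': ['authenticated', 'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE']
  }
};

// Request 2: same pool, but a guest identity (amr = unauthenticated).
const guestIdentity = {
  principal: { Federated: 'cognito-identity.amazonaws.com' },
  action: 'sts:AssumeRoleWithWebIdentity',
  keys: {
    'cognito-identity.amazonaws.com:aud': 'us-east-1:e4c1833d-a62b-402a-b995-1b2513b04c02',
    'cognito-identity.amazonaws.com:amr': ['unauthenticated']
  }
};

// Request 3: the question's code path, modelled as a direct STS call carrying
// a user-pool ID token: the federated principal is the user pool issuer and
// no cognito-identity.* context keys are present (assumption of this model).
const directUserPoolToken = {
  principal: { Federated: 'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE' },
  action: 'sts:AssumeRoleWithWebIdentity',
  keys: {}
};

for (const [name, req] of Object.entries({ viaIdentityPool, guestIdentity, directUserPoolToken })) {
  console.log(name, '->', evaluateTrust(trustPolicy, req));
}
```

Run it with `node`: only the identity-pool request with an authenticated `amr` is allowed; the guest identity fails the `amr` pattern, and the direct-token request never reaches the condition block because its principal is not `cognito-identity.amazonaws.com`. That is why attaching extra `sts:AssumeRoleWithWebIdentity` permissions to the role itself, as the question tries, cannot change the outcome: the decision is made by the trust policy's principal and condition keys, which only an identity pool supplies.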
