drfence
Reputation: 1567
AWS Cognito: Access to Identity is forbidden when calling getOpenIdToken()
After successfully obtaining a cognito identity, we then try to get an openIdToken()
AWS.config.credentials.get(function(err) {
if (!err) {
var cognitoIdentity = new AWS.CognitoIdentity();
cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
} else {
console.log('cognito error: ' + err);
}
});
However this fails with:
"NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
Full error trace:
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
Upvotes: 7
Views: 9079
Answers (1)
Rachit Dhall
Reputation: 1661
The two most common reasons for this error are:
- You haven't setup the roles correctly in the identity pool configuration.
- You are trying to get token for an authenticated identity without providing the token from the identity provider.
Please check your code for both the scenarios above, if error still persists, please PM me your identityId/identityPoolId and I will be happy to dig deeper.
Thanks,
Rachit
Upvotes: 6
Related Questions
- AWS Cognito; unauthorized_client error when hitting /oauth2/token
- AWS cognito returning - 'Invalid Login Token. Not a Cognito Token'
- CognitoIdentityCredentials not providing access
- OAuth Cognito ID token unauthorized
- "Access token does not contain openid scope" in AWS Cognito
- AWS cognito: "Access token does not contain openid scope"
- Cognito getId: NotAuthorizedException: Invalid login token. Not a valid OpenId Connect identity token
- AWS Cognito NotAuthorizedException A client attempted to write unauthorized attribute
- AmazonCognitoIdentity AccessDeniedException
- Invalid access key error using credentials redeemed from an amazon open id token