Reputation: 47911
I'm getting an Invalid access key error using credentials redeemed from an Amazon OpenID token from Cognito.
Here's what I'm doing
Step 1. Get a developer authenticated OpenID token:

```javascript
// Step 1: mint an OpenID Connect token for the developer authenticated identity.
// The response object carries IdentityId and Token (there is no "credentials" field),
// so the whole response is kept and read later as openIdToken.Token.
cognito.getOpenIdTokenForDeveloperIdentity(params, function (err, data) {
  if (err) { throw err; }
  openIdToken = data;
});
```
Step 2. Redeem the OpenID token for security credentials. I set the params to the Cognito Auth role and an arbitrary role session name, and use the token from step 1. There is no place where I set the identity id from step 1.
```javascript
it('should be able to exchange temporary open id token for auth credentials', function (done) {
  var sts = new AWS.STS();
  var params = {
    RoleArn: roleArn,
    RoleSessionName: 'photo-upload-session',
    WebIdentityToken: openIdToken.Token
  };
  sts.assumeRoleWithWebIdentity(params, function (err, data) {
    should.not.exist(err);
    should.exist(data.Credentials.AccessKeyId);
    should.exist(data.Credentials.SecretAccessKey);
    should.exist(data.Credentials.SessionToken);
    credentials = data.Credentials;
    done();
  });
});
```
Step 3. I update the current credentials:

```javascript
// Only the access key id and secret from the STS result are applied here.
AWS.config.update({accessKeyId: credentials.AccessKeyId, secretAccessKey: credentials.SecretAccessKey});
```
Step 4. I upload a file to S3 and get the error: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.
Edit: using Bob Kinney's advice I tried two methods - setting the sessionToken (which worked) and using the Cognito credentials, which gave a TypeError "not a buffer" error. The CognitoIdentityCredentials example is below.
```javascript
var fs = require('fs');

// config.get(...) reads the identity pool id from the application's own configuration.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: config.get('aws_identity_pool_id'),
  Logins: {
    'cognito-identity.amazonaws.com': openIdToken.Token
  }
});
var body = fs.createReadStream(__dirname + '/test_photo.jpg');
var s3obj = new AWS.S3({params: {Bucket: 'test-uploads', Key: 'test'}});
s3obj.upload({Body: body})
  .on('httpUploadProgress', function (evt) { console.log(evt); })
  .send(function (err, data) {
    should.not.exist(err);
    done();
  });
```
Update: moving back to the Java client error, we are using the OpenID token (which was tested to work correctly with sts.assumeRoleWithWebIdentity) and passing that token into an extension of AWSAbstractCognitoIdentityProvider (code taken from this link: http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenticated-identities/) - then, using that identity to upload to S3, we get the error:
```java
CustomAwsIdentityProvider provider = CustomAwsIdentityProvider.newInstance(this, BuildConfig.AWS_COGNITO_POOL_ID, Regions.US_EAST_1);
CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(this, provider, Regions.US_EAST_1);
TransferManager tm = new TransferManager(credentialsProvider);
tm.upload("my-upload", uuid.toString(), file);
```
Upvotes: 2
Views: 2267
Reputation: 9030
Sorry for the issues. It appears you are using the JavaScript SDK. When using this flow you can use the standard AWS.CognitoIdentityCredentials object as mentioned in the developer guide, using the key cognito-identity.amazonaws.com and, as the value, the OpenId Connect token returned from the getOpenIdTokenForDeveloperIdentity call.

The reason for the error you are seeing is that you are not including the sessionToken from the STS result. Using the AWS.CognitoIdentityCredentials object should resolve this for you.
Update 2015-07-21: There is a small issue in the SDK that will unfortunately prevent AWS.CognitoIdentityCredentials from working as I described it. We are working on mitigating this issue.

Update 2015-07-24: You should be able to use the following to use the AWS.CognitoIdentityCredentials with your developer authenticated identity:
```javascript
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'MY_IDENTITY_POOL',
  IdentityId: data.IdentityId,
  Logins: {
    'cognito-identity.amazonaws.com': data.Token
  }
});
```

Where data is the response from GetOpenIdTokenForDeveloperIdentity.
Upvotes: 2
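The missing sessionToken the answer points at, as an added example that is not code from the question or the answer: it turns an STS AssumeRoleWithWebIdentity response into the object AWS.config.update() expects and refuses to drop the session token from a temporary (ASIA-prefixed) key, which is exactly the incomplete config that produced InvalidAccessKeyId above. The STS response, key and token values are constructed sample data.

```javascript
// Added example, not part of the question or answer. The STS response below is
// constructed sample data; the key, secret and token values are fake.
const SAMPLE_STS_RESPONSE = {
  Credentials: {
    AccessKeyId: 'ASIAEXAMPLE0000000001',       // constructed; "ASIA" prefix = temporary key
    SecretAccessKey: 'example-secret-access-key', // constructed
    SessionToken: 'example-session-token',        // constructed
    Expiration: '2015-07-24T12:00:00Z'
  },
  SubjectFromWebIdentityToken: 'us-east-1:00000000-0000-0000-0000-000000000000' // constructed
};

// Temporary credentials issued by STS or Cognito have access key ids starting with
// "ASIA"; long-term IAM user keys start with "AKIA". A temporary key is only valid
// together with its session token, so the two must always travel together.
function isTemporaryAccessKey(accessKeyId) {
  return typeof accessKeyId === 'string' && accessKeyId.startsWith('ASIA');
}

// Convert an STS AssumeRoleWithWebIdentity result into the shape AWS.config.update()
// takes. Throws rather than silently building the two-field config from the question.
function configFromStsCredentials(stsResponse) {
  const c = stsResponse && stsResponse.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretAccessKey) {
    throw new Error('STS response has no AccessKeyId/SecretAccessKey');
  }
  if (isTemporaryAccessKey(c.AccessKeyId) && !c.SessionToken) {
    throw new Error('temporary access key ' + c.AccessKeyId + ' requires a SessionToken');
  }
  const cfg = { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey };
  if (c.SessionToken) {
    cfg.sessionToken = c.SessionToken;
  }
  return cfg;
}

// Temporary credentials expire. Refresh them before Expiration, keeping a margin
// so an upload that starts just before expiry does not fail midway.
function needsRefresh(stsResponse, now, marginSeconds) {
  const exp = Date.parse(stsResponse.Credentials.Expiration);
  return now.getTime() + marginSeconds * 1000 >= exp;
}

console.log(JSON.stringify(configFromStsCredentials(SAMPLE_STS_RESPONSE)));
```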