Reputation: 2728
How to specify Amazon AWS User Pool in trust relationship with Cognito Identity
I have AWS Cognito User Pool logins working, and I have a Federated Identity Pool with the User Pool connected and specified as the authentication provider in the console.
But now I am trying to get trust working between the Cognito User Pool and the Cognito Identity Pool.
In the code snippet below you can see my trust relationship for the unauthenticated role. (The authenticated role version matches exactly at the moment, eventually it won't but I made them the same and gave both roles privileges in an attempt to see it work). xxxx is the CognitoIdentityId that is pre-filled, and yyyy is my account number and zzzz is the Cognito User Pool ID.
I keep getting errors when I try to create the trust relationship and use the app. Here is the most common error:
getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=InvalidIdentityPoolConfigurationException, message=Invalid identity pool configuration. Check assigned IAM roles for this pool.}]
2016-08-29 21:50:11.634 signin[7778:1222711] AWSiOSSDK v2.4.7 [Error] AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=InvalidIdentityPoolConfigurationException, message=Invalid identity pool configuration. Check assigned IAM roles for this pool.}]
The trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxx”,
"cognito-idp.amazonaws.com:aud": "arn:aws:cognito-idp:us-east-1:yyyyyyyy:userpool/zzzzzzzzz”
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated",
"cognito-idp.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
Part of the problem may be that I don't understand the format of the "cognito-idp.amazonaws.com:aud": "cognito-idp.amazonaws.com:aud" line. I suspect that I should be changing the format in some way or specifying a different domain of amazonaws.com as the aud, but I have tried a dozen combinations and failed.
So the question is: How to specify the trust relationship.
And a subsidiary question is: Is the idea that if my user authenticates with the user pool, and if the trust relationship is specified properly, that my user will take on the roles that specify that trust? Or does the user only take on one role somehow, and how is that role chosen by Cognito if multiple trust relationships exist?
Upvotes: 2
Views: 3276
Answers (1)
Reputation: 226
There are three problems here in the trust relationship policy,
- "cognito-idp.amazonaws.com:aud" is not needed, this role is assumed by identity pool, user pool is just a provider, it's not relevant anymore
- "cognito-idp.amazonaws.com:amr" is not needed
- If this is an authenticated role, the amr should be authenticated instead of unauthenticated
Upvotes: 0
Related Questions
- AWS Cognito User Pool - "Value null at 'userName' failed to satisfy constraint: Member must not be null" - iOS
- Cognito User Pool - Linked providers how to authenticate
- AWS-Cognito: How to assign user roles in the user pool?
- AWS Cognito User Pools in iOS (Swift) app
- AWS Cognito Authenticated Credentials IOS Swift 2.3 - 3 (Integrating User Pool & Identity Pool)
- How to set Cognito User Pool User DeviceAttributes
- How do I integrate cognito user pool with identity pool?
- AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity?
- How to integrate Cognito User Pools with Cognito Federated Identity Pools
- Using Amazon Cognito Identity User Pools