hybrid9

Reputation: 2646

AWS Cognito does not authenticate using Federated Identity

I'm at the end of my rope with this issue. I've been trying to authenticate a Facebook-logged-in user from Firebase so I can allow image uploads to an S3 bucket. I've pored over the documentation, sample code, blog entries, etc. But I keep getting the following error:

Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

This is the documentation I followed with no success: External Identity Providers » Facebook

I've also read this blog entry several times, Understanding Amazon Cognito Authentication, and this quote appears to be what's happening:

If you see this, double check that you are using an appropriate role for your identity pool and authentication type.

I understand what it's saying, but I can't find the solution. I don't wish to store the users, I just want to authenticate and get the temporary credentials. Here's my code, role, and policy files.

JavaScript

AWS.config.update({
  region: bucketRegion,
  credentials: new AWS.CognitoIdentityCredentials({
    IdentityPoolId: IdentityPoolId,
    Logins: {
      'graph.facebook.com': 'my-valid-auth-token-from-fb-after-login'
    }
  })
});

AWS.config.credentials.get(function(err) {
  // error here: err reports "Not authorized to perform sts:AssumeRoleWithWebIdentity"
});

Authenticated IAM Role Policy - Inline

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "myuserBucketActions",
        "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucket-name"
    },
    {
        "Sid": "myuserListBucket",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucket-name",
        "Condition": {
            "StringLike": {
                "s3:prefix": "folder-in-bucket/*"
            }
        }
    },
    {
        "Sid": "myuserObjectActions",
        "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucket-name/folder-in-bucket/*"
    }
  ]
}

Trust Relationship for IAM Role Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "graph.facebook.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "graph.facebook.com:appId": "FACEBOOK_APP_ID"
        }
      }
    }
  ]
}

I have the proper FB App ID in the trust relationship and in the authentication providers in my pool. I also have the above auth role selected under Authenticated role in my pool. I'm also not allowing unauthenticated identities.

I honestly don't know what's going wrong. At this point I'm throwing spaghetti at the wall to see what sticks.

Quick side question: If I can't get this to work and go with unauthenticated users, then switch to authenticated, what are the potential ramifications?

Thanks for any help you can give me!

Upvotes: 1

Views: 542

Answers (1)

Rachit Dhall

Reputation: 1661

Seems like the trust relationship does not allow you to call sts:AssumeRoleWithWebIdentity.

Can you replace

"Condition": {
  "StringEquals": {
    "graph.facebook.com:appId": "FACEBOOK_APP_ID"
  }
}

by this

"ForAnyValue:StringLike": {
  "cognito-identity.amazonaws.com:amr": "graph.facebook.com"
}

Also replace

"Principal": {
  "Federated": "graph.facebook.com"
}

by

"Principal": {
  "Federated": "cognito-identity.amazonaws.com"
}

Upvotes: 2
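The reason the answer's two changes matter is that, when Cognito brokers the Facebook login, it is Cognito (not Facebook) that calls `sts:AssumeRoleWithWebIdentity` on the app's behalf, so the trust policy has to name `cognito-identity.amazonaws.com` as the federated principal and use Cognito's own condition keys. Below is an added example, not code from the question, the answer or AWS, that lints a trust policy for those requirements. It encodes the question's trust policy and the answer's corrected one as constructed objects and uses a placeholder identity pool ID. It goes one step beyond the answer by also checking for a `cognito-identity.amazonaws.com:aud` condition pinned to the identity pool ID: without it, a role trusting `cognito-identity.amazonaws.com` could be assumed through any identity pool in any account.

```javascript
// Added example: a lint for the trust policy of a Cognito identity pool's
// authenticated role. Not from the question, the answer, or the AWS SDK.
// POOL_ID is a placeholder; both policies are constructed for this example.

const POOL_ID = 'us-east-1:00000000-0000-0000-0000-000000000000';

// Mirrors the trust relationship posted in the question.
const ORIGINAL_TRUST_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: 'graph.facebook.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: { StringEquals: { 'graph.facebook.com:appId': 'FACEBOOK_APP_ID' } },
  }],
};

// The answer's two replacements, plus an aud condition pinning the pool.
const CORRECTED_TRUST_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Federated: 'cognito-identity.amazonaws.com' },
    Action: 'sts:AssumeRoleWithWebIdentity',
    Condition: {
      StringEquals: { 'cognito-identity.amazonaws.com:aud': POOL_ID },
      'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'graph.facebook.com' },
    },
  }],
};

// IAM allows most fields to be a string or an array; normalise to an array.
function asArray(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Returns a list of findings; an empty list means the policy passes.
function lintCognitoTrustPolicy(policy, identityPoolId) {
  const findings = [];
  const allowing = asArray(policy.Statement).filter(
    (s) => s.Effect === 'Allow' && asArray(s.Action).includes('sts:AssumeRoleWithWebIdentity')
  );
  if (allowing.length === 0) {
    return ['no Allow statement for sts:AssumeRoleWithWebIdentity'];
  }
  for (const s of allowing) {
    const federated = asArray(s.Principal && s.Principal.Federated);
    if (!federated.includes('cognito-identity.amazonaws.com')) {
      findings.push(`Principal.Federated ${JSON.stringify(federated)}: Cognito, not the ` +
        'identity provider, assumes the role, so it must be cognito-identity.amazonaws.com');
    }
    const cond = s.Condition || {};
    const aud = asArray((cond.StringEquals || {})['cognito-identity.amazonaws.com:aud']);
    if (aud.length === 0) {
      findings.push('no cognito-identity.amazonaws.com:aud condition: any identity pool, ' +
        'in any account, could assume this role');
    } else if (!aud.includes(identityPoolId)) {
      findings.push(`aud ${JSON.stringify(aud)} does not name identity pool ${identityPoolId}`);
    }
    const amr = asArray((cond['ForAnyValue:StringLike'] || {})['cognito-identity.amazonaws.com:amr']);
    if (amr.length === 0) {
      findings.push('no cognito-identity.amazonaws.com:amr condition: the role is not ' +
        'restricted by authentication type or provider');
    }
    // Provider-specific keys (graph.facebook.com:...) apply when the provider's
    // token is sent to STS directly; behind Cognito, STS only sees Cognito.
    for (const [op, keys] of Object.entries(cond)) {
      for (const key of Object.keys(keys)) {
        if (!key.startsWith('cognito-identity.amazonaws.com:')) {
          findings.push(`${op} on ${key}: not a Cognito condition key; it never matches ` +
            'when Cognito performs the assume-role call');
        }
      }
    }
  }
  return findings;
}

console.log('original:', lintCognitoTrustPolicy(ORIGINAL_TRUST_POLICY, POOL_ID));
console.log('corrected:', lintCognitoTrustPolicy(CORRECTED_TRUST_POLICY, POOL_ID));
```

Run against the question's policy the lint reports four findings (wrong principal, no `aud`, no `amr`, and a Facebook-specific condition key); against the corrected policy it reports none. The `amr` value `authenticated` is what the Cognito console generates; the answer's `graph.facebook.com` also works because Cognito includes the provider name in `amr` for identities that logged in through that provider.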
