Reputation: 2646
I'm at the end of my rope with this issue. I've been trying to authenticate a Facebook logged-in user from Firebase so I can allow image uploads to an S3 bucket. I've pored over the documentation, sample code, blog entries, etc. But I keep getting the following error:
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity
This is the documentation I followed with no success: External Identity Providers » Facebook
I've also read this blog entry, Understanding Amazon Cognito Authentication, several times, and this quote appears to be what's happening:
If you see this, double check that you are using an appropriate role for your identity pool and authentication type.
I understand what it's saying, but I can't find the solution. I don't wish to store the users, I just want to authenticate and get the temporary credentials. Here's my code, role, and policy files.
JavaScript
AWS.config.update({
  region: bucketRegion,
  credentials: new AWS.CognitoIdentityCredentials({
    IdentityPoolId: IdentityPoolId,
    // Facebook access token returned by the FB SDK after the user logs in
    Logins: {
      'graph.facebook.com': 'my-valid-auth-token-from-fb-after-login'
    }
  })
});
// Resolve the temporary credentials; the callback receives the STS error
AWS.config.credentials.get(function(err) {
  // error here
});
Authenticated IAM Role Policy - Inline
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "myuserBucketActions",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "myuserListBucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringLike": {
          "s3:prefix": "folder-in-bucket/*"
        }
      }
    },
    {
      "Sid": "myuserObjectActions",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/folder-in-bucket/*"
    }
  ]
}
Trust Relationship for IAM Role Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "graph.facebook.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "graph.facebook.com:appId": "FACEBOOK_APP_ID"
        }
      }
    }
  ]
}
I have the proper FB App ID in the trust relationship and in the authentication providers in my pool. I also have the above auth role selected under Authenticated role in my pool. I'm also not allowing unauthenticated identities.
I honestly don't know what's going wrong. At this point I'm throwing spaghetti at the wall to see what sticks.
Quick side question: If I can't get this to work and go with unauthenticated users, then switch to authenticated, what are the potential ramifications?
Thanks for any help you can give me!
Upvotes: 1
Views: 542
Reputation: 1661
Seems like the trust relationship does not allow you to call sts:AssumeRoleWithWebIdentity.
Can you replace
"Condition": {
  "StringEquals": {
    "graph.facebook.com:appId": "FACEBOOK_APP_ID"
  }
}
by this
"Condition": {
  "ForAnyValue:StringLike": {
    "cognito-identity.amazonaws.com:amr": "graph.facebook.com"
  }
}
Also replace
"Principal": {
  "Federated": "graph.facebook.com"
}
by
"Principal": {
  "Federated": "cognito-identity.amazonaws.com"
}
Upvotes: 2
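The point of the answer is that the browser SDK never presents the Facebook token to STS itself: it exchanges it with the Cognito identity service, and it is Cognito that calls sts:AssumeRoleWithWebIdentity with its own token, so the role has to trust cognito-identity.amazonaws.com and condition on Cognito's claims (aud = identity pool ID, amr = "authenticated" plus the provider name). The following is an added example, not code from the question or the answer, that builds a trust policy of that shape and runs an offline check over both the question's original trust policy and the corrected one. The identity pool ID is an assumed placeholder; the check is illustrative and does not replace IAM's own evaluation.

```javascript
// Assumed placeholder identity pool ID (not from the original post).
const EXAMPLE_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";

// Trust policy as posted in the question: trusts graph.facebook.com directly
// and conditions on a Facebook claim, so Cognito's AssumeRoleWithWebIdentity call is denied.
const questionTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "",
    Effect: "Allow",
    Principal: { Federated: "graph.facebook.com" },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: { StringEquals: { "graph.facebook.com:appId": "FACEBOOK_APP_ID" } }
  }]
};

// Trust policy in the shape the answer describes. The role trusts the Cognito
// identity service, is pinned to one identity pool via the aud claim, and
// requires the multi-valued amr claim to contain the expected provider.
function buildCognitoTrustPolicy(identityPoolId, provider) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: "cognito-identity.amazonaws.com" },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        // Without aud, any identity pool in any account could assume this role.
        StringEquals: { "cognito-identity.amazonaws.com:aud": identityPoolId },
        // amr holds "authenticated" plus the login provider name for federated users.
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": provider }
      }
    }]
  };
}

// Return the list of problems that would make Cognito's STS call fail, or
// that leave the role assumable more widely than intended. Empty means clean.
function checkCognitoTrustPolicy(policy, identityPoolId) {
  const problems = [];
  const statements = (policy.Statement || []).filter(s =>
    s.Effect === "Allow" && [].concat(s.Action).includes("sts:AssumeRoleWithWebIdentity"));
  if (statements.length === 0) {
    problems.push("no Allow statement for sts:AssumeRoleWithWebIdentity");
    return problems;
  }
  for (const s of statements) {
    const federated = s.Principal && s.Principal.Federated;
    if (federated !== "cognito-identity.amazonaws.com") {
      problems.push(`Principal.Federated is ${JSON.stringify(federated)}, expected cognito-identity.amazonaws.com`);
    }
    const cond = s.Condition || {};
    const aud = cond.StringEquals && cond.StringEquals["cognito-identity.amazonaws.com:aud"];
    if (aud === undefined) {
      problems.push("missing cognito-identity.amazonaws.com:aud condition (role not pinned to an identity pool)");
    } else if (aud !== identityPoolId) {
      problems.push(`aud condition is ${aud}, expected ${identityPoolId}`);
    }
    const hasAmr = Object.keys(cond)
      .filter(op => op.startsWith("ForAnyValue:"))
      .some(op => cond[op]["cognito-identity.amazonaws.com:amr"] !== undefined);
    if (!hasAmr) {
      problems.push("missing ForAnyValue condition on cognito-identity.amazonaws.com:amr");
    }
    // Keys from the upstream provider can never match: the STS call carries
    // Cognito's token, which only has cognito-identity.amazonaws.com claims.
    for (const op of Object.keys(cond)) {
      for (const key of Object.keys(cond[op])) {
        if (key.startsWith("graph.facebook.com:")) {
          problems.push(`condition key ${key} will never match a Cognito token`);
        }
      }
    }
  }
  return problems;
}

// Usage: compare the question's policy against the corrected one.
console.log(checkCognitoTrustPolicy(questionTrustPolicy, EXAMPLE_POOL_ID));
console.log(checkCognitoTrustPolicy(buildCognitoTrustPolicy(EXAMPLE_POOL_ID, "graph.facebook.com"), EXAMPLE_POOL_ID));
```

The aud condition is the part the answer's snippet does not mention but that a practitioner should not leave out: it is what ties the role to one identity pool rather than to every Cognito pool that can mint a token.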