WilliamX

Reputation: 447

How to get AWS credentials with a UserPools idToken?

I'm currently using a USER-POOLS authorizer to get the first 3 tokens for my API:

From here I would like to request credentials to be able to SigV4 request to my already set up API gateway, but first I need to get the requested credentials in order to do the SigV4.

In the docs I found this:

// Set the region where your identity pool exists (us-east-1, eu-west-1)
AWSCognito.config.region = 'us-east-1';

// Configure the credentials provider to use your identity pool
AWSCognito.config.credentials = new AWSCognito.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:009xxxx ...',
});

// Make the call to obtain credentials
AWSCognito.config.credentials.get(function(){

  // Credentials will be available when this function is called.
  var accessKeyId = AWSCognito.config.credentials.accessKeyId;
  var secretAccessKey = AWSCognito.config.credentials.secretAccessKey;
  var sessionToken = AWSCognito.config.credentials.sessionToken;

});

To my surprise, the callback is called but the values for accessKeyId, secretAccessKey and sessionToken are all null.

I was expecting some kind of method where I send my first idToken, and based on that I get the credentials, but it looks like this is all figured out under the hood? Anyway, it is not working for me.

Upvotes: 2

Views: 1112

Answers (1)

WilliamX

Reputation: 447

After some research, I realised that there is an undocumented way of doing this.

You need to construct this object first:

import * as AWS from 'aws-sdk'; // AWS SDK for JavaScript v2

// Key of the Logins map: the user pool's issuer without the "https://" prefix,
// i.e. cognito-idp.<user pool region>.amazonaws.com/<user pool id>
let url = 'cognito-idp.' + 'user pool region' + '.amazonaws.com/' + 'your user pool id';
let logins: { [provider: string]: string } = {};

logins[url] = idTokenJwt; // <- the ID token obtained before (not the access token)

let params = {
   IdentityPoolId: 'the federated identity pool id',
   Logins: logins
};

let creds = new AWS.CognitoIdentityCredentials(params);

AWS.config.region = 'us-east-1';
AWS.config.credentials = creds;

creds.get(function (err: any) {
  if (!err) {
    console.log("returned without error"); // <-- this gets called!!!

    // and the values are correctly set!
    const accessKeyId = creds.accessKeyId;
    const secretAccessKey = creds.secretAccessKey;
    const sessionToken = creds.sessionToken;

  }
  else {
    console.log("returned with error"); // <-- might get called if something is missing, anyways self-descriptive.
    console.log(err);
  }
});

In my case I still had to configure the trust relationship between the role and the identity pool; here is the example:

{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "Federated": "cognito-identity.amazonaws.com"
  },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "cognito-identity.amazonaws.com:aud": "your federated identity pool id"
    },
    "ForAnyValue:StringLike": {
      "cognito-identity.amazonaws.com:amr": "authenticated"
    }
  }
}

*You can also replace "authenticated" with "unauthenticated", "graph.facebook.com", "google ...", depending on your needs.

Upvotes: 3
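As an added example (not part of the answer above, and not AWS SDK code), the following builds the Logins map the answer describes directly from the ID token's claims, so the key cannot drift from the token's issuer, and rejects the two mistakes that most often produce the "returned with error" branch: passing the access token instead of the ID token, and passing an expired token. It does not verify the JWT signature; Cognito Identity does that server-side when the credentials are requested. The sample token and pool ids are constructed placeholders.

```javascript
// Added example: derive the Logins map for AWS.CognitoIdentityCredentials from
// a Cognito User Pool ID token after a client-side sanity check of its claims.
// No signature verification here; Cognito Identity verifies the token itself.

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  // base64url -> base64, then decode the payload (Node's Buffer tolerates missing padding)
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function buildIdentityPoolParams(idTokenJwt, identityPoolId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idTokenJwt);
  if (claims.token_use !== 'id') {
    throw new Error('Cognito Identity needs the ID token, got token_use=' + claims.token_use);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('ID token is expired; refresh it before requesting credentials');
  }
  // The Logins key is the token issuer without the scheme:
  // cognito-idp.<region>.amazonaws.com/<user pool id>
  const m = /^https:\/\/(cognito-idp\.[a-z0-9-]+\.amazonaws\.com\/[A-Za-z0-9_-]+)$/.exec(claims.iss || '');
  if (!m) throw new Error('issuer is not a Cognito user pool: ' + claims.iss);
  const logins = {};
  logins[m[1]] = idTokenJwt;
  return { IdentityPoolId: identityPoolId, Logins: logins };
}

// Constructed sample token: header.payload plus a dummy signature (no signature check above).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', kid: 'example' }) + '.' + enc(claims) + '.sig';
}

// Usage: the returned object is what new AWS.CognitoIdentityCredentials(params) expects.
const sampleIdToken = makeSampleToken({
  iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE', // constructed
  token_use: 'id', exp: 1700000000 + 3600, sub: 'user-1',
});
const sampleParams = buildIdentityPoolParams(
  sampleIdToken, 'us-east-1:00000000-0000-0000-0000-000000000000', 1700000000);
console.log(sampleParams);
```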
