Reputation: 405
What I have done so far: I have signed in the user with Cognito identity, and in return I get a 'session token' which contains 'aud' inside it. But when I pass the token through headers, it's not recognized. It sends back the error:
message: 'User: arn:aws:sts::4954355577:assumed-role/multi-test-application-dev-us-east-1-lambdaRole/multi-test-application-dev-list is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:4954355577:table/tenantTable',
Or is this the wrong way? If it's wrong, what and how should I pass the data in order to get aud inside the IAM role for ${cognito-identity.amazonaws.com:aud}?
Upvotes: 0
Views: 588
Reputation: 405
We cannot pass the aud as a global variable or an env variable. Once we get the credentials from an identity pool, which are the secret token, access key id, and session token, we need to create a DynamoDB instance using these credentials. So whenever we use DynamoDB, the aud will be set as the identity pool id.
Upvotes: 0
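As an added example (not code from the original posts), one way to do what the answer describes in Node.js with AWS SDK v3: build the DynamoDB client from the identity pool credentials, so the request is not signed with the Lambda execution role named in the error message. The `tenantId` key name and the function names are assumptions; the `Credentials` fields follow Cognito's GetCredentialsForIdentity response.

```javascript
const REGION = "us-east-1";        // from the error message on the page
const TABLE = "tenantTable";       // from the error message on the page
const PARTITION_KEY = "tenantId";  // assumed partition key attribute name

// Map a Cognito GetCredentialsForIdentity response to an SDK v3 client config.
// Fails closed: with no explicit credentials the SDK would use its default
// provider chain, which inside Lambda is the execution role.
function clientConfigFromIdentity(resp, now = new Date()) {
  const c = resp && resp.Credentials;
  if (!c || !c.AccessKeyId || !c.SecretKey || !c.SessionToken) {
    throw new Error("identity pool credentials incomplete");
  }
  const expiration = new Date(c.Expiration);
  if (!(expiration > now)) {
    throw new Error("identity pool credentials expired");
  }
  return {
    region: REGION,
    credentials: {
      accessKeyId: c.AccessKeyId,
      secretAccessKey: c.SecretKey,
      sessionToken: c.SessionToken,
      expiration,
    },
  };
}

// Build the Query input for one tenant's partition.
function tenantQueryInput(tenantId) {
  if (typeof tenantId !== "string" || tenantId.length === 0) {
    throw new Error("tenantId required");
  }
  return {
    TableName: TABLE,
    KeyConditionExpression: "#pk = :pk",
    ExpressionAttributeNames: { "#pk": PARTITION_KEY },
    ExpressionAttributeValues: { ":pk": { S: tenantId } },
  };
}

// Run the query signed with the identity pool credentials (needs the
// @aws-sdk/client-dynamodb package and network access).
async function queryAsIdentity(resp, tenantId) {
  const { DynamoDBClient, QueryCommand } = await import("@aws-sdk/client-dynamodb");
  const client = new DynamoDBClient(clientConfigFromIdentity(resp));
  return client.send(new QueryCommand(tenantQueryInput(tenantId)));
}
```
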