Not getting aws credentials from identity pool, If I add principal tag

0

Hello,

I am facing a weird problem. I have an Identity pool, and a user-pool attached to it as an authentication provider. And I can get temporary aws credentials using getCredentialsForIdentity() API. But when I am adding a principal tag to the identity pool (more precisely in the authentication provider section) and trying to get temporary aws credentials using getCredentialsForIdentity() API, I am getting the following error:

InvalidIdentityPoolConfigurationException: Invalid identity pool configuration. Check assigned IAM roles for this pool.

Can you please help me with this? Thanks in advance.

1 answer
0

Hello,

Thank you for reaching out to us.

As per error message displayed, the issue could be with IAM roles assigned to your identity pool. However, such error messages are also displayed if we try to add a Tag key for principal which tries to reference an Attribute name represented as array within your Id Token.

For example: If we try to map Attribute names such as "cognito:roles" and "cognito:groups" which are passed as array elements in JWT Id token, in such cases we receive these errors.

Sample decoded Id token showing array elements which cannot be referenced in Attribute name:

"cognito:groups": [
    "test-group"
]

"cognito:roles": [
    "arn:aws:iam::1234567890:role/test-role"
]

This is because the custom mapping for identity pool cannot parse the array elements.

In case if you are facing this error message for a specific scenario apart from the one discussed above then please feel free to create a case with us to get it examined for errors.

AWS
Support Engineer
Vinay
answered a year ago
  • Hello Vinay, thanks for your support. Actually I have two questions on this.

    1. If I can just remove the principal tag from identity-pool, I am not getting this error, I can successfully create AWS credentials using getCredentialsForIdentity() API, so if this is an IAM role issue, should not I face this issue every time?!

    2. I am not trying to add a Tag key for principal which tries to reference an Attribute name represented as array within my Id Token. I am trying to reference an attribute named custom:org_id, which is a string located in a payload object. Sharing the object structure with you as well. { "status": 201, "message": { "idToken": { "jwtToken": "...", "payload": { "sub": "...", "email_verified": true, "iss": "...", "custom:org_id": "bt001arnab51", "cognito:username": "...", "origin_jti": "...", "aud": "...", "event_id": "...", "token_use": "id", "auth_time": 1681973893, "exp": 1681977493, "iat": 1681973893, "jti": "...", "email": "..." } }, "refreshToken": { "token": "..." }, "accessToken": { "jwtToken": "...", "payload": { ... } }, "clockDrift": 0 } }

    Can you please help me with this?! And if I need to create a case, can you let me know, how can I do that?! Thanks in advance.
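The distinction the answer draws (array-valued claims such as cognito:groups cannot be mapped to a principal tag, while a scalar claim such as custom:org_id can) is easy to pre-check locally before touching the IAM roles. The following Python pre-check is an added example, not code from the thread or from AWS: it decodes a constructed, unsigned sample ID token and reports which entries of an assumed principal-tag mapping reference array or missing claims. The mapping dict and every token value are made-up placeholders.

```python
import base64
import json

# Constructed sample ID-token payload; all values are hypothetical placeholders.
SAMPLE_PAYLOAD = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "id",
    "custom:org_id": "bt001arnab51",
    "cognito:groups": ["test-group"],
    "cognito:roles": ["arn:aws:iam::123456789012:role/test-role"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build an UNSIGNED JWT for local inspection only (alg none, empty signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])

def decode_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature.
    This inspects claim shapes; it is not token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_principal_tags(payload: dict, mapping: dict) -> dict:
    """mapping: {principal tag key: ID-token claim name}, as configured on the
    identity pool's authentication provider (assumed layout). Returns
    {tag key: 'ok' | 'array_or_object' | 'missing'}; 'array_or_object' is the
    case the answer describes, which the identity pool cannot parse."""
    results = {}
    for tag_key, claim in mapping.items():
        if claim not in payload:
            results[tag_key] = "missing"
        elif isinstance(payload[claim], (list, dict)):
            results[tag_key] = "array_or_object"
        else:
            results[tag_key] = "ok"
    return results

def unusable_tags(payload: dict, mapping: dict) -> list:
    """Tag keys whose claim is absent or not a scalar: review these first."""
    return [k for k, s in check_principal_tags(payload, mapping).items() if s != "ok"]

if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_PAYLOAD)
    mapping = {"org": "custom:org_id", "groups": "cognito:groups", "dept": "custom:dept"}
    for key, status in check_principal_tags(decode_payload(token), mapping).items():
        print(f"{key:<7} -> {mapping[key]:<16} {status}")
```

Run it against a real ID token from your user pool (paste the token string into decode_payload) and your actual tag mapping; any key reported as array_or_object reproduces the failure described in the answer, while an all-ok result points back at the IAM role configuration the error message names.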
