Java SDK Cognito authentication with IAM user


Hello, I'm working on a custom java connector to manage a Cognito userPool. I'm using java SDK documentation to do so (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/cognitoidentityprovider/package-summary.html).

I have created a dedicated IAM user with all permissions on:

"cognito-idp:*","cognito-identity:*","cognito-sync:*"

That's why I'm trying to test the authentication to the userPool by listing users in the userPool with the following function:

	import java.util.function.Consumer;
	import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersRequest;
	import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersResponse;

	// Lists users of the configured pool; the caller's Consumer can add filters, limit, pagination token, etc.
	public ListUsersResponse listUsers(final Consumer<ListUsersRequest.Builder> listUsersRequest) {
		log.debug("begin list users");

		return getCognitoClient().listUsers(ListUsersRequest.builder()
				.userPoolId(getAwsCognitoId()).applyMutation(listUsersRequest).build());
	}

where getCognitoClient() is a function that returns an object of type CognitoIdentityProviderClient. To authenticate I'm using a credentialProvider with secretKeyID/secretAccessKey.

But I'm getting a 403 error in return: Service returned HTTP status code 403 (Service: CognitoIdentityProvider, Status Code: 403, Request ID: null)

Can anyone help me set the correct permissions to give to my IAM account?

1 Answer

Hi Emma,

when you're having IAM related errors and problems, the first element to check is CloudTrail where you can get more details (especially missing/incorrect actions) compared to the API output.

Then, on your specific error, everything seems ok at first: the ListUsers action is under the cognito-idp service prefix, so your role should be good. I'd suspect the role you defined is not used in your code, can you check?

answered 2 months ago
  • Hello Pierre-Yves,

    I can't see any activity related to my service account on CloudTrail, it seems to log only my personal user connection to the aws console.

    I'm pretty sure I use the IAM role to authenticate, as when I change the role name I have an error like: User: arn:aws:iam::<accountId>:user/<accountName> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountId>:role/<roleWrongName> (Service: Sts, Status Code: 403, Request ID: <requestId>)

    I also use the correct secretID/key, because I have this error if I change them to an incorrect one: The security token included in the request is invalid. (Service: Sts, Status Code: 403, Request ID: <requestId>)

    Is there any restriction if I grant rights to the IAM user in several different ways (role, directly, policy)?
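The answer above suggests confirming that the role is really the principal behind the Cognito call. The following added example (not code from the original thread or from the AWS SDK documentation) does that from the connector side: it asks STS who the static keys belong to, assumes the role explicitly, makes the smallest possible ListUsers call, and prints the full service error instead of the bare 403. The environment variable names, the session name and the class name are assumptions; the region must be the one the user pool lives in.

```java
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserType;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class CognitoAccessCheck {
    public static void main(String[] args) {
        // Assumed configuration, read from the environment so no secret is hard-coded in source.
        Region region = Region.of(System.getenv("AWS_REGION"));
        String userPoolId = System.getenv("COGNITO_USER_POOL_ID");
        String roleArn = System.getenv("COGNITO_ROLE_ARN"); // role the IAM user is allowed to assume
        StaticCredentialsProvider userCreds = StaticCredentialsProvider.create(
                AwsBasicCredentials.create(System.getenv("AWS_ACCESS_KEY_ID"),
                                           System.getenv("AWS_SECRET_ACCESS_KEY")));

        StsClient sts = StsClient.builder().region(region).credentialsProvider(userCreds).build();
        // Step 1: which principal do the keys belong to? This also leaves a GetCallerIdentity
        // event in CloudTrail that you can search for to confirm logging is working.
        System.out.println("Caller identity: " + sts.getCallerIdentity().arn());

        // Step 2: assume the role explicitly, so Cognito requests are signed with the
        // role's temporary credentials rather than the user's long-lived keys.
        StsAssumeRoleCredentialsProvider roleCreds = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(roleArn).roleSessionName("cognito-connector-check").build())
                .build();

        try (CognitoIdentityProviderClient cognito = CognitoIdentityProviderClient.builder()
                .region(region).credentialsProvider(roleCreds).build()) {
            // Step 3: smallest call against the pool. A 403 here is an authorization or
            // endpoint problem, not a data problem, so it isolates the failing layer.
            cognito.listUsers(ListUsersRequest.builder().userPoolId(userPoolId).limit(1).build())
                   .users().stream().map(UserType::username)
                   .forEach(u -> System.out.println("Pool reachable, first user: " + u));
        } catch (CognitoIdentityProviderException e) {
            // Surface the service error code and request id that the bare "403" message hides.
            System.err.println("Cognito error " + e.awsErrorDetails().errorCode()
                    + " (HTTP " + e.statusCode() + "): " + e.awsErrorDetails().errorMessage()
                    + " requestId=" + e.requestId());
        }
    }
}
```

If the printed caller ARN is the IAM user but CloudTrail shows no ListUsers event under the role, the Cognito client is not signing with the assumed-role credentials; compare the ARN and the error code printed here with the event that CloudTrail records.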
