 

AWS Cognito: Access to Identity is forbidden when calling getOpenIdToken()

After successfully obtaining a Cognito identity, we then try to get an OpenID token with getOpenIdToken():

AWS.config.credentials.get(function(err) {
  if (!err) {
    var cognitoIdentity = new AWS.CognitoIdentity();
    cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
      if (err) console.log(err, err.stack); // an error occurred
      else     console.log(data);           // successful response
    });
  } else {
    console.log('cognito error: ' + err);
  }
});

However, this fails with:

"NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden."

Full error trace:

    POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
    aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
    at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
    at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
    at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
    at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
    at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
    at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
    at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
    at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
    at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
    at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
drfence asked Jun 14 '15 15:06


1 Answer

The two most common reasons for this error are:

  • You haven't set up the roles correctly in the identity pool configuration.
  • You are trying to get a token for an authenticated identity without providing the token from the identity provider.

Please check your code for both of the scenarios above; if the error still persists, please PM me your identityId/identityPoolId and I will be happy to dig deeper.

Thanks,
Rachit

Rachit Dhall answered Nov 15 '22 05:11
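The two causes in the answer turned into a pre-flight check before calling getOpenIdToken, written as an added example that is not code from the question or the answer. It assumes AWS SDK for JavaScript v2 client methods (describeIdentityPool, getIdentityPoolRoles, getOpenIdToken, each with .promise()); fakeCognito is a constructed stand-in so the example runs offline.

```javascript
// Added example, not code from the question or the answer. Assumes AWS SDK v2 method
// names; fakeCognito below is a constructed stand-in so the example runs offline.

// Answer's second cause: an identity obtained with a Logins map (authenticated) must be
// presented with the same Logins map again, or Cognito returns NotAuthorizedException.
function buildOpenIdTokenParams(identityId, logins) {
  if (!identityId) throw new Error('identityId is required');
  const params = { IdentityId: identityId };
  if (logins && Object.keys(logins).length > 0) params.Logins = logins;
  return params;
}

// Answer's first cause: the pool has no role attached for the flow in use. Takes the
// responses of describeIdentityPool and getIdentityPoolRoles; returns a problem or null.
function poolConfigProblem(poolDescription, poolRoles, authenticated) {
  const roles = (poolRoles && poolRoles.Roles) || {};
  if (authenticated) return roles.authenticated ? null : 'no authenticated role attached';
  if (!poolDescription.AllowUnauthenticatedIdentities) return 'unauthenticated identities are disabled';
  return roles.unauthenticated ? null : 'no unauthenticated role attached';
}

// Preflight the pool configuration, then request the token with Logins carried through.
async function getOpenIdTokenChecked(cognito, identityPoolId, identityId, logins) {
  const authenticated = Boolean(logins && Object.keys(logins).length > 0);
  const desc = await cognito.describeIdentityPool({ IdentityPoolId: identityPoolId }).promise();
  const roles = await cognito.getIdentityPoolRoles({ IdentityPoolId: identityPoolId }).promise();
  const problem = poolConfigProblem(desc, roles, authenticated);
  if (problem) throw new Error('identity pool misconfigured: ' + problem);
  return cognito.getOpenIdToken(buildOpenIdTokenParams(identityId, logins)).promise();
}

// Constructed stand-in for AWS.CognitoIdentity: it records which identities were created
// with Logins and refuses to issue them a token when Logins are omitted, as in the question.
function fakeCognito(allowUnauth, roles, authenticatedIds) {
  const resolve = (v) => ({ promise: () => Promise.resolve(v) });
  const forbid = (id) => ({ promise: () => Promise.reject(Object.assign(
    new Error("Access to Identity '" + id + "' is forbidden."), { code: 'NotAuthorizedException' })) });
  return {
    describeIdentityPool: () => resolve({ AllowUnauthenticatedIdentities: allowUnauth }),
    getIdentityPoolRoles: () => resolve({ Roles: roles }),
    getOpenIdToken: (p) => (authenticatedIds.has(p.IdentityId) && !p.Logins)
      ? forbid(p.IdentityId)
      : resolve({ IdentityId: p.IdentityId, Token: 'constructed.openid.token' }),
  };
}
```

The preflight can only catch the role misconfiguration; the omitted Logins map still surfaces as NotAuthorizedException from the service, which is why the same map used to create the identity must be passed to getOpenIdToken.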