Cognito/IAM Policies & S3 Get Object

Question

I'm trying to integrate S3 and Cognito into my iOS App, so far not successfully. I believe the error is connected to my IAM Policy for Auth and Unauth users. So here's my policy:

{
  "Version": "2012-10-17",
  "Statement":
   [{
    "Effect":"Allow",
    "Action":"cognito-sync:*",
    "Resource":["arn:aws:cognito-sync:us-east-1:XXXXXXXXXXXX:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"]
  },
  {
      "Effect":"Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
  }
 ]
}

here is where I call S3:

    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = KEY;
    getObjectRequest.bucket = BUCKET;

    //default service has been configured previously
    AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];

    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if(task.error)
        {
            NSLog(@"Error: %@",task.error);
        }
        else
        {
            NSLog(@"Got File");
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if ([[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }

        }
        return nil;
    }];

and here is the error:

Error: Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity" UserInfo=0x10a23e0a0 {NSLocalizedDescription=AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity}

So, what am I doing wrong?

Answer 1

The error you are experiencing

Not authorized to perform sts:AssumeRoleWithWebIdentity

Is due to an error in your trust policy, not your access policy.

Is this the role that was created as part of the Cognito setup wizard? Did you modify the role in any way? The role created by the Cognito console is pinned to the specific identity pool it was created with. Make sure you are using the role that was created with the identity pool you are using in your application.