Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cognito/IAM Policies & S3 Get Object

I'm trying to integrate S3 and Cognito into my iOS App, so far not successfully. I believe the error is connected to my IAM Policy for Auth and Unauth users. So here's my policy:

{
  "Version": "2012-10-17",
  "Statement":
   [{
    "Effect":"Allow",
    "Action":"cognito-sync:*",
    "Resource":["arn:aws:cognito-sync:us-east-1:XXXXXXXXXXXX:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"]
  },
  {
      "Effect":"Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
  }
 ]
}

here is where I call S3:

    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = KEY;
    getObjectRequest.bucket = BUCKET;

    //default service has been configured previously
    AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];

    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if(task.error)
        {
            NSLog(@"Error: %@",task.error);
        }
        else
        {
            NSLog(@"Got File");
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if ([[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }

        }
        return nil;
    }];

and here is the error:

Error: Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity" UserInfo=0x10a23e0a0 {NSLocalizedDescription=AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity}

So, what am I doing wrong?

like image 944
C. Porto Avatar asked Aug 14 '14 13:08

C. Porto


1 Answers

The error you are experiencing

Not authorized to perform sts:AssumeRoleWithWebIdentity

Is due to an error in your trust policy, not your access policy.

Is this the role that was created as part of the Cognito setup wizard? Did you modify the role in any way? The role created by the Cognito console is pinned to the specific identity pool it was created with. Make sure you are using the role that was created with the identity pool you are using in your application.

like image 79
Bob Kinney Avatar answered Oct 17 '22 03:10

Bob Kinney