I am trying to use amazon cognito with developer authenticated identities. My API is successfully returning an id and token. However, when I use these tokens to upload content to S3 I receive the following error:
Not authorized to perform sts:AssumeRoleWithWebIdentity
Below is my code for setting up the credentials provider.
ZGAWSIdentityProvider *identityProvider = [ZGAWSIdentityProvider new];
[identityProvider setIdentityPoolId:AWS_IDENTITY_POOL_ID];
AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
initWithRegionType:AWSRegionUSEast1
identityProvider:identityProvider
unauthRoleArn:AWS_UNAUTH_ROLE_ARN
authRoleArn:AWS_AUTH_ROLE_ARN];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSWest1
credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
And I am using the template provided at http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#create-an-identity-pool-that-supports-developer-authenticated-identities to create the identity provider.
@implementation ZGAWSIdentityProvider
@synthesize identityPoolId=_identityPoolId;
@synthesize identityId=_identityId;
@synthesize token=_token;
- (BFTask *)getIdentityId {
// Should ensure that identityId property is valid. The below code can probably
// be used for most use cases.
if (self.identityId) {
return [BFTask taskWithResult:nil];
} else {
return [[BFTask taskWithResult:nil] continueWithBlock:^id(BFTask *task) {
if (!self.identityId) {
return [self refresh];
}
return nil;
}];
}
}
- (BFTask *)refresh {
BFTaskCompletionSource *task = [BFTaskCompletionSource taskCompletionSource];
__weak __typeof(self)weakSelf = self;
[[ZGAccountController sharedInstance] getAWSCredentialsWithCompletion:^(NSDictionary *credentials) {
if (credentials && [credentials objectForKey:@"identity_id"] && [credentials objectForKey:@"identity_id"]) {
__strong __typeof(weakSelf)strongSelf = weakSelf;
strongSelf.identityId = [credentials objectForKey:@"identity_id"];
strongSelf.token = [credentials objectForKey:@"token"];
[task setResult:nil];
} else {
NSError *error = [NSError errorWithDomain:@"com.##.##" code:-1 userInfo:nil];
[task setError:error];
}
}];
return task.task;
}
@end
It appears to be an issue with Role Trust. I created the identity pool using the amazon web interface and have double checked that the identity pool id is correct. I have been able to successfully upload w unauthenticated identities, so I believe is not a role permissions issue.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…