Is it possible to have an IAM OIDC identity provider whose provider URL is only accessible from my VPC?

I'm getting the following error when using sts:AssumeRoleWithWebIdentity
An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements
I found the AWS support article How can I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"?, which does state:
This error can occur if:
The .well-known URL and jwks_uri of the identity provider (IdP) are inaccessible from the public internet.
which is indeed my case.
Is there any way to tell STS to contact the https://xxxxx/.well-known/openid-configuration via my VPC instead?
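The pre-flight check a practitioner would run before debugging further, added here as an example and not part of the question above: the script fetches the issuer's discovery document and its JWKS from wherever it is run, the same plain HTTPS fetch STS performs from the public internet, and confirms that the kid in the token header is actually published. It assumes only the OIDC Discovery conventions (the /.well-known/openid-configuration path and the jwks_uri field); the hostnames and token in the usage line are made up. If the fetch fails when run from outside your VPC, you are seeing exactly what STS sees.

```python
"""Pre-flight check for an OIDC issuer used with sts:AssumeRoleWithWebIdentity.

STS fetches <issuer>/.well-known/openid-configuration and the jwks_uri it
points to from the public internet. This script does the same fetch from the
machine it runs on and checks that the key id (kid) in the token header is
published. Added example; issuer URLs and tokens used here are made up.
"""
import base64
import json
import sys
import urllib.request


def discovery_url(issuer):
    """OIDC Discovery appends the well-known path to the issuer URL;
    avoid a double slash when the issuer already ends with one."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_doc(doc, issuer):
    """Return the problems STS would trip over in a discovery document."""
    problems = []
    # The spec requires the advertised issuer to equal the issuer URL exactly,
    # and the token's iss claim must equal it too.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: doc says {doc.get('issuer')!r}, expected {issuer!r}")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri:
        problems.append("jwks_uri missing from discovery document")
    elif not jwks_uri.startswith("https://"):
        problems.append(f"jwks_uri is not https: {jwks_uri}")
    return problems


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kid(jwt):
    """Read the kid from the JOSE header without verifying the token; we only
    want to know which key STS will look for in the JWKS."""
    header = json.loads(b64url_decode(jwt.split(".")[0]))
    return header.get("kid")


def kid_published(jwks, kid):
    """True if the JWKS advertises a key with this kid."""
    return any(k.get("kid") == kid for k in jwks.get("keys", []))


def fetch_json(url):
    """Plain HTTPS GET with public DNS, the way STS reaches the IdP."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def preflight(issuer, jwt):
    """Run every check against the live issuer; an empty list means OK."""
    try:
        doc = fetch_json(discovery_url(issuer))
    except Exception as exc:  # DNS failure, private address, TLS error, 4xx/5xx
        return [f"cannot fetch {discovery_url(issuer)}: {exc} "
                "(this is what STS sees when the IdP is only reachable inside the VPC)"]
    problems = check_discovery_doc(doc, issuer)
    if doc.get("jwks_uri"):
        try:
            jwks = fetch_json(doc["jwks_uri"])
        except Exception as exc:
            return problems + [f"cannot fetch jwks_uri {doc['jwks_uri']}: {exc}"]
        kid = token_kid(jwt)
        if not kid_published(jwks, kid):
            problems.append(f"kid {kid!r} from the token is not in the JWKS")
    return problems


if __name__ == "__main__":
    # usage: python oidc_preflight.py https://idp.example.com <jwt>   (made-up values)
    issuer_arg, jwt_arg = sys.argv[1], sys.argv[2]
    for line in preflight(issuer_arg, jwt_arg) or ["OK: discovery document and JWKS reachable, kid published"]:
        print(line)
```

Run it from a host outside the VPC (a laptop on a public network is enough). A DNS or connection failure on the first fetch is the same condition the support article describes, regardless of how well the IdP answers from inside the VPC.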

Related

Azure DevOps YAML pipeline error for AWS keys

I am getting the below error while running an Azure DevOps pipeline. I have added the correct AWS 'Access key' and 'Secret Access key'. However, it is still failing.
I checked from the backend Windows server. It works fine manually but gives the below error when I run the pipeline. Not sure what is missing; can you please suggest?
Note: I am using an IAM role to access the AWS environment and providing the 'keys' of the same role.
An error occurred (SignatureDoesNotMatch) when calling the AssumeRole operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
Cannot index into a null array.

AWS SSO Custom App SAML Authentication error (InvalidIdentityToken, Invalid Base64 SAMLResponse)

I have created a sample custom app on AWS SSO and tried to authorize users with SAML.
The workflow is as follows:
User clicks custom app logo on SSO console and starts authentication flow. SAML IDP endpoint in this case is the endpoint which was created during custom application creation. Works ok.
AWS redirects to the defined ACS (Nest.js backend API server on localhost) with SAML Response. This also works ok. Response seems to be valid and includes all attributes etc.
The backend API validates the response and calls STS with the AssumeRoleWithSAML command, which sends the aforementioned SAML response to STS with the role and principal ARNs. The IDP endpoint is the account's identity provider, which was created by AWS SSO. This does not work. It produces the following error:
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service:
AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException; Request ID:
55120f74-c9e8-4dac-b416-370b771339e5; Proxy: null)
So basically the problem is that AWS does not accept, or is not able to process, a SAML response that was created by AWS.
What do I not understand here? Are different issuer IDs or certificates causing the error?
Should I modify the SAML response before sending it back to AWS?
Edit: I made some changes to the attribute mappings (see the comments to this message) and it helped. However, now I get another type of error message:
InvalidIdentityToken: Issuer not present in specified provider
(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException;
I resolved this problem by creating a new identity provider on AWS IAM console and using the same custom application SSO meta data.
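Two of the errors in the post above can be checked locally before the SAMLResponse ever reaches STS. This is an added example, not code from the post or from AWS: "Invalid base64 SAMLResponse" means the value did not decode as standard base64 into a samlp:Response document (a URL-encoded form value or the raw XML both fail this way), and "Issuer not present in specified provider" means the saml:Issuer in the response does not equal the entityID in the metadata the IAM SAML provider was created from, which is my understanding of what STS compares. The XML below is constructed and unsigned, purely to exercise the checks; element and attribute names are the SAML 2.0 ones.

```python
"""Inspect a SAMLResponse before handing it to sts:AssumeRoleWithSAML.

Checks performed (added example, constructed data, no real IdP involved):
  - the value is strict base64 of a well-formed samlp:Response document
  - every saml:Issuer in it equals the entityID of the IdP metadata
    uploaded to the IAM SAML provider
"""
import base64
import binascii
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"


def decode_saml_response(encoded):
    """Strict base64 decode, then parse; raises ValueError with a specific
    reason instead of leaving you with STS's generic message."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"SAMLResponse is not valid base64: {exc}") from None
    try:
        root = ET.fromstring(raw)  # constructed input here; use defusedxml on untrusted responses
    except ET.ParseError as exc:
        raise ValueError(f"decoded SAMLResponse is not well-formed XML: {exc}") from None
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"root element is {root.tag}, expected samlp:Response")
    return root


def response_issuers(root):
    """Issuer of the Response plus the Issuer of each Assertion inside it."""
    return [(issuer.text or "").strip() for issuer in root.iter(f"{{{SAML}}}Issuer")]


def metadata_entity_id(metadata_xml):
    """entityID from the IdP metadata document the IAM provider was created from."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("metadata root is not md:EntityDescriptor")
    return root.attrib["entityID"]


def issuer_matches_provider(encoded_response, metadata_xml):
    """True when every Issuer in the response equals the provider's entityID."""
    issuers = response_issuers(decode_saml_response(encoded_response))
    entity_id = metadata_entity_id(metadata_xml)
    return bool(issuers) and all(i == entity_id for i in issuers)


# Constructed sample metadata (made-up entityID, not a real IdP).
SAMPLE_METADATA = f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.com/saml"/>'


def make_response(issuer):
    """Build a minimal, unsigned Response and base64-encode it as an IdP would."""
    xml_doc = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer></saml:Assertion>'
        f'</samlp:Response>'
    )
    return base64.b64encode(xml_doc.encode()).decode()


if __name__ == "__main__":
    ok = make_response("https://idp.example.com/saml")
    other = make_response("https://sso.example.com/other")
    print("matching issuer ->", issuer_matches_provider(ok, SAMPLE_METADATA))
    print("other issuer    ->", issuer_matches_provider(other, SAMPLE_METADATA))
    try:
        decode_saml_response("%3Csamlp%3AResponse")  # still URL-encoded: a common mistake
    except ValueError as exc:
        print("bad input       ->", exc)
```

When the issuer check fails against the metadata you uploaded, the fix described in the post (create the IAM identity provider from the metadata of the same custom application) is exactly what brings the two values into agreement.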

when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal

C:\>aws organizations enable-aws-service-access --service-principal cloudformation.amazonaws.com
An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal.
C:\>aws organizations enable-aws-service-access --service-principal "cloudformation.amazonaws.com"
An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You specified an unrecognized service principal.
C:\>aws organizations enable-aws-service-access --service-principal 'cloudformation.amazonaws.com'
An error occurred (InvalidInputException) when calling the EnableAWSServiceAccess operation: You provided a value that does not match the required pattern.
Any idea what is wrong?
According to the docs here
--service-principal (string)
The service principal name of the AWS service for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com .
I tried with
"s3.amazonaws.com"
"ec2.amazonaws.com"
"elasticbeanstalk.amazonaws.com"
"autoscaling.amazonaws.com"
as service-principal. But all gave the same error.
It works in the console though.
AWS Console -> CloudFormation -> StackSets -> Enable trusted access.
The EnableAWSServiceAccess is for:
When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.
The reason it fails, I think, is that CloudFormation does support service-linked roles. You can verify that in this table: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html.
Also, it works in the console because you are enabling it for StackSets, not for CloudFormation itself. CloudFormation does not support trusted access with your organization, as listed in the docs. Only AWS CloudFormation StackSets supports it.
What's more, it only works through the console:
You can enable trusted access using either the AWS CloudFormation console or the AWS Organizations console.
You can't do this using CLI or SDK.
You can use the following
aws organizations enable-aws-service-access --service-principal member.org.stacksets.cloudformation.amazonaws.com

InvalidClientTokenId when using IAM user

I'm having trouble implementing GetCallerIdentity with AWS within my application. When I try to generate temporary credentials, the server console returns the error InvalidClientTokenId: The security token included in the request is invalid.
I've been looking at the AWS documentation and I'm wondering if I've set up my IAM user incorrectly. The documentation says:
The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM APIs unless MFA authentication information is
included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
Does this mean I can't use IAM accounts with the below example? I'm building in Meteor.js and I'm trying to implement a package called SlingShot. The documentation doesn't mention errors like this.
var AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
var sts = new AWS.STS();

// Request temporary credentials for the caller; the SDK signs this call with
// the credentials it loaded (environment variables, shared profile, ...).
function getTemporaryCredentials(duration, callback) {
  sts.getSessionToken({
    DurationSeconds: duration
  }, function (error, result) {
    console.log('error', error);
    callback(error, result && result.Credentials);
  });
}

Sign AWS requests using Cognito Your User Pool user using Postman

I am trying to send an authenticated request to AWS API Gateway. The clients will authenticate against Cognito Your User Pools, and then obtain a token from an associated Cognito Identity Pool corresponding to the logged-in user in the user pool. I am trying to simulate such a request using Postman.
This post suggests that the command aws cognito-identity get-credentials-for-identity can be used to get the AccessKeyId and SecretKey needed for Postman to sign the request. However, when I try to run it with the sub attribute for a user from the Cognito User Pool console:
$ aws cognito-identity get-credentials-for-identity --identity-id aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ValidationException) when calling the GetCredentialsForIdentity operation: 1 validation error detected: Value 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' at 'identityId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+:[0-9a-f-]+
$ aws cognito-identity get-credentials-for-identity --identity-id us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found.
The same thing happens if I try to use an identity ID from the associated identity pool shown in the AWS Console (I selected one that has 2 "linked logins").
You need to pass along the logins map:
--logins (map)
A set of optional name-value pairs that map provider names to
provider tokens.
Shorthand Syntax:
KeyName1=string,KeyName2=string
JSON Syntax:
{"string": "string"
...}
This syntax worked for me:
aws cognito-identity get-credentials-for-identity \
--identity-id us-east-1:aaaa-bbb-ccc-bc54-rrrrrrr \
--logins graph.facebook.com=kdajbdjkabkjbkjbkdbsckslcjxb
Note: --identity-id is not the identity pool ID; it's the identity from the identity browser.
API Gateway now has native integration with 'Cognito Your User Pool', so you can pass the identity token directly (see the API Gateway docs). The post you have linked is outdated.
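What Postman does with the AccessKeyId, SecretKey and SessionToken that get-credentials-for-identity returns is a Signature Version 4 signature over the request, as an added example and not code from either answer above: the signer below is stdlib Python and shows the one detail that is easy to get wrong with identity-pool credentials, namely that they are temporary, so the X-Amz-Security-Token header must be sent and must be included in the signed headers. The host, path and credential values are made up; the signing steps follow the published SigV4 algorithm.

```python
"""Sign an API Gateway request with Cognito identity-pool credentials (SigV4).

Added example in stdlib Python. Temporary credentials (as returned by
get-credentials-for-identity) carry a session token that has to travel in
X-Amz-Security-Token and be covered by the signature. All values used in the
usage block are fake.
"""
import datetime
import hashlib
import hmac
import urllib.parse


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_query(query):
    """Sorted, RFC 3986-encoded query string, as SigV4 requires."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(str(v), safe='-_.~')}"
        for k, v in sorted(query.items())
    )


def signing_key(secret_key, date, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, body, region, service,
                 access_key, secret_key, session_token, amz_date):
    """Return the headers to send: host, x-amz-date, the session token and
    the Authorization header computed over all three."""
    date = amz_date[:8]
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,  # required for temporary credentials
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method,
        urllib.parse.quote(path, safe="/~"),
        canonical_query(query),
        canonical_headers,
        signed_headers,
        _sha256_hex(body),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode()),
    ])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # A real caller takes these three values from get-credentials-for-identity; these are fake.
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    hdrs = sign_request("GET", "abc123.execute-api.us-east-1.amazonaws.com", "/prod/items",
                        {"limit": "10"}, b"", "us-east-1", "execute-api",
                        "ASIAEXAMPLE", "secretEXAMPLE", "FQoGZXIvYXdzEXAMPLE", now)
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The service name for API Gateway endpoints is execute-api, and the signature is only valid for a few minutes around x-amz-date, so a request replayed from a saved Postman collection fails until it is re-signed.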