Cognito user pool federated user unable to initiate-auth - amazon-web-services

Does AWS CLI cognito-idp initiate-auth support the USER_PASSWORD_AUTH flow for federated users from an external IdP (SAML provider)?
When I try to run initiate-auth, I am getting the below errors.
aws cognito-idp initiate-auth --region us-east-1 --auth-flow USER_PASSWORD_AUTH --client-id <my_client_id> --auth-parameters USERNAME=<username>,PASSWORD=<password>
An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: User is not authorized to get auth details.
As a debugging step, I created a local user in the userpool, and using that I am able to get an AuthenticationResult back.
Also, the username and password work with a browser flow. (It redirects to my app url with the code) when triggered from the Launch Hosted UI link.
Am I missing something in the configuration?

Most likely, USER_PASSWORD_AUTH is disabled for federated users. The federated users have Confirmation status set to External Provider and these users can only login using the 3rd party identity provider.
The problem may be solved using Account linking.
Documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html
I want to know if initiate-auth is supported for federated users but for CUSTOM_AUTHENTICATION. My research so far shows that this is not possible.

GitPod AWS SSO No access

I am following the instructions to get AWS SSO working: https://www.gitpod.io/guides/integrate-aws-cli-ecr
I'm not sure about what the AWS_ROLE_NAME gitpod variable should be. I feel like I'm getting this wrong, because signing in with:
aws sso login --no-browser
and then aws sts get-caller-identity
I get: An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access
I've set it to an IAM role name which should have admin access.
Resolved: AWS_ROLE_NAME needed to be set to AWSPowerUserAccess or another permission set name, which you can find in https://us-east-1.console.aws.amazon.com/iamv2/#/organization/permission-sets
Also, don't forget to go to https://us-east-1.console.aws.amazon.com/iamv2/home#/organization/accounts, click on an account and assign the SSO user to the account with an appropriate permission set.

Executing `import amplify auth` for `Cognito User Pool and Identity Pool` and passing on the `Web Client` as well as the `Native client` fails

Executing import amplify auth for Cognito User Pool and Identity Pool and passing on the Web Client as well as the Native client fails with the below error. Is there something that is missing? Please let me know. TIA
Cannot import Identity Pool without roles.
Error: Cannot import Identity Pool without roles.
at IdentityPoolService.getIdentityPoolRoles (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/amplify-provider-awscloudformation/src/aws-utils/IdentityPoolService.ts:88:13)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at importServiceWalkthrough (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/provider-utils/awscloudformation/import/index.ts:322:74)
at Object.importResource (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/provider-utils/awscloudformation/import/index.ts:45:42)
at Object.executeAmplifyCommand (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/@aws-amplify/amplify-category-auth/src/index.js:421:3)
at executePluginModuleCommand (/usr/local/lib/node_modules/@aws-amplify/cli/src/execution-manager.ts:178:3)
at executeCommand (/usr/local/lib/node_modules/@aws-amplify/cli/src/execution-manager.ts:30:5)
at Object.run (/usr/local/lib/node_modules/@aws-amplify/cli/src/index.ts:205:5)
Ran into this issue as well.
The Amplify Auth import docs mention the following:
Your Identity Pool needs:
an Authenticated Role with a trust relationship to your Identity Pool
an optional Unauthenticated Role if you want to use any guest user access for your Amplify categories. (Example: Guest access for your S3 buckets or REST API endpoints)
However, I:
Was using an identity pool with an "authenticated" role with the proper trust relationship intact (role, policy, identity pool role attachment).
Made sure the IAM role I was using to deploy this change had proper permissions to list and read identity pools & roles.
Still no help.
I then enabled "Allow unauthenticated identities" (although I did not want this) and things worked smoothly. This is because this setting will automatically generate two authenticated and unauthenticated roles and attach them for you.
However, as I did not want unauthenticated identity access, I disabled that again. Based off that setting working, I wondered if that Unauthenticated Role was truly optional, well it turns out it's not. At least not in the latest Amplify system. Someone must have changed this behaviour without updating the docs.
Solution:
Your Identity Pool needs:
an Authenticated Role with a trust relationship to your Identity Pool
an Unauthenticated Role with a trust relationship to your Identity Pool
To check if your identity pool is set up properly run this function in the AWS CLI:
aws cognito-identity get-identity-pool-roles --identity-pool-id "your identity pool id here"
You should get something like this:
{
    "IdentityPoolId": "your identity pool id here",
    "Roles": {
        "authenticated": "your authenticated role ARN here",
        "unauthenticated": "your unauthenticated role ARN here"
    }
}
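The check above can be done offline against the two pieces of state Amplify inspects: the output of `get-identity-pool-roles` and each role's trust policy (`aws iam get-role`, field AssumeRolePolicyDocument). The following is an added example, not code from the answer or from Amplify; the pool id, account number and role names are constructed placeholders, and `trust_policy` reproduces the trust document Cognito generates for pool roles (federated principal, `aud` = pool id, `amr` = authenticated or unauthenticated).

```python
"""Validate a Cognito identity pool's role attachments the way the Amplify import expects."""
import json

# Constructed placeholders: a pool id and what `get-identity-pool-roles` would return for it
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
AUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role"
UNAUTH_ROLE = "arn:aws:iam::123456789012:role/Cognito_ExampleUnauth_Role"
SAMPLE_ROLES_RESPONSE = {
    "IdentityPoolId": POOL_ID,
    "Roles": {"authenticated": AUTH_ROLE, "unauthenticated": UNAUTH_ROLE},
}


def trust_policy(pool_id: str, amr: str) -> dict:
    """Trust policy Cognito generates for a pool role; amr is 'authenticated' or 'unauthenticated'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
        },
    }]}


# Constructed: trust documents keyed by role ARN, as `aws iam get-role` would report them
SAMPLE_TRUST_POLICIES = {
    AUTH_ROLE: trust_policy(POOL_ID, "authenticated"),
    UNAUTH_ROLE: trust_policy(POOL_ID, "unauthenticated"),
}


def trusts_pool(doc: dict, pool_id: str, kind: str) -> bool:
    """True if some Allow statement lets this pool assume the role for the given amr value."""
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != "cognito-identity.amazonaws.com":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud") != pool_id:
            continue
        if cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr") != kind:
            continue
        return True
    return False


def check_identity_pool(roles_response: dict, trust_policies: dict) -> list:
    """Return a list of problems; an empty list means both roles exist and trust the pool."""
    problems = []
    pool_id = roles_response["IdentityPoolId"]
    roles = roles_response.get("Roles", {})
    for kind in ("authenticated", "unauthenticated"):
        arn = roles.get(kind)
        if not arn:
            problems.append(f"missing {kind} role")
            continue
        doc = trust_policies.get(arn)
        if doc is None:
            problems.append(f"{kind} role {arn} has no trust policy on record")
            continue
        if not trusts_pool(doc, pool_id, kind):
            problems.append(f"{kind} role {arn} does not trust the pool as {kind}")
    return problems


if __name__ == "__main__":
    print(json.dumps(check_identity_pool(SAMPLE_ROLES_RESPONSE, SAMPLE_TRUST_POLICIES)))
```

Feed it the real JSON from the two CLI calls and an empty list means the import precondition described in the answer holds; a "missing unauthenticated role" entry is exactly the state that produced "Cannot import Identity Pool without roles".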

AWS STS Assume Role: Get session token

I am trying to get a session token for the given IAM in postman but not able to receive a token.
If I use boto3.client('sts'), I am able to get the token.
Use Case: I am trying to Invoke VPC Rest Endpoint from EC2 instance where ServiceNow mid-server instance is running. Since we have ServiceNow mid-server agent running on EC2 instance, I want to use IAM Role attached to EC2 to authenticate other VPC endpoints that are deployed in the same AWS account.
I have permission policy attached to IAM Role to allow Assume Role policy. If there any other approach, please suggest.
Here is the HTML response in Postman. Postman is redirecting to the IAM docs.
client = boto3.client('sts')
response = client.assume_role(
    RoleArn='arn:aws:iam::**************:role/ServiceNow-midserver-Role',
    RoleSessionName='Session1',
    DurationSeconds=3600
)
print(response)
Is there anything wrong with the Postman request body or endpoint?
Authentication on postman is none.
To call AssumeRole from Postman (or curl etc.) as opposed to using a supported AWS SDK, you should follow the AssumeRole API documentation. You will also need to authenticate using AWS credentials.
Specifically, the request is an HTTP GET and parameters are passed as query strings, for example:
GET https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=stackoverflow-64706420
&RoleArn=arn:aws:iam::123456781234:role/myrole
&DurationSeconds=3600
Here's what this looks like in Postman:
And you will need to add AWS credentials so that your API request is signed correctly, for example:
Click 'Send' and the response will look something like this:
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<AssumedRoleUser>
<Arn>arn:aws:sts::123456781234:assumed-role/123456781234/stackoverflow-64706420</Arn>
<AssumedRoleId>ARO123EXAMPLE123:stackoverflow-64706420</AssumedRoleId>
</AssumedRoleUser>
<Credentials>
<AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
<SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
<SessionToken>
AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
</SessionToken>
<Expiration>2020-12-09T13:34:41Z</Expiration>
</Credentials>
<PackedPolicySize>6</PackedPolicySize>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>
You need to use credentials for an IAM user or an IAM role to call AssumeRole. boto3 must be getting credentials from the standard locations it looks for (like ~/.aws/config) [ref: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html]. Maybe you could try providing the AWS creds in the Authorization tab in Postman, selecting the type AWS Signature, and then call assumeRole.
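What Postman's "AWS Signature" option does for you, and what boto3 does silently, is sign the request with SigV4. Both answers above say the call must be authenticated; the following added example (not from either answer, and not an SDK) shows the signing steps on the exact AssumeRole GET from the first answer using only the standard library, and then parses the XML that STS returns. The key pair is AWS's documented example pair and is not valid; the sample response is constructed in the shape shown above with a shortened session token. Nothing is sent over the network.

```python
"""SigV4-sign an STS AssumeRole GET and parse the XML response (offline)."""
import datetime
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed credentials: AWS's documented example key pair, never valid
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY"
HOST, REGION, SERVICE = "sts.amazonaws.com", "us-east-1", "sts"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, as the SigV4 spec defines it."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Names sorted, values RFC 3986 encoded (':' and '/' in the role ARN become %3A and %2F)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def sign_assume_role(role_arn: str, session_name: str, amz_date: str = None,
                     duration: int = 3600, access_key: str = ACCESS_KEY,
                     secret_key: str = SECRET_KEY) -> dict:
    """Return URL, headers and signature for a SigV4-signed AssumeRole GET.

    amz_date is the request timestamp in the form 20201209T123441Z (defaults to now)."""
    if amz_date is None:
        amz_date = datetime.datetime.utcnow().strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    params = {"Version": "2011-06-15", "Action": "AssumeRole", "RoleArn": role_arn,
              "RoleSessionName": session_name, "DurationSeconds": str(duration)}
    query = canonical_query(params)
    headers = {"host": HOST, "x-amz-date": amz_date}          # lowercase for canonicalisation
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()            # GET carries an empty body
    canonical_request = "\n".join(["GET", "/", query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, REGION, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{HOST}/?{query}",
            "headers": {"Host": HOST, "X-Amz-Date": amz_date, "Authorization": authorization},
            "signature": signature}


STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# Constructed response in the shape STS returns; session token shortened
SAMPLE_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <SessionToken>AQoDYXdzEPT//////////wEXAMPLE==</SessionToken>
      <Expiration>2020-12-09T13:34:41Z</Expiration>
    </Credentials>
  </AssumeRoleResult>
</AssumeRoleResponse>"""


def parse_credentials(xml_text: str) -> dict:
    """Pull the temporary credentials out of an AssumeRole XML response (namespace-aware)."""
    creds = ET.fromstring(xml_text).find(f"{STS_NS}AssumeRoleResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in response")
    return {child.tag.replace(STS_NS, ""): child.text for child in creds}


if __name__ == "__main__":
    req = sign_assume_role("arn:aws:iam::123456781234:role/myrole", "stackoverflow-64706420")
    print(req["url"])
    print(req["headers"]["Authorization"])
    print(parse_credentials(SAMPLE_RESPONSE)["Expiration"])
```

The signature covers the host, the timestamp and every query parameter, which is why a request copied into Postman without credentials gets redirected to the docs: STS has no way to tell who is asking. On an EC2 instance the access key, secret and a session token would come from the instance metadata credentials of the attached role, and a session token is sent as an extra `X-Amz-Security-Token` header that must then also be listed in SignedHeaders.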

Can't find refresh token when Cognito redirects back to my URL

I'm testing with AWS's Cognito. At this point, I can get back my IdToken, AccessToken, and RefreshToken like this:
$ aws cognito-idp admin-initiate-auth --user-pool-id us-east-1_XXXXXXXX --client-id XXXXXXXXXXXXXXXXXXXXXXX --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=XXXXXXXXXXXXX,PASSWORD=XXXXXXXXXXXXX --region us-east-1
Then I tried the default web page (provided by Cognito) at a URL like this:
https://test-cognito.auth.us-east-1.amazoncognito.com/login?response_type=token&client_id=XXXXXXXXXXXXXXXXXXXXXX&redirect_uri=https://example.com
This URL will take me to a page where I have to authenticate and once the process is done it will take me back to my redirect_url with previously mentioned IDs appended:
https://example.com#id_token=XXXXX.XXXXXX.XXXXXX&access_token=XXXXXX.XXXXXXX.XXXXXXX&expires_in=3600&token_type=Bearer
But there's no sign of refresh_token! How can I get my refresh_token in this scenario?
I don't think that is possible at present. AWS clearly states that refresh token is only available if the flow type is Authorization Code Grant.
What you are trying is Implicit Grant. The responseType is set to token in your case. For Authorization Code Grant, set the grant type to code but that will also need you to store the client secret in the app.
Source: https://developer.amazon.com/docs/login-with-amazon/refresh-token.html
For more info on grant types - https://alexbilbie.com/guide-to-oauth-2-grants/
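To make the difference between the two grants concrete, here is an added example (not from the question or the answer) that classifies a hosted UI redirect and builds the token-endpoint requests that only the authorization code grant gives you. The implicit redirect is the one from the question; the code redirect, the app client id, the secret and the code value are constructed. Cognito's token endpoint is `https://<your domain>/oauth2/token`; the Basic Authorization header is only needed when the app client has a secret.

```python
"""Cognito hosted UI: implicit grant vs authorization code grant, offline."""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect from the question: implicit grant, tokens live in the fragment, no refresh_token
IMPLICIT_REDIRECT = ("https://example.com#id_token=XXXXX.XXXXXX.XXXXXX"
                     "&access_token=XXXXXX.XXXXXXX.XXXXXXX&expires_in=3600&token_type=Bearer")
# Constructed: what the same app would receive with response_type=code
CODE_REDIRECT = "https://example.com/?code=0f1e2d3c-constructed-code"


def parse_hosted_ui_redirect(url: str) -> tuple:
    """Return ('implicit' | 'code', params) for a hosted UI redirect.

    The implicit grant hands tokens back in the URL fragment (never sent to the server);
    the authorization code grant hands back a single-use code in the query string."""
    parts = urlsplit(url)
    if parts.fragment:
        return "implicit", {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    return "code", {k: v[0] for k, v in parse_qs(parts.query).items()}


def _form_request(domain: str, fields: dict, client_id: str, client_secret: str) -> dict:
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # App clients with a secret authenticate to the token endpoint with HTTP Basic
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {basic}"
    return {"url": f"https://{domain}/oauth2/token", "headers": headers, "body": urlencode(fields)}


def build_code_exchange(domain: str, client_id: str, code: str, redirect_uri: str,
                        client_secret: str = None) -> dict:
    """Token endpoint request that trades the code for id, access and refresh tokens."""
    fields = {"grant_type": "authorization_code", "client_id": client_id,
              "code": code, "redirect_uri": redirect_uri}
    return _form_request(domain, fields, client_id, client_secret)


def build_refresh(domain: str, client_id: str, refresh_token: str,
                  client_secret: str = None) -> dict:
    """Token endpoint request that uses the refresh token to obtain fresh id/access tokens."""
    fields = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    return _form_request(domain, fields, client_id, client_secret)


if __name__ == "__main__":
    for url in (IMPLICIT_REDIRECT, CODE_REDIRECT):
        grant, params = parse_hosted_ui_redirect(url)
        print(grant, "refresh_token" in params, sorted(params))
    _, params = parse_hosted_ui_redirect(CODE_REDIRECT)
    print(build_code_exchange("test-cognito.auth.us-east-1.amazoncognito.com",
                              "constructed-client-id", params["code"], "https://example.com"))
```

Note the redirect_uri sent to the token endpoint must match the one used on the login URL exactly; Cognito rejects the exchange otherwise.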

Controlling access to AWS IoT policy actions for Cognito identities

Documentation for IAM states that the Resource property for AttachUserPolicy and DetachUserPolicy should be set to the user principal the managed policy will be attached to. While the documentation for iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy is not as detailed, the error message
AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/ROLE/CognitoIdentityCredentials is not authorized to perform: iot:AttachPrincipalPolicy on resource: COGNITO_ID
leads me to believe it expects an ARN for a Cognito identity or identity pool. However, specifying the ARNs shown in the Cognito documentation results in the same error. Cognito identity ARNs also fail validation in the policy generator.
What resource should I specify so that iot:AttachPrincipalPolicy and iot:DetachPrincipalPolicy are permitted to attach/detach IoT policies on a Cognito identity?
Using Cognito identities with AWS IoT has two slightly different paths. Cognito identity pools support identities which are either unauthenticated (any agent can get credentials) or authenticated (users tied to a provider like Cognito User Pools, Facebook, OpenID, etc). AWS IoT supports both cases when using Cognito to get credentials.
When using the unauthenticated case, you must attach a policy to the cognito_unauth_role that gets created with your Cognito identity pool. The Identity Access & Management (IAM) console is where you attach a policy to this role. To get started, try attaching the managed policy "AWSIoTDataAccess". Then, your unauthenticated Cognito IDs can get credentials (access key, secret key, session token) which are passed to AWS IoT to establish a connection.
When using the authenticated case, you must attach a policy to the cognito_auth_role that gets created with your Cognito identity pool AND the Cognito ID which is created for each authenticated entity. The AWS IoT API AttachPrincipalPolicy is what you use to attach an AWS IoT policy to the Cognito ID. The format of that API call in the CLI would be like: aws iot attach-principal-policy --policy-name myPolicy --principal us-east-1:abcd1234-5678-1234-abcd1234efgh. The principal in this case is the Cognito ID of the authenticated entity. Only with both policies in place will the credentials returned by Cognito work to make connections to AWS IoT.