I configured an AWS Cognito user pool a few months ago and connected it to a Node.js application; everything was perfect.
Now I want to connect Laravel to AWS Cognito. I followed the instructions in this article.
I get the following error:
Error executing "AdminInitiateAuth" on "https://cognito-idp.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-west-1.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
UnrecognizedClientException (client): The security token included in the request is invalid. - {"__type":"UnrecognizedClientException","message":"The security token included in the request is invalid."}
I'm very sure the credentials are correct, but I get this error.
Is there any missing configuration in the article?
I've had the same 'problem' following the same article. I've fixed it by verifying my credentials in the .env
AWS_COGNITO_KEY=
AWS_COGNITO_SECRET=
These are the Access Keys of the IAM user
https://github.com/black-bits/laravel-cognito-auth#cognito-user-pool
I'm trying to run Vault CSI provider but I'm getting the following error in my app pod:
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod vault/my-service-9b78df688-8xnql, err: rpc error: code = Unknown desc = error making mount request: failed to login: Error making API request. Namespace: vault URL: POST https://vault.craft-code.com/v1/auth/gcp/login Code: 400. Errors: * unable to get public key for signed JWT: unable to get public key "xxxxx" for JWT subject "system:serviceaccount:vault:service-web-app": googleapi: Error 400: Request contains an invalid argument.
According to the doc, before logging in to Vault, Google Cloud should issue a JWT credential to be able to log in to Vault. I'm using Terraform but I don't know how to do that. Could someone explain it?
Once the service account and key have been created, the private key can be used to generate the JWT token needed to login to Vault.
To configure a Google Cloud service account to issue a JWT token before it can be used to login to Vault, you need to complete the following steps:
1. Create a service account in the Google Cloud platform.
2. Download the JSON key file associated with the service account.
3. Configure the Vault server to use the GCP auth backend and provide the JSON key file for the service account.
4. Configure the Google Cloud IAM roles for the service account in order to grant it access to the Vault server.
5. Get the JWT token from the service account and use it to authenticate with Vault.
Refer to this doc also
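A way to inspect the JWT that is being sent to Vault's GCP login endpoint before looking at the Vault side, as an added example that is not part of the original posts. It decodes the claims without verifying the signature and reports why the token is not one issued for a Google service account; the role name `web-app`, the project name and the `vault/<role>` audience format (taken from Vault's GCP auth documentation) are assumptions.

```python
import base64
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims):
    """Build a constructed token with a dummy signature (demo input only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'dummy-signature')}"


def jwt_claims(token):
    """Decode the payload without verifying it; for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_gcp_login_jwt(token, role, now=None):
    """List mismatches against the claims a GCP service account login JWT carries."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    sub = str(claims.get("sub", ""))
    if sub.startswith("system:serviceaccount:"):
        problems.append("sub is a Kubernetes service account, not a Google one")
    elif not (sub.endswith(".gserviceaccount.com") or sub.isdigit()):
        problems.append("sub is not a Google service account email or ID")
    # Assumption from the Vault GCP auth docs: aud must be "vault/<role>".
    if not str(claims.get("aud", "")).endswith(f"vault/{role}"):
        problems.append(f"aud does not name vault/{role}")
    if claims.get("exp", 0) <= now:
        problems.append("exp is missing or in the past")
    return problems


# Constructed claims: the first subject is the one in the error message above.
POD_TOKEN = make_demo_jwt({"sub": "system:serviceaccount:vault:service-web-app",
                           "aud": "vault", "exp": 2000})
GCP_TOKEN = make_demo_jwt({"sub": "vault-login@my-project.iam.gserviceaccount.com",
                           "aud": "vault/web-app", "exp": 2000})
```
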
I have created a sample custom app on AWS SSO and tried to authorize users with SAML.
The workflow is as follows:
User clicks custom app logo on SSO console and starts authentication flow. SAML IDP endpoint in this case is the endpoint which was created during custom application creation. Works ok.
AWS redirects to the defined ACS (Nest.js backend API server on localhost) with SAML Response. This also works ok. Response seems to be valid and includes all attributes etc.
Backend API validates the response and calls STS with AssumeRoleWithSAML command which sends the aforementioned SAML response to STS with role and principal ARNs. IDP endpoint is an accounts identity provider which has been created by AWS SSO. This does not work. It produces the following error:
An error occurred (InvalidIdentityToken) when calling the
AssumeRoleWithSAML operation: Invalid base64 SAMLResponse (Service:
AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException; Request ID:
55120f74-c9e8-4dac-b416-370b771339e5; Proxy: null)
So basically the problem is that AWS does not accept, or is not able to process, a SAML response which was created by AWS.
What do I not understand here? Are different issuer IDs or certificates causing the error?
Should I modify the SAML response before sending it back to AWS?
Edit: I made some changes to attribute mappings (see comments to this message) and it helped. However, now I get another type of error message:
InvalidIdentityToken: Issuer not present in specified provider
(Service: AWSOpenIdDiscoveryService; Status Code: 400; Error Code:
AuthSamlInvalidSamlResponseException;
I resolved this problem by creating a new identity provider on AWS IAM console and using the same custom application SSO meta data.
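A local pre-check for the two errors quoted in this thread, as an added example that is not part of the original posts: it confirms the SAMLResponse is strict base64 that decodes to XML, then compares its Issuer with the entityID in the metadata the IAM identity provider was created from. The sample metadata, entity ID and function name are constructed, and how STS itself evaluates the response is an assumption.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples: metadata of the SSO custom application and a response
# issued by it. The entity ID is a placeholder, not a real endpoint.
METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://idp.example/saml/app-123"/>')
RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
                '<saml:Issuer>https://idp.example/saml/app-123</saml:Issuer>'
                '</samlp:Response>')
SAML_RESPONSE = base64.b64encode(RESPONSE_XML.encode()).decode()


def check_saml_response(saml_response_b64, provider_metadata_xml):
    """Return (ok, reason). Diagnostic only: the signature is not verified."""
    try:
        # validate=True rejects anything outside the base64 alphabet, e.g. a
        # value that is still URL-encoded (%2B, %3D) after form parsing.
        xml_bytes = base64.b64decode(saml_response_b64, validate=True)
        response = ET.fromstring(xml_bytes)
    except (binascii.Error, ET.ParseError) as exc:
        return False, f"invalid base64 SAMLResponse: {exc}"
    issuer = response.findtext("saml:Issuer", default="", namespaces=NS).strip()
    entity_id = ET.fromstring(provider_metadata_xml).get("entityID", "")
    if not issuer or issuer != entity_id:
        return False, f"issuer {issuer!r} not present in provider {entity_id!r}"
    return True, "issuer matches provider metadata"


if __name__ == "__main__":
    print(check_saml_response(SAML_RESPONSE, METADATA))
    print(check_saml_response(SAML_RESPONSE, METADATA.replace("app-123", "app-999")))
```
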
When I enter aws-access-id and aws-secret-key (I tried different AWS keys too, generated from "labs.vocareum.com"), it throws the error: "ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid:"
Error
C:\Users>eb init -p python port-aws
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): ------(enter key from aws account)-------
(aws-secret-key): --------(enter key from aws account)----
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is
invalid.
ReEnter
C:\Users>eb init -p python port-aws
ERROR: The current user does not have the correct permissions. Reason: Operation Denied. The
security token included in the request is invalid.
ERROR: The current user does not have the correct permissions. Reason: Operation Denied. The
security token included in the request is invalid.
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): ------(enter key from aws account)-------
(aws-secret-key): ------(enter key from aws account)-------
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is
invalid.
AWS Educate does seem to allow Beanstalk:
AWS Services Supported with AWS Educate Starter Account
AWS Academy will also use vocareum, so similar limitations may apply.
However, all credentials that you get from vocareum are temporary. It seems to me that they have already expired for you. Thus you may need to refresh them by creating a new sandbox environment and getting new keys.
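An offline check for the credential mistakes behind "The security token included in the request is invalid" in the answers above (blank keys in `.env`, and temporary keys entered without their session token), as an added example that is not part of the original posts. The sample values are constructed, and `AWS_SESSION_TOKEN` as the variable holding the session token is an assumption; the `AKIA`/`ASIA` prefixes are the AWS access key ID prefixes for long-term and temporary keys.

```python
import re

# Typical access key ID: 20 chars. "AKIA" = long-term IAM user key,
# "ASIA" = temporary STS key, valid only together with a session token.
KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample .env contents (not real credentials).
ENV_BLANK = "AWS_COGNITO_KEY=\nAWS_COGNITO_SECRET=\n"
ENV_TEMP = "AWS_COGNITO_KEY=ASIAEXAMPLEEXAMPLE00\nAWS_COGNITO_SECRET=constructed\n"
ENV_OK = 'AWS_COGNITO_KEY=AKIAEXAMPLEEXAMPLE00\nAWS_COGNITO_SECRET="constructed"\n'


def parse_env(text):
    """Parse KEY=VALUE lines, dropping surrounding quotes as dotenv loaders do."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        env[name.strip()] = value.strip().strip("\"'")
    return env


def diagnose(env, id_var="AWS_COGNITO_KEY", secret_var="AWS_COGNITO_SECRET",
             token_var="AWS_SESSION_TOKEN"):
    """List the reasons a request would be signed with unusable credentials."""
    problems = []
    key_id = env.get(id_var, "")
    for name in (id_var, secret_var):
        if not env.get(name, ""):
            problems.append(f"{name} is empty")
    if key_id and not KEY_ID_RE.match(key_id):
        problems.append(f"{id_var} does not look like an access key ID")
    if key_id.startswith("ASIA") and not env.get(token_var, ""):
        problems.append(f"{id_var} is a temporary key but {token_var} is not set")
    return problems


if __name__ == "__main__":
    for label, text in (("blank", ENV_BLANK), ("temporary", ENV_TEMP), ("ok", ENV_OK)):
        print(label, diagnose(parse_env(text)) or "no problems found")
```

Expired temporary keys pass these checks; running `aws sts get-caller-identity` with the same keys shows whether AWS still accepts them.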
I'm trying to create a project with React Native and AWS, but after entering the credentials with the "awsmobile configure" command I got the error below with "awsmobile init".
the security token included in the request is invalid
{ UnrecognizedClientException: The security token included in the request is invalid.
    at Object.extractError (/usr/local/lib/node_modules/awsmobile-cli/node_modules/aws-sdk/lib/protocol/json.js:48:27) ...
If you haven't already, you may want to try running aws configure outside of a valid awsmobile project. This will ensure that the accessKeyId, secretAccessKey and region you enter are applied to all projects you initiate.
Recently I was trying to upload an app to AWS but an error occurred:
ERROR: The current user does not have the correct permissions. Reason: Operation Denied. The security token included in the request is invalid.
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id):
(aws-secret-key):
ERROR: Operation Denied. The security token included in the request is invalid.
I was wondering where to get aws-access-id and aws-secret-key for this step in order to upload the app successfully.
Problem solved.
It turns out that the Access Key ID and Access Key can be found on:
https://console.aws.amazon.com/iam/home#/security_credential