TechQA.

AWS Cognito: Access to Identity is forbidden when calling getOpenIdToken()

8.7k views Asked by At

After successfully obtaining a cognito identity, we then try to get an openIdToken()

AWS.config.credentials.get(function(err) {
    if (!err) {
      var cognitoIdentity = new AWS.CognitoIdentity();
      cognitoIdentity.getOpenIdToken({IdentityId: AWS.config.credentials.identityId}, function(err, data) {
        if (err) console.log(err, err.stack); // an error occurred
        else     console.log(data);           // successful response
      });

    } else {
      console.log('cognito error: ' + err);
    }
  });

However this fails with:

"NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.

Full error trace:

    POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
    aws-sdk.min.js:5 [AWS cognitoidentity 400 0.192s 0 retries] getOpenIdToken({IdentityId: 'us-east-1:xxxxx' })
routing.html:64 Error: Access to Identity 'us-east-1:xxxxx' is forbidden.
    at a (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:3548)
    at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28594)
    at r.SequentialExecutor.r.util.inherit.emit (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28390)
    at a.Request.n.emitEvent (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16483)
    at u.setupStates.e (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12946)
    at r.runTo (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25031)
    at https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:7:25238
    at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:12982)
    at null.<anonymous> (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:16538)
    at r.SequentialExecutor.r.util.inherit.callListeners (https://www.example.com/bower_components/aws-sdk-js/dist/aws-sdk.min.js:6:28607) "NotAuthorizedException: Access to Identity 'us-east-1:xxxxx' is forbidden.
amazon-web-services amazon-cognito
Original Q&A
1

There are 1 answers

4
Rachit Dhall On BEST ANSWER

The two most common reasons for this error are:

  • You haven't setup the roles correctly in the identity pool configuration.
  • You are trying to get token for an authenticated identity without providing the token from the identity provider.

Please check your code for both the scenarios above, if error still persists, please PM me your identityId/identityPoolId and I will be happy to dig deeper.

Thanks,
Rachit

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-COGNITO

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions