I understand from this blog that exchanging OpenID tokens for AWS credentials is supposed to be done by the client/end-user device.
But as a POC/demo, I am trying to generate temporary AWS credentials entirely on the backend side.
As such I have the following Identity Pool and Role in my CloudFormation template:
```yaml
Resources:
  KvsIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      AllowUnauthenticatedIdentities: False
      IdentityPoolName: KVS_ID_POOL_POC
  KvsIdentityPoolAuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: esp-KvsIdentityPoolAuthenticatedRole
      # Trust policy: only identities from this pool, authenticated through the developer provider
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
              - sts:TagSession
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref KvsIdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: !Ref DevProviderName   # parameter not shown in this snippet
      # Permissions the temporary credentials will carry
      Policies:
        - PolicyName: IdentityPoolAuthenticatedRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - cognito-identity:GetCredentialsForIdentity
                Resource: "*"
              - Effect: Allow
                Action:
                  - "kinesisvideo:Describe*"
                  - "kinesisvideo:Get*"
                  - "kinesisvideo:List*"
                Resource: "*"
```
I get the OpenID token and IdentityId on running:

```shell
aws cognito-identity get-open-id-token-for-developer-identity \
  --identity-pool-id 'IdentityPoolId' \
  --logins '{"DevProviderName":"<Some User's Cognito UserID>"}'
```

But when I try to exchange that using

```shell
aws cognito-identity get-credentials-for-identity \
  --identity-id "<Freshly Generated Identity ID>"
```

I get:

```
An error occurred (NotAuthorizedException) when calling the GetCredentialsForIdentity operation: Access to Identity '<Freshly Generated Identity ID>' is forbidden.
```
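The two-step exchange the post runs through the CLI, as an added example that is not part of the original post and not AWS SDK code. Both Cognito Identity operations are JSON-1.1 calls (a POST to the regional endpoint with an `X-Amz-Target` header naming the operation), so the example builds the two request bodies directly, decodes the OpenID token's claims, and mirrors the `aud`/`amr` conditions from the trust policy above. The pool id, identity id, provider name `login.example.dev`, user id and the unsigned token are constructed sample values. The point it makes explicit: `GetCredentialsForIdentity` needs the OpenID token in a `Logins` map under the key `cognito-identity.amazonaws.com`; a call with no `Logins` map is an unauthenticated request, which a pool with `AllowUnauthenticatedIdentities: False` rejects.

```python
"""Developer-authenticated Cognito identity exchange done entirely on the backend.

Builds the bodies for GetOpenIdTokenForDeveloperIdentity and
GetCredentialsForIdentity, checks the token's claims against the role's trust
policy conditions, and can send the second (unsigned) call. Sample values at
the bottom are constructed for offline use.
"""
import base64
import fnmatch
import json
import urllib.request
from typing import List, Optional

COGNITO_IDENTITY = "cognito-identity.amazonaws.com"   # Logins key for step 2
TARGET_PREFIX = "AWSCognitoIdentityService."
CONTENT_TYPE = "application/x-amz-json-1.1"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def headers_for(operation: str) -> dict:
    """Headers that select a Cognito Identity operation on the JSON-1.1 endpoint."""
    return {"X-Amz-Target": TARGET_PREFIX + operation, "Content-Type": CONTENT_TYPE}


def open_id_token_request(identity_pool_id: str, developer_provider_name: str,
                          user_id: str, identity_id: Optional[str] = None) -> dict:
    """Body for GetOpenIdTokenForDeveloperIdentity (step 1).

    Logins is keyed by the pool's DeveloperProviderName. This call must be
    SigV4-signed with the backend's own AWS credentials (the CLI/SDK does
    that), so only the body is built here.
    """
    body = {"IdentityPoolId": identity_pool_id,
            "Logins": {developer_provider_name: user_id}}
    if identity_id is not None:   # reuse an existing identity instead of minting one
        body["IdentityId"] = identity_id
    return body


def token_claims(token: str) -> dict:
    """Payload of the OpenID token. Not signature-verified here: the backend got
    it from Cognito over TLS, and Cognito re-validates it in step 2."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def credentials_request(identity_id: str, open_id_token: Optional[str],
                        allow_unauthenticated: bool = False) -> dict:
    """Body for GetCredentialsForIdentity (step 2).

    An authenticated identity must present its token in Logins under the key
    cognito-identity.amazonaws.com. Without Logins the call is an
    unauthenticated request and fails on a pool that disallows those.
    """
    if open_id_token is None:
        if not allow_unauthenticated:
            raise ValueError("no OpenID token and unauthenticated identities are disabled")
        return {"IdentityId": identity_id}
    claims = token_claims(open_id_token)
    if claims.get("sub") != identity_id:   # token was issued for a different identity
        raise ValueError(f"token sub {claims.get('sub')!r} != IdentityId {identity_id!r}")
    return {"IdentityId": identity_id, "Logins": {COGNITO_IDENTITY: open_id_token}}


def satisfies_trust_policy(claims: dict, identity_pool_id: str, amr_pattern: str) -> bool:
    """Mirror of the role's conditions: StringEquals on ...:aud against the pool id,
    ForAnyValue:StringLike (shell-style wildcards) on ...:amr against the provider."""
    return claims.get("aud") == identity_pool_id and any(
        fnmatch.fnmatchcase(value, amr_pattern) for value in claims.get("amr", []))


def get_credentials(region: str, body: dict) -> dict:
    """Send GetCredentialsForIdentity; it is not SigV4-signed, so urllib suffices."""
    request = urllib.request.Request(
        f"https://cognito-identity.{region}.amazonaws.com/",
        data=json.dumps(body).encode(), method="POST",
        headers=headers_for("GetCredentialsForIdentity"))
    with urllib.request.urlopen(request) as response:
        return json.loads(response.read())


def make_sample_token(sub: str, aud: str, amr: List[str]) -> str:
    """Constructed, unsigned token with the claim shape Cognito returns (offline only)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "aud": aud, "amr": amr}).encode())
    return f"{header}.{payload}."


# Constructed sample identifiers
SAMPLE_POOL = "us-east-1:11111111-2222-3333-4444-555555555555"
SAMPLE_IDENTITY = "us-east-1:66666666-7777-8888-9999-aaaaaaaaaaaa"
SAMPLE_PROVIDER = "login.example.dev"
SAMPLE_TOKEN = make_sample_token(SAMPLE_IDENTITY, SAMPLE_POOL, ["authenticated", SAMPLE_PROVIDER])

if __name__ == "__main__":
    print(json.dumps(open_id_token_request(SAMPLE_POOL, SAMPLE_PROVIDER, "user-42"), indent=2))
    print(json.dumps(credentials_request(SAMPLE_IDENTITY, SAMPLE_TOKEN), indent=2))
    print(satisfies_trust_policy(token_claims(SAMPLE_TOKEN), SAMPLE_POOL, SAMPLE_PROVIDER))
```

Two checks on the template before trying step 2 again: the snippet in the post does not show a `DeveloperProviderName` on the identity pool (the `Logins` key in step 1 has to match it) or an `AWS::Cognito::IdentityPoolRoleAttachment` that binds the role as the pool's authenticated role; if they live elsewhere in the template, fine, otherwise the role cannot be assumed even with the correct `Logins` map.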