Invalid access key error using credentials redeemed from an amazon open id token


Question


I'm getting an Invalid access key error using credentials redeemed from an amazon open id token from cognito

Here's what I'm doing

  1. Get developer authenticated open id token

    // The developer-authenticated response carries IdentityId and Token directly;
    // openIdToken.Token is what step 2 sends to STS
    cognito.getOpenIdTokenForDeveloperIdentity(params, function (err, data) {
        if (err) throw err;
        openIdToken = data;
    });

  2. Redeem open id token for security credentials, I set the params to the Cognito Auth role and set an arbitrary role session name. I use the token from step 1. There is no place where I set the identity id from step 1.

    it('should be able to exchange temporary open id token for auth credentials', function (done) {
        var sts = new AWS.STS();
        var params = {
            RoleArn: roleArn,
            RoleSessionName: 'photo-upload-session',
            WebIdentityToken: openIdToken.Token
        };
        sts.assumeRoleWithWebIdentity(params, function(err, data) {
            should.not.exist(err);

            should.exist(data.Credentials.AccessKeyId);
            should.exist(data.Credentials.SecretAccessKey);
            should.exist(data.Credentials.SessionToken);
            credentials = data.Credentials;

            done();
        });
    });

  3. I update the current credentials

    // Only the key id and secret from the STS result are copied here; the SessionToken is not passed along
    AWS.config.update({accessKeyId : credentials.AccessKeyId, secretAccessKey:credentials.SecretAccessKey});

  4. I upload a file to s3 and get the [InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.] error

*edit: using Bob Kinney's advice I tried two methods - setting the sessionToken (which worked) and using the Cognito credentials which gave a TypeError not a buffer error. The CognitoIdentityCredentials example is below.

    // fs is needed for the read stream; config, openIdToken and done come from the test setup above
    var fs = require('fs');

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
       IdentityPoolId:config.get('aws_identity_pool_id'),
       Logins: {
         'cognito-identity.amazonaws.com': openIdToken.Token
       }
    });

    var body = fs.createReadStream(__dirname + '/test_photo.jpg');

    var s3obj = new AWS.S3({params: {Bucket: 'test-uploads', Key: 'test'}});

    s3obj.upload({Body: body}).
        on('httpUploadProgress', function(evt) { console.log(evt); }).
        send(function(err, data) {
            should.not.exist(err);
            done();
        });

** update

So moving back to the java client error, we are using the openid token (which was tested to be working correctly with the sts.assumeRoleWithWebIdentity) and passing that token into an extension of AWSAbstractCognitoIdentityProvider (code taken from this link http://docs.aws.amazon.com/cognito/devguide/identity/developer-authenticated-identities/) - then using that identity to upload to s3 getting the error

CustomAwsIdentityProvider provider = CustomAwsIdentityProvider.newInstance(this, BuildConfig.AWS_COGNITO_POOL_ID, Regions.US_EAST_1);

CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(this, provider, Regions.US_EAST_1);

TransferManager tm = new TransferManager(credentialsProvider);
tm.upload("my-upload", uuid.toString(), file);

Solution

Sorry for the issues. It appears you are using the JavaScript SDK. When using this flow you can use the standard AWS.CognitoIdentityCredentials object as mentioned in the developer guide using the key of cognito-identity.amazonaws.com and the value as the OpenId Connect token returned from the getOpenIdTokenForDeveloperIdentity call.

The reason for the error you are seeing is that you are not including the sessionToken from the STS result. Using the AWS.CognitoIdentityCredentials object should resolve this for you.

Update 2015-07-21: There is a small issue in the SDK that will unfortunately prevent AWS.CognitoIdentityCredentials from working as I described it. We are working on mitigating this issue.

Update 2015-07-24: You should be able to use the following to use the AWS.CognitoIdentityCredentials with your developer authenticated identity:

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'MY_IDENTITY_POOL',
  IdentityId: data.IdentityId,
  Logins: {
    'cognito-identity.amazonaws.com': data.Token
  }
});

Where data is the response from GetOpenIdTokenForDeveloperIdentity.
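The two credential shapes from the answer, as an added example that is not code from the question, the answer or the AWS SDK. It builds the objects that `AWS.config.update()` and `new AWS.CognitoIdentityCredentials()` take without calling AWS, and rejects the state step 3 ended up in, where the STS SessionToken was dropped; the helper names and the sample response values are constructed for this example.

```javascript
// Added example, not code from the question, the answer or the AWS SDK.
// Field names follow the AWS SDK v2 response objects; sample values are constructed.

// data = result of sts.assumeRoleWithWebIdentity; returns what AWS.config.update() takes.
function credentialsFromStsResult(data) {
  var c = data && data.Credentials;
  if (!c) throw new Error('STS result has no Credentials');
  var missing = ['AccessKeyId', 'SecretAccessKey', 'SessionToken'].filter(function (k) {
    return typeof c[k] !== 'string' || c[k].length === 0;
  });
  if (missing.length) {
    // Step 3 of the question dropped SessionToken: a temporary key id is only valid with its token
    throw new Error('incomplete temporary credentials, missing: ' + missing.join(', '));
  }
  // Temporary access key ids start with ASIA (long-term ones with AKIA)
  if (c.AccessKeyId.indexOf('ASIA') !== 0) {
    throw new Error('expected a temporary access key id, got prefix ' + c.AccessKeyId.slice(0, 4));
  }
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey, sessionToken: c.SessionToken };
}

// data = result of cognito.getOpenIdTokenForDeveloperIdentity; returns the constructor
// argument for AWS.CognitoIdentityCredentials shown in the 2015-07-24 update.
function cognitoCredentialParams(identityPoolId, data) {
  if (!data || typeof data.Token !== 'string' || typeof data.IdentityId !== 'string') {
    throw new Error('expected {IdentityId, Token} from getOpenIdTokenForDeveloperIdentity');
  }
  return {
    IdentityPoolId: identityPoolId,
    IdentityId: data.IdentityId,
    Logins: { 'cognito-identity.amazonaws.com': data.Token }
  };
}

// Constructed sample responses (placeholder values, not real credentials or identities)
var SAMPLE_STS = { Credentials: { AccessKeyId: 'ASIAEXAMPLE0000000', SecretAccessKey: 'example-secret', SessionToken: 'example-session-token' } };
var SAMPLE_OPENID = { IdentityId: 'us-east-1:00000000-0000-0000-0000-000000000000', Token: 'example.openid.token' };

// What the buggy step 3 kept: key id and secret without the session token
var STEP3_ONLY = { Credentials: { AccessKeyId: SAMPLE_STS.Credentials.AccessKeyId, SecretAccessKey: SAMPLE_STS.Credentials.SecretAccessKey } };

// true when the incomplete triple is rejected for the missing SessionToken
function step3Fails() {
  try { credentialsFromStsResult(STEP3_ONLY); return false; } catch (e) { return /SessionToken/.test(e.message); }
}

console.log(credentialsFromStsResult(SAMPLE_STS));
console.log(cognitoCredentialParams('MY_IDENTITY_POOL', SAMPLE_OPENID));
console.log('step 3 rejected:', step3Fails());
```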
