ios - cognito - Access to Identity is forbidden -


I am trying to understand Amazon Cognito by listing the contents of an S3 folder after logging in through Facebook. The Facebook login works fine, but when I tap the test button (cmdtests3tapped) it throws the following error.

I included amazonclientmanager.h, amazonclientmanager.m and constants.h from the example project Amazon provided. The constants are given below. Can anyone help me resolve this issue?

// Cognito sample constants (from the project's constants.h); the account id and
// pool id are redacted placeholders in this post.
#define awsaccountid @"myaccountid"
#define cognitopoolid @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
// NOTE(review): as far as these constants show, the authenticated and the
// unauthenticated role macros resolve to the same role ARN, so guest
// (unauthenticated) identities are handed exactly the permissions of
// Facebook-authenticated users — including the "s3:*" on "*" grant in the
// policy quoted below. A separate, narrower role for the unauthenticated side
// keeps a failed or skipped login from yielding full S3 access.
#define cognitoroleauth @"arn:aws:iam::myaccountid:role/cognito_iostestpoolauth_defaultrole"
#define cognitoroleunauth @"arn:aws:iam::myaccountid:role/cognito_iostestpoolauth_defaultrole"

This is the role cognito_iostestpoolauth_defaultrole:

{     "version": "2012-10-17",     "statement": [{         "action": [             "mobileanalytics:putevents",             "cognito-sync:*"         ],         "effect": "allow",         "resource": [             "*"         ],         "effect": "allow",         "action": "s3:*",         "resource": "*"     }] } 

Here is the trust relationship:

{   "version": "2012-10-17",   "statement": [     {       "sid": "",       "effect": "allow",       "principal": {         "federated": "cognito-identity.amazonaws.com"       },       "action": "sts:assumerolewithwebidentity",       "condition": {         "stringequals": {           "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"         },         "foranyvalue:stringlike": {           "cognito-identity.amazonaws.com:amr": "unauthenticated"         }       }     }   ] } 

Here is the code I am using:

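// View-controller actions from the Cognito + Facebook login test app.
// NOTE(review): the listing this was restored from was entirely lowercased;
// class, method and property casing has been restored to Cocoa/AWS SDK v2
// convention — confirm against the project headers (AmazonClientManager,
// constants.h) before building.

/// Starts the Facebook login through the shared AmazonClientManager and
/// refreshes the UI on the main queue once it completes, success or failure.
/// @param sender The tapped control (unused).
- (IBAction)cmdLoginWithFB:(id)sender {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
    [self disableUI];
    [[AmazonClientManager sharedInstance] loginFromView:self.view
                                   withCompletionHandler:^(NSError *error) {
        // The completion handler is not guaranteed to run on the main thread,
        // so UI work is hopped back onto it. The error is deliberately not
        // inspected here: refreshUI re-reads isLoggedIn to decide what to show.
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];
}

/// Re-enables the controls and reflects the client's current login state.
- (void)refreshUI {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
    //self.browseDataButton.enabled = YES;
    self.cmdLoginWithFB.enabled = YES;
    BOOL loggedIn = [[AmazonClientManager sharedInstance] isLoggedIn];
    if (loggedIn) {
        // Fix: writing titleLabel.text directly is overwritten by UIButton's own
        // state handling; setTitle:forState: is the supported way to relabel.
        [self.cmdLoginWithFB setTitle:@"link" forState:UIControlStateNormal];
        NSLog(@"-----------loged in -------------->");
    } else {
        [self.cmdLoginWithFB setTitle:@"login" forState:UIControlStateNormal];
        NSLog(@"-----------not loged in -------------->");
    }
    self.cmdLogoutWipe.enabled = loggedIn;
}

/// Test button: runs the S3 fetch only when the client reports a login.
/// NOTE(review): per the log in this thread, isLoggedIn reports YES from the
/// Facebook session alone while the Cognito credential refresh still fails
/// (NotAuthorizedException), so this guard does not establish AWS access.
/// @param sender The tapped control (unused).
- (IBAction)cmdTestS3Tapped:(id)sender {
    if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
        NSLog(@"-----------loged in -------------->");
        [self testListBucket];
    } else {
        NSLog(@"-----------not loged in -------------->");
    }
}

/// Fetches "image1.jpg" from the "multix-test" bucket with the default S3
/// client and, on success, interprets the body as a URL and opens it.
/// Failures (including Cognito credential refresh failures) are only logged.
- (void)testListBucket {
    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = @"image1.jpg";
    getObjectRequest.bucket = @"multix-test";

    NSLog(@"============================================>");

    // The default service configuration has already been set up elsewhere
    // (AmazonClientManager); the explicit form is kept for reference.
    //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];

    AWSS3 *s3 = [AWSS3 defaultS3];

    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if (task.error) {
            // Cognito/S3 failures surface here — e.g. the NotAuthorizedException
            // in this thread when the role's trust policy rejects the identity.
            NSLog(@"error: %@", task.error);
            return nil;
        }
        NSLog(@"got file");
        // Assumes the object body is UTF-8 text containing a URL; the key name
        // suggests an image, so confirm this is the intended test object.
        NSData *data = [task.result body];
        NSString *urlString = [[NSString alloc] initWithData:data
                                                    encoding:NSUTF8StringEncoding];
        NSURL *url = urlString ? [[NSURL alloc] initWithString:urlString] : nil;
        // Fix: this continuation runs on a background thread and initWithString:
        // returns nil for malformed input, so the UIApplication calls are moved
        // to the main queue and skipped for a nil URL. openURL: hands the URL to
        // whatever app handles its scheme; if the bucket contents are not fully
        // trusted, restrict the accepted schemes (e.g. to https) before opening.
        if (url) {
            dispatch_async(dispatch_get_main_queue(), ^{
                if ([[UIApplication sharedApplication] canOpenURL:url]) {
                    [[UIApplication sharedApplication] openURL:url];
                }
            });
        }
        return nil;
    }];
    NSLog(@"============================================>");
}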

Error:

2014-11-26 20:58:24.048 fblogintest[2647:83767] initializing clients... 2014-11-26 20:58:24.055 fblogintest[2647:83767] -----------loged in --------------> 2014-11-26 20:58:33.542 fblogintest[2647:83767] -----------loged in --------------> 2014-11-26 20:58:33.542 fblogintest[2647:83767] ============================================> 2014-11-26 20:58:33.551 fblogintest[2647:83767] ============================================> 2014-11-26 20:58:33.554 fblogintest[2647:88515] awsiossdkv2 [verbose] awsurlrequestserialization.m line:110 | -[awsjsonrequestserializer serializerequest:headers:parameters:] | request body: [{"identityid":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}] 2014-11-26 20:58:34.870 fblogintest[2647:88605] awsiossdkv2 [debug] awsurlresponseserialization.m line:85 | -[awsjsonresponseserializer responseobjectforresponse:originalrequest:currentrequest:data:error:] | response header: [{     "content-length" = 129;     "content-type" = "application/x-amz-json-1.1";     date = "wed, 26 nov 2014 16:58:34 gmt";     nncoection = close;     "x-amzn-requestid" = "7558584c-758d-11e4-a92d-11020f90ea0e"; }] 2014-11-26 20:58:34.871 fblogintest[2647:88605] awsiossdkv2 [verbose] awsurlresponseserialization.m line:90 | -[awsjsonresponseserializer responseobjectforresponse:originalrequest:currentrequest:data:error:] | response body: [{"__type":"notauthorizedexception","message":"access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden."}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] awsiossdkv2 [error] awsidentityprovider.m line:212 | __42-[awsbasiccognitoidentityprovider refresh]_block_invoke_2 | getopenidtoken failed. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. 
(com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] awsiossdkv2 [error] awscredentialsprovider.m line:433 | __40-[awscognitocredentialsprovider refresh]_block_invoke293 | unable refresh. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. (com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] error: error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. (com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.} 

I think the trust relationship is incorrect. It should be:

 "foranyvalue:stringlike": {           "cognito-identity.amazonaws.com:amr": "authenticated"         } 

because your users are authenticated through Facebook, while the trust relationship you gave only allows unauthenticated users.

See Bob's three-part blog for more details on Cognito, roles and trust relationships:

part 1 : http://mobile.awsblog.com/post/tx2uqn4kwi6gdjl/understanding-amazon-cognito-authentication

part 2 : http://mobile.awsblog.com/post/tx2fl1qapde0uah/understanding-amazon-cognito-authentication-part-2-developer-authenticated-ident

part 3 : http://mobile.awsblog.com/post/tx1osmbrhzvm9v0/understanding-amazon-cognito-authentication-part-3-roles-and-policies

