iOS - Cognito - "Access to Identity is forbidden"
I am trying to understand Amazon Cognito: I want to list the contents of an S3 folder after logging in through Facebook. The Facebook login works fine, but when I tap the test button (cmdTestS3Tapped) the following error is thrown.
I included AmazonClientManager.h, AmazonClientManager.m and Constants.h from the example project Amazon provided. The constants are given below. Can anyone help me resolve this issue?
// Cognito configuration read by AmazonClientManager (account and pool IDs
// redacted by the poster).
#define awsaccountid @"myaccountid"
#define cognitopoolid @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
// NOTE(review): both role macros carry the same role ARN, so authenticated and
// unauthenticated identities are handed the same role; that role's trust
// policy (posted below) is conditioned on amr == "unauthenticated".
#define cognitoroleauth @"arn:aws:iam::myaccountid:role/cognito_iostestpoolauth_defaultrole"
#define cognitoroleunauth @"arn:aws:iam::myaccountid:role/cognito_iostestpoolauth_defaultrole"
This is the policy attached to the role cognito_iostestpoolauth_defaultrole:
{ "version": "2012-10-17", "statement": [{ "action": [ "mobileanalytics:putevents", "cognito-sync:*" ], "effect": "allow", "resource": [ "*" ], "effect": "allow", "action": "s3:*", "resource": "*" }] }
Here is the trust relationship:
{ "version": "2012-10-17", "statement": [ { "sid": "", "effect": "allow", "principal": { "federated": "cognito-identity.amazonaws.com" }, "action": "sts:assumerolewithwebidentity", "condition": { "stringequals": { "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx" }, "foranyvalue:stringlike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" } } } ] }
Here is the code I am using:
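#pragma mark - Actions

/// Starts the Facebook login flow through AmazonClientManager and refreshes the
/// UI once the flow completes, whether it succeeded or not.
/// @param sender The button that triggered the action (unused).
- (IBAction)cmdLoginWithFB:(id)sender {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
    [self disableUI];

    [[AmazonClientManager sharedInstance] loginFromView:self.view
                                  withCompletionHandler:^(NSError *error) {
        // The original dropped `error`, so a failed login only showed up as
        // "not loged in" in refreshUI; log it so the cause is visible.
        if (error) {
            NSLog(@"login failed: %@", error);
        }
        // The handler may be invoked off the main queue; UI work goes back
        // to main.
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];
}

/// Re-enables the login controls and reflects the current login state in the
/// button titles. Expected to run on the main queue.
- (void)refreshUI {
    [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
    //self.browseDataButton.enabled = YES;
    self.cmdLoginWithFB.enabled = YES;

    // Ask the client manager once; the title and the logout button depend on
    // the same answer.
    BOOL loggedIn = [[AmazonClientManager sharedInstance] isLoggedIn];

    // UIButton titles are per-state; assigning titleLabel.text directly is
    // overwritten the next time the button lays out, so use the state-aware
    // setter.
    NSString *title = loggedIn ? @"link" : @"login";
    [self.cmdLoginWithFB setTitle:title forState:UIControlStateNormal];
    if (loggedIn) {
        NSLog(@"-----------loged in -------------->");
    } else {
        NSLog(@"-----------not loged in -------------->");
    }
    self.cmdLogoutWipe.enabled = loggedIn;
}

/// Exercises the S3 credentials obtained through Cognito; only runs when the
/// client manager reports a logged-in user.
/// @param sender The button that triggered the action (unused).
- (IBAction)cmdTestS3Tapped:(id)sender {
    if (![[AmazonClientManager sharedInstance] isLoggedIn]) {
        NSLog(@"-----------not loged in -------------->");
        return;
    }
    NSLog(@"-----------loged in -------------->");
    [self testListBucket];
}

/// Fetches a fixed object ("image1.jpg" in bucket "multix-test") with the
/// default AWSS3 client, reads its body as a UTF-8 URL string and opens it.
/// Despite the name this is a GetObject call, not a ListObjects call; the
/// Cognito credential refresh it triggers is where the NotAuthorizedException
/// from the question surfaces.
- (void)testListBucket {
    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = @"image1.jpg";
    getObjectRequest.bucket = @"multix-test";

    NSLog(@"============================================>");
    // Default service has been configured.
    //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
    AWSS3 *s3 = [AWSS3 defaultS3];

    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if (task.error) {
            NSLog(@"error: %@", task.error);
            return nil;
        }
        NSLog(@"got file");

        // Validate the payload before handing it to UIApplication: the body
        // may not be NSData, may not decode as UTF-8, and may not be a URL at
        // all -- and -[NSURL initWithString:] raises on a nil string. The
        // object content is data fetched from the bucket, so only open
        // http/https links from it.
        id body = [task.result body];
        NSData *data = [body isKindOfClass:[NSData class]] ? body : nil;
        NSString *urlString = data
            ? [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]
            : nil;
        NSURL *url = urlString.length > 0 ? [[NSURL alloc] initWithString:urlString] : nil;
        NSString *scheme = url.scheme.lowercaseString;
        BOOL isWebURL = [scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"];
        if (!url || !isWebURL) {
            NSLog(@"object body is not an http(s) URL; not opening it");
            return nil;
        }

        // The SDK continues the task on a background thread (the question's
        // log shows a different thread id for the callback); UIApplication
        // must be driven from the main queue.
        dispatch_async(dispatch_get_main_queue(), ^{
            UIApplication *app = [UIApplication sharedApplication];
            if ([app canOpenURL:url]) {
                [app openURL:url];
            }
        });
        return nil;
    }];
    NSLog(@"============================================>");
}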
error
2014-11-26 20:58:24.048 fblogintest[2647:83767] initializing clients... 2014-11-26 20:58:24.055 fblogintest[2647:83767] -----------loged in --------------> 2014-11-26 20:58:33.542 fblogintest[2647:83767] -----------loged in --------------> 2014-11-26 20:58:33.542 fblogintest[2647:83767] ============================================> 2014-11-26 20:58:33.551 fblogintest[2647:83767] ============================================> 2014-11-26 20:58:33.554 fblogintest[2647:88515] awsiossdkv2 [verbose] awsurlrequestserialization.m line:110 | -[awsjsonrequestserializer serializerequest:headers:parameters:] | request body: [{"identityid":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}] 2014-11-26 20:58:34.870 fblogintest[2647:88605] awsiossdkv2 [debug] awsurlresponseserialization.m line:85 | -[awsjsonresponseserializer responseobjectforresponse:originalrequest:currentrequest:data:error:] | response header: [{ "content-length" = 129; "content-type" = "application/x-amz-json-1.1"; date = "wed, 26 nov 2014 16:58:34 gmt"; nncoection = close; "x-amzn-requestid" = "7558584c-758d-11e4-a92d-11020f90ea0e"; }] 2014-11-26 20:58:34.871 fblogintest[2647:88605] awsiossdkv2 [verbose] awsurlresponseserialization.m line:90 | -[awsjsonresponseserializer responseobjectforresponse:originalrequest:currentrequest:data:error:] | response body: [{"__type":"notauthorizedexception","message":"access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden."}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] awsiossdkv2 [error] awsidentityprovider.m line:212 | __42-[awsbasiccognitoidentityprovider refresh]_block_invoke_2 | getopenidtoken failed. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. 
(com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] awsiossdkv2 [error] awscredentialsprovider.m line:433 | __40-[awscognitocredentialsprovider refresh]_block_invoke293 | unable refresh. error [error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. (com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.}] 2014-11-26 20:58:34.873 fblogintest[2647:88605] error: error domain=com.amazonaws.awscognitoidentityerrordomain code=8 "the operation couldn’t completed. (com.amazonaws.awscognitoidentityerrordomain error 8.)" userinfo=0x7fd042491650 {__type=notauthorizedexception, message=access identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' forbidden.}
I think the trust relationship is incorrect. It should be:
"foranyvalue:stringlike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
because your users are authenticated through Facebook, while the trust relationship you posted only lets unauthenticated identities (amr "unauthenticated") assume the role.
See Bob's three-part blog series for more details on Cognito, roles and trust relationships:
part 1 : http://mobile.awsblog.com/post/tx2uqn4kwi6gdjl/understanding-amazon-cognito-authentication