Hello.
Isn't it necessary to allow "sts:TagSession" in the trust policy of the IAM role set in the Cognito ID pool, as described in the following document?
https://docs.aws.amazon.com/cognito/latest/developerguide/using-afac-with-cognito-identity-pools.html
Grant permission to assume the role with the action AssumeRoleWithWebIdentity. Grant permission to tag users' sessions with the permission-only action sts:TagSession. For more information, see Passing session tags in AWS Security Token Service in the AWS Identity and Access Management User Guide. For an example trust policy that grants sts:AssumeRoleWithWebIdentity and sts:TagSession permissions to the Amazon Cognito service principal cognito-identity.amazonaws.com, see Using attributes for access control policy example.
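As an added example (not code from this thread or from AWS), the following Python script embeds the kind of trust policy the quoted documentation describes, with both sts:AssumeRoleWithWebIdentity and sts:TagSession granted to the cognito-identity.amazonaws.com service principal, and checks a policy document for the things a reviewer would look for: both actions granted, the cognito-identity.amazonaws.com:aud condition pinned to the identity pool, and an amr condition present. The identity pool id, the Sid names and the second "missing TagSession" policy are all constructed for the demonstration.

```python
import json

COGNITO_PRINCIPAL = "cognito-identity.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:TagSession"}

# Constructed placeholder; a real identity pool id has the form <region>:<uuid>.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

# Trust policy shaped like the one the Cognito docs describe (constructed sample).
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CognitoAuthenticated",
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
    "Condition": {
      "StringEquals": {"cognito-identity.amazonaws.com:aud": "__POOL_ID__"},
      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}
    }
  }]
}""".replace("__POOL_ID__", POOL_ID))

# Same policy with only the assume action (also exercises the scalar "Action" form).
MISSING_TAGSESSION_POLICY = json.loads(json.dumps(GOOD_TRUST_POLICY))
MISSING_TAGSESSION_POLICY["Statement"][0]["Action"] = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM policy JSON allows a scalar wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(actions, wanted):
    """True if an Action list grants `wanted`, literally or via sts:* / *."""
    return any(a in (wanted, "sts:*", "*") for a in actions)


def cognito_trust_findings(policy, identity_pool_id):
    """Return a list of problems with a Cognito identity pool role trust policy.

    An empty list means every Allow statement for the Cognito service principal
    that grants one of the required actions is pinned to the given pool and
    carries an amr condition, and both required actions are granted somewhere.
    """
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or COGNITO_PRINCIPAL not in federated:
            continue
        actions = _as_list(stmt.get("Action"))
        stmt_grants = {a for a in REQUIRED_ACTIONS if _covers(actions, a)}
        if not stmt_grants:
            continue
        granted |= stmt_grants
        sid = stmt.get("Sid", "?")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{COGNITO_PRINCIPAL}:aud"))
        if identity_pool_id not in aud:
            findings.append(
                f"statement {sid} grants {sorted(stmt_grants)} without pinning "
                f"{COGNITO_PRINCIPAL}:aud to {identity_pool_id}"
            )
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO_PRINCIPAL}:amr"))
        if not amr:
            findings.append(
                f"statement {sid} has no {COGNITO_PRINCIPAL}:amr condition "
                "(does not distinguish authenticated from unauthenticated identities)"
            )
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing {action} for {COGNITO_PRINCIPAL}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("no-TagSession", MISSING_TAGSESSION_POLICY)):
        print(name, cognito_trust_findings(policy, POOL_ID) or "OK")
```

The check deliberately evaluates the aud and amr conditions per statement, not across the whole document, because a condition on one statement does nothing to restrict a separate statement that grants the actions without it.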
Hi Riku, thanks for the answer. I actually already have TagSession included; I'd had the error previously without it, where it was throwing an InvalidIdentityPoolConfigurationException, but that has since been resolved.
How are Cognito ID pool attributes and PrincipalTag's Key set? I think you can see it from the Cognito identity pool authentication provider screen.
You might also want to check in CloudTrail in your current region or us-east-1 (depending on which STS endpoint is getting called) what it shows as being included in the AssumeRoleWithWebIdentity API call. I'm not sure if the session tags are logged in CloudTrail, but if they are, that should give a good overview of what to expect to be present in the IAM request context keys.

In CloudTrail, I think it is recorded in an event called "InitiateAuth". I think the event contains the "sub" attribute as shown below.
According to https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds, the original AssumeRoleWithWebIdentity API call, including its full response, should also be included in CloudTrail. An important thing to note is that STS can be called in pretty much any region, and CloudTrail in one region wouldn't show calls made in another region. The global STS endpoint is in us-east-1.