CognitoIdentityCredentials is not including the logins set when getting credentials, making all requests unauthenticated #2941

Closed
ja6lee opened this issue Nov 9, 2023 · 5 comments

ja6lee commented Nov 9, 2023

Describe the bug

When using CognitoIdentityCredentials, the logins passed in in the initializer are not used when getting credentials from AWS, so the request appears as unauthenticated. Unless I am misunderstanding what this class does, it should be including those logins with the requests to get credentials.

If instead you do almost exactly what CognitoIdentityCredentials is doing except including logins:

    identity_id = @client.get_id(identity_pool_id: <IDENTITY_POOL_ID>).identity_id
    credentials = @client.get_credentials_for_identity(
      identity_id: identity_id,
      logins: {
        "accounts.google.com" => <id_token_from_google>
      }
    )

It successfully fetches credentials.

Expected Behavior

The logins passed in are included with the call to get_credentials_for_identity.

Current Behavior

The logins are not passed in when calling get_credentials_for_identity so you receive the following error:

Unauthenticated access is not supported for this identity pool.

Reproduction Steps

Steps to reproduce:

  1. Set up an identity pool on AWS that only accepts 3rd party logins (e.g. Google). No guest access.
  2. Create a CognitoIdentityCredentials provider and include logins. E.g.:
    Aws::CognitoIdentity::CognitoIdentityCredentials.new(
      identity_pool_id: <IDENTITY_POOL_ID>,
      logins: {
        "accounts.google.com" => <id_token_from_google>
      }
    )
  3. Receive an error from AWS: Unauthenticated access is not supported for this identity pool.

Possible Solution

Add logins to the refresh function here:
https://github.com/aws/aws-sdk-ruby/blob/903cfb08e01e439c8d115ad8f6428a7539f7b142/gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb#L122C20-L122C20

e.g.

resp = @client.get_credentials_for_identity(
  identity_id: identity_id,
  custom_role_arn: @custom_role_arn,
  logins: @logins
)

Additional Information/Context

No response

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-cognitoidentity (1.49.0)

Environment details (Version of Ruby, OS environment)

Ruby 3.2.2, OS: Mac OSX

@ja6lee ja6lee added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 9, 2023
@jterapin jterapin added investigating Issue is being investigated and removed needs-triage This issue or PR still needs to be triaged. labels Nov 9, 2023
@jterapin jterapin self-assigned this Nov 9, 2023
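
The following regression check is an added example, not code from the issue or from aws-sdk-ruby: it asserts that the logins map given to a credential provider reaches get_credentials_for_identity. `FakeCognitoClient`, `SketchProvider`, `forward_logins` and `logins_forwarded?` are hypothetical names, the fake models only the two calls quoted in the issue, and all ids and tokens are constructed.

```ruby
# Constructed stand-in for an identity pool with guest access disabled.
# Not the AWS SDK: it records each call and rejects requests without logins.
class FakeCognitoClient
  Unauthenticated = Class.new(StandardError)
  attr_reader :calls

  def initialize
    @calls = []
  end

  def get_id(identity_pool_id:)
    @calls << [:get_id, { identity_pool_id: identity_pool_id }]
    Struct.new(:identity_id).new('constructed-identity-id')
  end

  def get_credentials_for_identity(identity_id:, custom_role_arn: nil, logins: nil)
    @calls << [:get_credentials_for_identity, { identity_id: identity_id, logins: logins }]
    if logins.nil? || logins.empty?
      raise Unauthenticated, 'Unauthenticated access is not supported for this identity pool.'
    end
    Struct.new(:credentials).new(:constructed_credentials)
  end
end

# Hypothetical, simplified provider. forward_logins: false reproduces the
# reported behaviour; true applies the change proposed in the issue.
class SketchProvider
  def initialize(client:, identity_pool_id:, logins: {}, custom_role_arn: nil, forward_logins: true)
    @client = client
    @identity_pool_id = identity_pool_id
    @logins = logins
    @custom_role_arn = custom_role_arn
    @forward_logins = forward_logins
  end

  def refresh
    identity_id = @client.get_id(identity_pool_id: @identity_pool_id).identity_id
    params = { identity_id: identity_id, custom_role_arn: @custom_role_arn }
    params[:logins] = @logins if @forward_logins
    @client.get_credentials_for_identity(**params).credentials
  end
end

# True only when the last credentials request carried exactly the configured logins.
def logins_forwarded?(client, expected)
  call = client.calls.reverse.find { |name, _| name == :get_credentials_for_identity }
  !call.nil? && call[1][:logins] == expected
end
```

Asserting on the recorded request parameters, rather than only on whether credentials came back, also catches the omission against a pool that allows guest access, where the call would succeed with unauthenticated-role credentials.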

jterapin commented Nov 9, 2023

Thank you for reaching out to us! I will be taking a look.


jterapin commented Nov 9, 2023

This is in our internal queue and we will release a fix.

@jterapin jterapin removed the investigating Issue is being investigated label Nov 10, 2023
@mullermp

This was fixed in #2944

@mullermp

1.49.1 (2023-11-15)
