aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

AWS Transcribe returning AccessDeniedException #840

Closed waynemock closed 6 years ago

waynemock commented 6 years ago

I am working on a macOS app that will use the AWS Transcribe service. I've ported the AWS iOS SDK over to macOS. Things like MobileHub, Cognito, and S3 work fine from my macOS App. For example, I'm able to write/read files to/from S3 without issue.

Currently, the iOS SDK does not have AWS Transcribe support. I'm in the process of adding it to the SDK. I've run into an issue with the role I'm using. All 3 Transcribe actions return "AccessDeniedException" with the message "User: arn:aws:sts::xxxxxxxxxxxxx:assumed-role/xxxxxxxxxx/CognitoIdentityCredentials is not authorized to perform: transcribe:". is either ListTranscriptionJobs, StartTranscriptionJob, or GetTranscriptionJob.

I can use this same role both with the AWS CLI and the AWS Transcribe console without any issues. All the Transcribe commands work. Given that, I believe that I have the role set up properly in IAM.

So, here's my question. Is the AWS Transcribe service somehow aware there is no support for AWS Transcribe in the iOS SDK and is blocking the request? I'm at a dead end here and either need help from the iOS SDK team or the Transcribe team (which I'm reaching out to as well).

Let me know if you need more details.

To help us solve your problem better, please answer the following list of questions.

Cognito, S3, Transcribe (which I'm developing)

2.6.12

Both

No

No

Prebuilt frameworks

I have the code in a branch of my fork: https://github.com/waynemock/aws-sdk-ios/tree/aws-transcribe

I'm using the AWSmacOSSDKBuilder target in the AWSmacOSSDKv2 project for testing at the moment.

minbi commented 6 years ago

Can you paste the role that you are attempting to use here?

waynemock commented 6 years ago

Here you go: [removed]

minbi commented 6 years ago

Thanks, I am contacting the team to see if the policy is correct for access. I assume you have already been accepted into the preview.

waynemock commented 6 years ago

Thx. I do have preview access. This role does work when I assume it with the AWS CLI or the Transcribe console.

waynemock commented 6 years ago

To clarify, the AWS CLI transcribe commands work with the role.

minbi commented 6 years ago

The AWS Transcribe team is available to help at: aws-transcribe-preview-feedback@amazon.com

behrooziAWS commented 6 years ago

Hi @waynemock, Cognito applies a scope-down policy to unauthenticated roles, which restricts what services you can access. This prevents you from accidentally allowing your unauthenticated users access to spin up EC2 instances, for example. Transcribe isn't currently part of the whitelist, but may be added in the future. If you need a workaround, can you try creating your credentials provider using this constructor: https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/initWithRegionType:unauthRoleArn:authRoleArn:identityProvider: so it uses the basic flow with STS (https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html)? This will bypass the scope-down policy Cognito imposes. You can leave authRoleArn and identityProvider set to nil if you don't use them.

waynemock commented 6 years ago

Thx for the reply. I thought it was something like that. I’ll give your suggestion a try and report back.

waynemock commented 6 years ago

OK! That worked. Thx for the help. I eventually will be using authenticated users, but want something "easy" to get started.
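With the basic (STS) flow used as the workaround above, Cognito's scope-down policy no longer applies, so the unauthenticated role's own IAM policy is the only limit on what anonymous users can call. The following check is an added example, not part of the original thread or the SDK; `audit_unauth_policy` and both sample policies are hypothetical and constructed here, and the allowlist is the three Transcribe actions named in the issue.

```python
# The three Transcribe actions named in the issue above.
ALLOWED = {
    "transcribe:ListTranscriptionJobs",
    "transcribe:StartTranscriptionJob",
    "transcribe:GetTranscriptionJob",
}

def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_unauth_policy(policy, allowed=ALLOWED):
    """Return findings for Allow statements that grant more than `allowed`."""
    allowed_lc = {a.lower() for a in allowed}  # action names are case-insensitive
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action.lower() not in allowed_lc:
                findings.append(f"{sid}: action outside allowlist {action!r}")
    return findings

# Constructed sample policies (the role from the issue was removed from the thread).
TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Transcribe", "Effect": "Allow", "Action": "transcribe:*", "Resource": "*"},
        {"Sid": "Extra", "Effect": "Allow",
         "Action": ["transcribe:GetTranscriptionJob", "ec2:RunInstances"], "Resource": "*"},
        {"Sid": "Block", "Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}
SCOPED = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": sorted(ALLOWED), "Resource": "*"},
}

if __name__ == "__main__":
    for name, doc in (("TOO_BROAD", TOO_BROAD), ("SCOPED", SCOPED)):
        print(name, audit_unauth_policy(doc) or "ok")
```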