search

awslabs / amazon-kinesis-video-streams-webrtc-sdk-ios

iOS SDK for interfacing with the Amazon Kinesis Video Streams Signaling Service.
Apache License 2.0
66 stars 29 forks source link

Acces denied with a Cognito guest user #8

Closed DustinBel closed 4 years ago

DustinBel commented 4 years ago

I try to make this work with a Cognito guest user (I have enabled this in the identity pool and added kinesis to the IAM roles). I use the following code to 'log in'.

let credentialsProvider = AWSCognitoCredentialsProvider(regionType:.USEast1,
           identityPoolId:"my-pool-id")
let configuration = AWSServiceConfiguration(region:.USEast1, credentialsProvider:credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = configuration
AWSKinesisVideo.register(with: configuration!, forKey: awsKinesisVideoKey)

But when I try to run the following function it gives me the accesdeniedexception:

func createChannel(channelName: String) {
        let kvsClient = AWSKinesisVideo.default();
        let createSigalingChannelInput = AWSKinesisVideoCreateSignalingChannelInput.init()
        createSigalingChannelInput?.channelName = channelName
        kvsClient.createSignalingChannel(createSigalingChannelInput!).continueWith(block: { (task) -> Void in
            if let error = task.error {
                print("Error creating channel \(error)")
                return
            } else {
                self.channelARN = task.result?.channelARN
                print("Channel ARN : ", task.result?.channelARN)
            }
        }).waitUntilFinished()
        if (self.channelARN == nil) {
            let alertController = UIAlertController(title: "Unable to create channel",
                                                    message: "Please validate all the input fields",
                                                    preferredStyle: .alert)
            let okAction = UIAlertAction(title: "Ok", style: .default, handler: nil)
            alertController.addAction(okAction)

            self.present(alertController, animated: true, completion: nil)
            return
        }
    }

What is wrong here? Or how can I make it work?

zhiyua-git commented 4 years ago

Hi @DustinnBel ,

Can you provide your IAM policy here and by cognito guest are you talking about in authenticated role in cognito pool? Can you double check if you have linked the policy with that role? Thanks.

DustinBel commented 4 years ago

@zhiyua-git Here is my Cognito Identity pool what allows unauthenticated users (so the unauth role is part of that right?). I gave the unauth role acces to kinesis in the iam overview.

Screenshot 2020-05-04 at 16 19 59 Screenshot 2020-05-04 at 16 20 41

zhiyua-git commented 4 years ago

Hi @DustinnBel ,

I have some test locally and got two findings that might help you:

  1. Make sure "Enable access to unauthenticated identities" is checked under "Unauthenticated identities" in Identity Pool setting.
  2. Try editing the Trust Relationship for your unauth role in IAM to and retry 
    {
"Version": "2012-10-17",
"Statement": [
{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "Federated": "cognito-identity.amazonaws.com"
  },
  "Action": "sts:AssumeRoleWithWebIdentity"
}
]
}

    These settings help me get through the AccessDeniedException.

If these changes didn't help or for more details on Cognito settings, you can check out https://docs.aws.amazon.com/cognito/ or contact Cognito team for it. Thanks.

DustinBel commented 4 years ago

@zhiyua-git Can you provide me some code about how you initialize the Cognito unauthenticated user? Because it doesn't seem to work with your provided settings.

DustinBel commented 4 years ago

@zhiyua-git I have tested some more and did set up a separate project for it. In my viewcontroller I have added the following code (there is noting in the app delegate).

import UIKit
import AWSCognito
import AWSCore
import AWSKinesisVideo

class ViewController: UIViewController {
    var channelARN: String?

    override func viewDidLoad() {
        super.viewDidLoad()
        let credentialsProvider = AWSCognitoCredentialsProvider(regionType:.USEast1,
           identityPoolId:"us-east-1:beabb648-bf10-4c4c-afa9-6880303de861")
        let configuration = AWSServiceConfiguration(region:.USEast1, credentialsProvider:credentialsProvider)
        AWSServiceManager.default().defaultServiceConfiguration = configuration

        retrieveChannelARN(channelName: "bok")
    }

    func retrieveChannelARN(channelName: String) {
        print(channelName)
        if !channelName.isEmpty {

            let describeInput = AWSKinesisVideoDescribeSignalingChannelInput()
            describeInput?.channelName = channelName
            let kvsClient = AWSKinesisVideo.default()
            kvsClient.describeSignalingChannel(describeInput!).continueWith(block: { (task) -> Void in
                if let error = task.error {
                    print(error)
                    print("Error describing channel: \(error)")
                } else {
                    self.channelARN = task.result?.channelInfo?.channelARN
                    print("Channel ARN : ", task.result!.channelInfo!.channelARN ?? "Channel ARN empty.")
                }
            }).waitUntilFinished()
        } else {
            let alertController = UIAlertController(title: "Channel Name is Empty",
                                                    message: "Valid Channel Name is required.",
                                                    preferredStyle: .alert)
            let okAction = UIAlertAction(title: "Ok", style: .default, handler: nil)
            alertController.addAction(okAction)
            present(alertController, animated: true, completion: nil)
            return
        }
    }
}

With this in the Cognito user pool: Screenshot 2020-05-05 at 11 45 49

The unauth IAM role: Screenshot 2020-05-05 at 11 48 26

And the trusted relation: Screenshot 2020-05-05 at 11 49 10

Even after that I get the permission denied:

Error Domain=com.amazonaws.AWSKinesisVideoErrorDomain Code=1 "null" UserInfo={NSLocalizedDescription=null, NSLocalizedFailureReason=AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/}
Error describing channel: Error Domain=com.amazonaws.AWSKinesisVideoErrorDomain Code=1 "null" UserInfo={NSLocalizedDescription=null, NSLocalizedFailureReason=AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/}
zhiyua-git commented 4 years ago

The constructor I tested requires input of identity pool id, unauth role arn, auth role arn and region, can you try setting those and see if it works for you? Thanks.

zhiyua-git commented 4 years ago

Hi @DustinnBel ,

The credentials provider path you were trying is the enhanced path from Cognito which requires extra work on our side to make it through. Before it is ready, you can unblock by using this basic path:

let credentialsProvider = AWSCognitoCredentialsProvider(
            regionType:.USEast1,
            identityPoolId:"us-east-1:xxxxxxxxx",
            unauthRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxxUnauth_Role",
            authRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxAuth_Role",
            identityProviderManager: nil)

Please note you will need to call it after 1 hour of calling enhanced path, or call credentialsProvider.clearCredentials(); to clean up the cache before trying out the basic path. Please note we don't recommend using credentialsProvider.clearCredentials(); in production code.

DustinBel commented 4 years ago

@zhiyua-git It works now, thanks for your hard work to make it clear. From what I understand is that the enhanced method is not ready yet in this version? I will go with the basic path for now, thanks a lot.

zhiyua-git commented 4 years ago

Great to know it works. We have some whitelisting to do before enhanced path works, will get you informed once it is ready. Close the issue for now. Thanks.

pankeshpatel commented 3 years ago

Hi

AWSCognitoCredentialsProvider

Hi, Can you please provide the constructor code of AWSCognitoCredentialsProvider function. It seems that the following AWSCognitoCredentialsProvider() function with two arguments exists only??? see here

let credentialsProvider = AWSCognitoCredentialsProvider(regionType:.USEast1,
           identityPoolId:"my-pool-id")

the following function does not exist??? I would like add this function to unblock by using this basic path:

let credentialsProvider = AWSCognitoCredentialsProvider(
            regionType:.USEast1,
            identityPoolId:"us-east-1:xxxxxxxxx",
            unauthRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxxUnauth_Role",
            authRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxAuth_Role",
            identityProviderManager: nil)
vivekgadgeon commented 11 months ago

Hi @DustinnBel ,

The credentials provider path you were trying is the enhanced path from Cognito which requires extra work on our side to make it through. Before it is ready, you can unblock by using this basic path:

let credentialsProvider = AWSCognitoCredentialsProvider(
            regionType:.USEast1,
            identityPoolId:"us-east-1:xxxxxxxxx",
            unauthRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxxUnauth_Role",
            authRoleArn: "arn:aws:iam::xxxxx:role/Cognito_xxxxxAuth_Role",
            identityProviderManager: nil)

Please note you will need to call it after 1 hour of calling enhanced path, or call credentialsProvider.clearCredentials(); to clean up the cache before trying out the basic path. Please note we don't recommend using credentialsProvider.clearCredentials(); in production code.

@zhiyua-git I have updated the project like above, but I am getting an issue:,

Error creating channel Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=6 "(null)" UserInfo={__type=InvalidParameterException, message=Basic (classic) flow is not enabled, please use enhanced flow.}