capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

Struggling with boto3, Cognito and Warrant #81

Open flycast opened 6 years ago

flycast commented 6 years ago

Not really an issue but not sure where to post this question. I am trying to put all the pieces together.

Warrant requires boto3. Boto3 needs to have an IAM user credentials. From the boto3 docs:

Next, set up credentials (in e.g. ~/.aws/credentials):

    [default]
    aws_access_key_id = YOUR_KEY
    aws_secret_access_key = YOUR_SECRET

In the case of linux (raspbian) one installs boto3 and then places the above keys in a file on the raspbian system.

From testing it looks like the IAM user needs access to the services that my user from the user pool needs. Is this correct?

Then a user pool is set up with their own user and temp password. The user then changes their password.

It seems like the user now actually uses two separate credentials: 1) The IAM user credentials (transparent to the user) 2) The Cognito user pool credentials.

Is my understanding correct?

flycast commented 6 years ago

Follow up on this. It does not seem to matter what policies I give the role that is assigned to the group in the Cognito User Pool. I detached all policies from the role assigned to the group - that group now has no policies, any user in the group cannot do anything.

What matters is the role the IAM user has that is the credentials of boto3. If I give that user IoT access then the script can publish to IoT. If I remove IoT access from the role attached to the IAM user that provides boto3 credentials then the script cannot do anything.

What is wrong here? I don't understand what the value of Cognito is if the role attached to the User group is ignored?

Please let me know, I am trying really hard to make Cognito work. I am positive that I am doing something wrong - that it is not Cognito.

petergerten commented 6 years ago

@flycast did you solve this? I also don't understand. I can login with cognito - but how to make use of the tokens for other services like S3, IoT?

flycast commented 6 years ago

Nope. I gave up.

abal09 commented 5 years ago

@petergerten @flycast you guys have a missing piece in Cognito Identity Pool and this has nothing to do with warrant. Identity Pool needs to be attached to the User Pool and this Identity Pool will generate temporary AWS credentials to be used to access various AWS resources. https://codeburst.io/the-difference-between-aws-cognito-userpools-and-federated-identities-9b47571795d4 This gives a decent general overview.

TheHarold commented 4 years ago

Hi @flycast @petergerten @abal09 and others

I've managed to set up Cognito user pool and identity pools. I'm also able to authenticate and I get back id_token, access_token, refresh_token, Pool_JWK (this contains a couple of RSA keys with Key_id and Key_secret) but I am not able to use any of these to connect to S3 bucket.

Could you please help or share links on how I could use these tokens to access AWS services?

Thank you all for taking the time to help

antonostrovsky commented 4 years ago

Same issue here. I am getting 'IdToken', 'RefreshToken', 'AccessToken', 'TokenType' and it is not obvious at all how to use them for Boto3 authentication.

TheHarold commented 4 years ago

@antonostrovsky I've got it working. Once you got the id tokens you need to get to the identity pool to get the credentials

Here is what you may need to do next. you need to extract AccessKeyId, SecretKey, SessionToken from the creds variable. Hope this helps

    import boto3

    cognito = boto3.client("cognito-identity", region)

    # Logins maps the user pool provider name to the ID token returned by the user pool login
    id = cognito.get_id(
        AccountId=account_id,
        IdentityPoolId=identity_pool_id,
        Logins={identity_provider_name: id_token},
    )
    # creds["Credentials"] carries AccessKeyId, SecretKey and SessionToken
    creds = cognito.get_credentials_for_identity(
        IdentityId=id["IdentityId"],
        Logins={identity_provider_name: id_token},
    )

antonostrovsky commented 4 years ago

@vimalpatnaik Thank you for getting back to me! Where does the account_id come from?

In my case I am receiving a token from warrant.AWSSRP: AWSSRP(username, password, user_pool_id, application_client_id)

This mimics AWS Amplify's SigV4 authentication through a login page. All the application needs to supply is username, password, user_pool_id and application_client_id.

antonostrovsky commented 4 years ago

Sorry, just read in the docs that AccountId is an optional parameter, so it wasn't necessary!
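
The pieces described in this thread (abal09's point that the identity pool is what mints AWS credentials, TheHarold's get_id / get_credentials_for_identity calls, and the warrant AWSSRP login antonostrovsky uses) chained together, as an added example that is not part of the original thread or of warrant's own code. The region, user pool ID, identity pool ID, client ID and token values are placeholders, and FakeCognitoIdentity is a constructed stand-in for the real "cognito-identity" client (mirroring the documented response shapes) so the exchange step can run offline. The security point it illustrates is the one flycast was missing: nothing here reads ~/.aws/credentials, so the device never holds long-lived IAM user keys; the only AWS credentials it ever has are the short-lived ones scoped by the identity pool's authenticated role.

```python
"""
Added example (not warrant's own code): user pool SRP login -> identity pool ->
short-lived credentials -> boto3 session, with no long-lived IAM keys on the box.
"""
from datetime import datetime, timedelta, timezone


def user_pool_login_key(region, user_pool_id):
    """Key used in the identity pool's Logins map for a Cognito user pool provider."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def id_token_from_srp(username, password, user_pool_id, client_id, region):
    """Step 1: SRP login against the user pool via warrant; returns the ID token.

    Needs network access plus the warrant and boto3 packages, hence local imports.
    InitiateAuth is an unsigned call, so boto3 needs no IAM credentials for it.
    """
    import boto3
    from warrant.aws_srp import AWSSRP

    idp = boto3.client("cognito-idp", region_name=region)
    srp = AWSSRP(username=username, password=password, pool_id=user_pool_id,
                 client_id=client_id, client=idp)
    tokens = srp.authenticate_user()
    return tokens["AuthenticationResult"]["IdToken"]


def temporary_credentials(identity_client, identity_pool_id, login_key, id_token):
    """Step 2: trade the ID token for the identity pool's temporary credentials.

    Returns a dict shaped for boto3.Session(**...) plus the expiry time.
    """
    logins = {login_key: id_token}
    identity = identity_client.get_id(IdentityPoolId=identity_pool_id, Logins=logins)
    resp = identity_client.get_credentials_for_identity(
        IdentityId=identity["IdentityId"], Logins=logins)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretKey"],  # "SecretKey", not "SecretAccessKey", here
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def credentials_expired(creds, now=None, skew=timedelta(minutes=1)):
    """True when the temporary credentials are expired (or within `skew` of it)
    and the exchange must be repeated with a fresh ID token."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - skew <= now


def session_from_credentials(creds, region):
    """Step 3: a boto3 session that signs only with the temporary credentials."""
    import boto3

    return boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
        region_name=region,
    )


class FakeCognitoIdentity:
    """Constructed stand-in for boto3.client("cognito-identity") so the exchange
    runs offline; the response shapes match GetId and GetCredentialsForIdentity."""

    def __init__(self, expiration=None):
        self.expiration = expiration or datetime.now(timezone.utc) + timedelta(hours=1)

    def get_id(self, IdentityPoolId, Logins, AccountId=None):  # AccountId is optional
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":00000000-fake-identity"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        return {
            "IdentityId": IdentityId,
            "Credentials": {
                "AccessKeyId": "ASIAFAKEACCESSKEYID",
                "SecretKey": "fakeSecretKey",
                "SessionToken": "fakeSessionToken",
                "Expiration": self.expiration,
            },
        }


if __name__ == "__main__":
    region = "us-east-1"
    login_key = user_pool_login_key(region, "us-east-1_EXAMPLE")
    # Real run: id_token = id_token_from_srp("alice", "pw", "us-east-1_EXAMPLE", "clientid", region)
    id_token = "eyJ.example-id-token"  # placeholder
    fake = FakeCognitoIdentity()
    creds = temporary_credentials(
        fake, "us-east-1:00000000-0000-0000-0000-000000000000", login_key, id_token)
    print("expired:", credentials_expired(creds))
    # Real run: session_from_credentials(creds, region).client("s3").list_buckets()
```

What a real S3 or IoT call can do with the resulting session is decided by the policy on the identity pool's authenticated role (or the role mapped from the user's group), which is why editing the IAM user's policy appeared to matter in the thread's original setup: that script was signing with the IAM user, never with Cognito. If an older botocore still insists on finding credentials for the unsigned Cognito calls, passing `botocore.config.Config(signature_version=botocore.UNSIGNED)` to those two clients is the usual workaround.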