0
votes

I'm trying to invoke my API Gateway with authenticated users with the REST API. For this I'm using: Cognito UserPool + Cognito Identity Pool + API Gateway + AWS_IAM Authorization + Cognito Credentials. From what I've gathered I need to sign my request with (temporary credentials). Based on this thread I want to sign my request with the following keys:

{
 SecretKey: '', 
 AccesKeyId: '',
 SessionKey: ''
}

If I use an associated user from my IAM console and use the corresponding SecretKey + AccesKeyID everything works fine. However, I want to use the Unauthenticated and Authenticated roles from my Identity Pools to apply IAM policies based on authenticated or unauthenticated users. FYI: I can call the authenticated functions from this part of the documentation.

I'm building a React-Native app, and because of that I want to keep the native SDK to a minimum, so I'm only using the AWSCognitoIdentityProvider part, for the user handling.

I'm trying to receive the correct keys using this Objective-C code:

  [[self.credentialsProvider credentials] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
      NSLog(@"Error: %@", task.error);
    }
    else {
      AWSCredentials *response = task.result;

      NSString *accessKey = response.accessKey;
      NSString *secretKey = response.secretKey;
      NSString *sessionKey = response.sessionKey;
      NSDictionary *responseData = @{
                                     @"AccessKey" : accessKey,
                                     @"SecretKey" : secretKey,
                                     @"SessionKey": sessionKey
                                     };
    }

    return nil;
  }];

The rest I've setup using the relevant docs.

I (wrongly?) tried to sign my requests with the AccessKey, SecretKey, SessionKey retrieved from the CredentialsProvider above.

  {
     SecretKey: credentials.SecretKey, 
     AccesKeyId: credentials.AccessKey,
     SessionKey: credentials.SessionKey
   }

The signing fails with the following error:

{ message: 'The security token included in the request is invalid.' }

So the question I have is: which keys should I use to sign my requests for authenticated users so that I can apply the attached IAM policies from my Cognito Setup?

Thanks for any help :)

1
SessionKey? Not SessionToken? - Michael - sqlbot

1 Answer

0
votes

As Michael - sqlbot points out, it should be SessionToken instead of SessionKey. I found a better instruction on how to get credentials from Cognito.