I'm trying to use some of the new Amazon Location Service endpoints from the SDK itself (Location) and I have run into some inconsistent errors.

Even with everything allowed in the IAM role (geo:* for every resource), I always get "not authorized" errors for functions like locationClient.listGeofences.

Arbitrarily, some other functions like getMapStyleDescriptor, searchPlaceIndexForText or calculateRoute do not give problems. Those functions use their respective geo:... policies, so it's pretty confusing to me to see how it detects some policies and not others.

The error is pretty common; it shows the following, and the policy is already allowed:

Uncaught (in promise) AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/AmazonLocationTestRole/CognitoIdentityCredentials is not authorized to perform: geo:ListGeofences on resource: arn:aws:geo:eu-west-1:xxxx:*

Note that the access is for unauthenticated users within an identity pool in Cognito, but that shouldn't be the problem.

    const AWS = require("aws-sdk");

    // credentials: the Cognito identity pool credentials for the unauthenticated role
    async function run(credentials, mapName) {
        const client = new AWS.Location({
            credentials: credentials,
            region: AWS.config.region
        });

        // This call fails with AccessDeniedException for geo:ListGeofences
        console.log(await client.listGeofences({
            CollectionName: "explore.geofence-collection"
        }).promise());

        // This call works with the same credentials
        console.log(await client.getMapStyleDescriptor({
            MapName: mapName
        }).promise());
    }

Just in case, the trust relationships in the IAM role look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-west-1:xxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "unauthenticated"
        }
      }
    }
  ]
}

And every policy for every resource in Amazon Location Service is already allowed.

Do you have any idea what could be happening?

Many thanks!

Your solution should be added as an answer below, not edited into the question. - double-beep
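As an added example (not part of the question or of any AWS code), here is a small offline model of how the two condition operators in the trust policy above, StringEquals on the aud claim and ForAnyValue:StringLike on the multi-valued amr claim, evaluate constructed Cognito identity claims; the error message names an assumed-role session, so the trust relationship is evidently satisfied and the deny comes from the permissions evaluation, not from this policy. The claim values and the `canAssumeRole` / `conditionMatches` helpers are assumptions made for the example; real evaluation happens inside STS.

```javascript
// Constructed copy of the trust policy from the question (placeholder ids kept as-is).
const trustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: "cognito-identity.amazonaws.com" },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: {
      StringEquals: { "cognito-identity.amazonaws.com:aud": "eu-west-1:xxxx" },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" }
    }
  }]
};

// Turn an IAM StringLike pattern (* and ? wildcards) into an anchored RegExp.
function likeToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Evaluate one Condition block against claims (key -> string or string[]).
// Models the documented semantics of StringEquals / StringLike and the
// ForAnyValue / ForAllValues set operators; this is a hypothetical helper.
function conditionMatches(condition, claims) {
  const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  return Object.entries(condition).every(([operator, pairs]) =>
    Object.entries(pairs).every(([key, expected]) => {
      const actual = asArray(claims[key]);
      const patterns = asArray(expected);
      const match = (val) => operator.endsWith("StringEquals")
        ? patterns.includes(val)
        : patterns.some((p) => likeToRegExp(p).test(val));
      if (operator.startsWith("ForAllValues:")) return actual.every(match);
      // ForAnyValue:* and single-valued operators: at least one claim value must match
      return actual.some(match);
    }));
}

// True when some Allow statement for AssumeRoleWithWebIdentity has all conditions met.
function canAssumeRole(policy, claims) {
  return policy.Statement.some((s) =>
    s.Effect === "Allow" &&
    s.Action === "sts:AssumeRoleWithWebIdentity" &&
    conditionMatches(s.Condition || {}, claims));
}
```

A guest identity from the pool `eu-west-1:xxxx` (amr = ["unauthenticated"]) passes, while a different pool id or an authenticated identity (amr = ["authenticated", provider]) is refused.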