cognito: Access to Identity is forbidden

I am trying to understand Amazon Cognito and test listing the contents of an S3 folder after logging in through Facebook. The Facebook login works fine. When I tap the test button (cmdTestS3Tapped) it throws the following error.

I included AmazonClientManager.h, AmazonClientManager.m and Constants.h in the project from the samples provided by Amazon. The constants are given below. Can anyone help me solve the problem?

    #define AWSAccountID @"MyAccountID"
    #define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
    #define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
    #define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"

This is the policy for Cognito_iOSTestPoolAuth_DefaultRole:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": [
          "mobileanalytics:PutEvents",
          "cognito-sync:*"
        ],
        "Effect": "Allow",
        "Resource": [
          "*"
        ],
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }]
    }

Here is the trust relationship:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "unauthenticated"
            }
          }
        }
      ]
    }

Here is the code I am using:

    - (IBAction)cmdLoginWithFB:(id)sender {
        [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
        [self disableUI];
        [[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
            dispatch_async(dispatch_get_main_queue(), ^{
                [self refreshUI];
            });
        }];
    }

    - (void)refreshUI {
        [[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
        //self.browseDataButton.enabled = YES;
        self.cmdLoginWithFB.enabled = YES;
        if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
            self.cmdLoginWithFB.titleLabel.text = @"Link";
            NSLog(@"-----------LOGED IN -------------->");
        } else {
            self.cmdLoginWithFB.titleLabel.text = @"Login";
            NSLog(@"-----------NOT LOGED IN -------------->");
        }
        self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
    }

    - (IBAction)cmdTestS3Tapped:(id)sender {
        if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
            NSLog(@"-----------LOGED IN -------------->");
            [self testListBucket];
        } else {
            NSLog(@"-----------NOT LOGED IN -------------->");
        }
    }

    - (void)testListBucket {
        AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
        getObjectRequest.key = @"image1.jpg";
        getObjectRequest.bucket = @"multix-test";
        NSLog(@"============================================>");
        //default service has been configured previously
        //AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
        AWSS3 *s3 = [AWSS3 defaultS3];
        [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
            if (task.error) {
                NSLog(@"Error: %@", task.error);
            } else {
                NSLog(@"Got File");
                NSData *data = [task.result body];
                NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
                NSURL *url = [[NSURL alloc] initWithString:urlString];
                if ([[UIApplication sharedApplication] canOpenURL:url]) {
                    [[UIApplication sharedApplication] openURL:url];
                }
            }
            return nil;
        }];
        NSLog(@"============================================>");
    }

Error:

    2014-11-26 20:58:24.048 FBLoginTest[2647:83767] initializing clients...
    2014-11-26 20:58:24.055 FBLoginTest[2647:83767] -----------LOGED IN -------------->
    2014-11-26 20:58:33.542 FBLoginTest[2647:83767] -----------LOGED IN -------------->
    2014-11-26 20:58:33.542 FBLoginTest[2647:83767] ============================================>
    2014-11-26 20:58:33.551 FBLoginTest[2647:83767] ============================================>
    2014-11-26 20:58:33.554 FBLoginTest[2647:88515] AWSiOSSDKv2 [Verbose] AWSURLRequestSerialization.m line:110 | -[AWSJSONRequestSerializer serializeRequest:headers:parameters:] | Request body: [{"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}]
    2014-11-26 20:58:34.870 FBLoginTest[2647:88605] AWSiOSSDKv2 [Debug] AWSURLResponseSerialization.m line:85 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{ "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Wed, 26 Nov 2014 16:58:34 GMT"; nnCoection = close; "x-amzn-RequestId" = "7558584c-758d-11e4-a92d-11020f90ea0e"; }]
    2014-11-26 20:58:34.871 FBLoginTest[2647:88605] AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:90 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [{"__type":"NotAuthorizedException","message":"Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:212 | __42-[AWSBasicCognitoIdentityProvider refresh]_block_invoke_2 | GetOpenIdToken failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:433 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke293 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
    2014-11-26 20:58:34.873 FBLoginTest[2647:88605] Error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}

I think the trust relationship is wrong. It should be

    "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }

because your users are authenticated with Facebook. The trust relationship you provided is for unauthenticated users.

See Bob's three-part blog series for more details on Cognito, roles and trust relationships:

Parte 1: http://mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication

Parte 2: http://mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident

Parte 3: http://mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies
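To make the difference concrete, here is an added Python model (not from the question or the answers) of how the two condition operators in this trust policy evaluate against the claims Cognito presents for an identity. The claim sets are constructed; the amr values "authenticated" and "unauthenticated" and the Facebook provider name are assumed shapes, not captured tokens.

```python
import re

# Trust policy condition from the question; the amr pattern is the one
# line the answer changes. The pool id is the page's placeholder value.
POOL_ID = "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
AUD = "cognito-identity.amazonaws.com:aud"
AMR = "cognito-identity.amazonaws.com:amr"

def trust_condition(amr_pattern):
    return {"StringEquals": {AUD: POOL_ID},
            "ForAnyValue:StringLike": {AMR: amr_pattern}}

ORIGINAL_CONDITION = trust_condition("unauthenticated")  # as posted
CORRECTED_CONDITION = trust_condition("authenticated")   # per the answer

def string_like(pattern, value):
    """IAM StringLike: only '*' and '?' are wildcards, the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(condition, claims):
    """Evaluate the two operators this trust policy uses against token claims.

    StringEquals: the single-valued claim must equal the expected string.
    ForAnyValue:StringLike: the claim is a list; at least one element must
    match the pattern. A missing claim fails either operator.
    """
    for key, expected in condition.get("StringEquals", {}).items():
        if claims.get(key) != expected:
            return False
    for key, pattern in condition.get("ForAnyValue:StringLike", {}).items():
        if not any(string_like(pattern, v) for v in claims.get(key, [])):
            return False
    return True

# Constructed claim sets (assumed shapes, not from the page): an identity
# that logged in through Facebook versus a guest identity in the same pool.
FACEBOOK_CLAIMS = {AUD: POOL_ID, AMR: ["authenticated", "graph.facebook.com"]}
GUEST_CLAIMS = {AUD: POOL_ID, AMR: ["unauthenticated"]}
# Same amr values from a different identity pool: the aud check must reject it.
FOREIGN_POOL_CLAIMS = {AUD: "us-east-1:00000000-0000-0000-0000-000000000000",
                       AMR: ["authenticated", "graph.facebook.com"]}

def assume_role_allowed(claims):
    """Which of the two trust policies would let these claims assume the role."""
    return {"original": condition_matches(ORIGINAL_CONDITION, claims),
            "corrected": condition_matches(CORRECTED_CONDITION, claims)}
```

Note that the question's Constants.h points CognitoRoleAuth and CognitoRoleUnauth at the same role; with the corrected condition that role can no longer be assumed by guest identities, so an unauthenticated role needs its own trust policy.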

The "Access to Identity is forbidden" error is usually caused by not having included the login provider (FB) token in your credentials provider.

You did not include the code that handles the FB login, but I would make sure you are correctly setting the token on your AWSCognitoCredentialsProvider and setting that provider as the default.

Sebastien's answer is still important to keep in mind, since you may run into an STS error later if you use the wrong role.

Thanks Bob and Sebastien,

The problem was that I forgot to put the following code in viewDidLoad:

    [[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            [self refreshUI];
        });
    }];