Aws-sdk-net: S3 access using Cognito User giving exception "Object reference not set to an instance of an object"

Created on 27 Jul 2018 · 18Comments · Source: aws/aws-sdk-net

Hi,
I created a CognitoUser based on the username and password provided by the user and it was authenticated successfully with all the session tokens retrieved with user object. However, when I tried to access the S3 bucket for this user(this user is assigned to a Group which has a IAM role providing access to the S3 bucket), I got the error "Object reference not set to an instance of an object". I am using the AWSSDK for .NET to develop the application.
First, I want to report this issue as a bug as the library shall not give this generic error and shall provide more information for us developers to Debug. Second, when I checked the StackTrace then I found that it is trying to get the client from US East region though my Identity, User pools and the S3 bucket all are in ap-southeast-2 region. Need help to know why it is doing so and what can be done to resolve this issue.

I have provided the necessary information in the attached file.
Cognito-S3-Error.txt

B bug confusing-error modulcredentials moduls3

Source

sachinpachori

All 18 comments

Hi @sachinpachori, if you have not resolved this issue yet, please check your _cognitoHelper.GetCognitoAWSCredentials(User) code. It likely has a bug in it. The only way you should be seeing the exception that you are getting is if either the AccessKey or SecretKey properties of the credentials you return from this method is null. If you need more help with this issue, please post your code for this method. Either way, we would appreciate an update so we can close this issue out of our backlog.

The USEast1 region is used as a convenience for the ListBuckets method, which lists all buckets the user owns regardless of region.

We will consider adding some defensive checks against nulls to return more helpful error messages.

klaytaybai on 3 Oct 2018

I second this question, I have the same problem just trying to follow the AWS .NET SDK tutorial. I'm using the code show in the Cognito Authentication Extension tutorial here:
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/cognito-authentication-extension.html

@klaytaybai I'm confused by your response because the CognitoAWSCredentials object returned by user.GetCognitoAWSCredentials(identityPoolID) does not have AccessKey or SecretKey properties and should not per its documentation here:
https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/CognitoIdentity/TCognitoAWSCredentials.html

The credentials object is returned just fine, and I can log the properties from it, and creating an S3 client using those credentials does not throw, but trying to use client.ListBucketsAsync() does throw the above mentioned error.

McCulloughRT on 13 Nov 2018

👍1

Facing the same issue. Can be reproduced by the Xamarin S3 Android Sample (https://github.com/awslabs/aws-sdk-net-samples/tree/master/XamarinSamples/S3)

ghost on 21 Nov 2018

Solved it by correcting the Trust relationships of the roles. But, yes, better debug message would've been helpful

ghost on 22 Nov 2018

@shanCESIT how did you solve it by correcting the Trust relationship and how is it related to this issue? are you commenting about my scenario or about your comment 2 days ago.

sachinpachori on 23 Nov 2018

@shanCESIT could you please explain your solution in more details?

MrClockOff on 13 Dec 2018

I also ran into this error but following these steps closely resolved - https://medium.com/@haydnjmorris/uploading-photos-to-aws-s3-getting-started-with-cognito-and-iam-c96ba5b5496d

ansario on 2 Jan 2019

I have opened this issue last year and still got this when I set up the bucket in the UAT environment with same trust relationships. Don't know hot to resolve it and even after 1 year the SDK threw the same error message, no much information.

sachinpachori on 23 Mar 2019

Also getting the same error with latest AWS SDK on Xamarin Android and Xamarin iOS.

comfr3ak on 1 May 2019

Hello!!! anyone has solution for this? What is happening with this issue?

sachinpachori on 18 May 2019

I remember now what was the issue and was the solution:
I created a new User pool however I didn't update the identity pool with the new user pool id and App Clientid (one of them was missing to be updated and pointing to the old value). Fixing these two values solved the issue. However, the error message is misleading and shall have more meaning except saying "Object reference not set to an instance to an object". Hopefully, what worked for me can help others. Happy coding mates.

sachinpachori on 18 May 2019

I was able to solve it by making sure I completed authentication in the
Cognito user pool before trying to get the user object from the Cognito
identity provider. I can post a pseudo code sample on Monday. Basically if
you don't get the initial Cognito authentication correct, you’ll end up
with these ambiguous errors because the user doesn’t get proper credentials
and can’t obtain an authenticated identity. If your resources are only set
to allow authenticated users you’ll get errors if the authentication didn’t
happen or the order or things was done incorrectly.

On Sat, May 18, 2019 at 4:35 AM SP notifications@github.com wrote:

I remember now what was the issue and was the solution:
I created a new User pool however I didn't update the identity pool with
the new user pool id and appclientid(one of them was missing to be updated
and pointing to the old value). Fixing these two values solved the issue.
However, the error messages is misleading and shall have more meaning
except saying "Object reference not set to an instance to an object".
Hopefully, what worked for me can help others. Happy coding mates.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/aws/aws-sdk-net/issues/1016?email_source=notifications&email_token=AJUPDI6PB2GJCMUNWXVCLB3PV65AFA5CNFSM4FMLVKYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWKIYQ#issuecomment-493659234,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AJUPDI6KZZLAMKQXTGJZAIDPV65AFANCNFSM4FMLVKYA
.

comfr3ak on 18 May 2019

The exception itself is due to a bug (obviously a variable becomes null and that case is not handled). Hopefully someone will improve the AWSSDK but until then it is more important why it happens: because the authentication fails (due to probably misconfigured role). My suggestion is temporary replacing the async call with the one without async to see the real exception describing the authentication failure. Then adjust the role permission (this is a good article about it: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/) including the role trust and try again until it works. Then you can use the original async call again.

gnaray on 24 May 2019

I have managed to resolve this error by updating trust relationship in AWS console.

Login to your AWS console
Go To IAM
On left tab, click 'Roles'
Now click on 'Trust Relationships' tab
Click on 'Edit Trust Relationship'

Basically your identity pool which is assigned to your cognito user pool should have access to S3.

eg. policy json:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity"
}
]
}

ghost on 17 Oct 2019

I've found the following reason you can get this error:

Incorrect Identity Pool ID
Incorrect Bucket name
Incorrect Role assigned to the Identity Pool

This needs better error handling - right now we have to catch NullReferenceException for the above

philipogorman on 9 Jan 2020

Hi @sachinpachori,

Good morning.

I was going through the issue backlog and came across this one. As @ghost gave guidance on setting up the trust relationship and it appears to work. Please let me know if this is still an issue or if this could be closed.

Thanks,
Ashish