Boto3: NotAuthorizedException trying to call cognito.set_identity_pool_roles()

Created on 19 Mar 2015 · 9 Comments · Source: boto/boto3

Not sure this is the right place to ask, but I'm also not sure WHERE to ask this. I'm now getting:

botocore.exceptions.ClientError: An error occurred (NotAuthorizedException) when calling the SetIdentityPoolRoles operation: Access to Role 'SomeRoleName' is forbidden.

I created the role just a few lines previous in the python script using

iam = session.client('iam')
iam.create_role(..)

and now trying to call

cognito = session.client('cognito-identity', region_name='us-east-1')
cognito.set_identity_pool_roles(..)

Am I doing something wrong? Seems the same credentials that created the role should be able to reference it.

Any ideas?

closing-soon question

All 9 comments

@jvilhuber your calling code looks good from the perspective of Boto. Have you read through the Cognito Sync developer guide? Maybe take a look here and make sure your role has the correct policy set up:

http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#iam-roles

@jvilhuber any update on this? Have you gotten it working?

Sorry, haven't had a chance yet. I believe the user I'm using has full
access (during development), but I will double check.

Jan

Sorry for the delay. Just got back to this code today, and it's still not working. The user in question has AdministratorAccess {"Version": "2012-10-17", "Statement": [{"Effect": "Allow","Action": "*","Resource": "*"}]}.

I tried this both with boto3 and the aws cli (which uses the same botocore under the covers, I think). Both fail with the same error. I can send you output from the aws cli --debug, if you like. Or I can paste it here if appropriate.

One thought: I'm passing in the roles via RoleName, instead of an ARN. Perhaps the API wants an ARN?

Yes, that was it. The documentation could be better ;)
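The fix in the thread is to pass role ARNs, not bare RoleNames, to set_identity_pool_roles. The helpers below are an added example (not code from the issue or from boto3) that qualify a bare name into an ARN before the call so the mistake fails fast with a clear message, and that build the trust policy with the aud/amr conditions that scope the role to one identity pool (the policy posted later in the thread has no condition, so any identity pool could assume that role). The account id and pool id are placeholders; the code runs offline and never talks to AWS.

```python
import re

# Fully qualified IAM role ARN, e.g. arn:aws:iam::123456789012:role/SomeRoleName
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def role_arn(role, account_id, partition="aws"):
    """Return the ARN that SetIdentityPoolRoles expects.

    Accepts a full ARN or a bare RoleName (the mistake in this thread: a bare
    name is rejected with NotAuthorizedException). A bare name is qualified
    with the caller's 12-digit account id; anything else raises ValueError.
    """
    if ROLE_ARN_RE.match(role):
        return role
    if not re.fullmatch(r"[\w+=,.@-]{1,64}", role):
        raise ValueError(f"not a role name or role ARN: {role!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    return f"arn:{partition}:iam::{account_id}:role/{role}"


def roles_mapping(account_id, authenticated, unauthenticated=None):
    """Build the Roles argument for set_identity_pool_roles using ARNs only."""
    roles = {"authenticated": role_arn(authenticated, account_id)}
    if unauthenticated is not None:
        roles["unauthenticated"] = role_arn(unauthenticated, account_id)
    return roles


def cognito_trust_policy(identity_pool_id, authenticated=True):
    """Trust policy for a Cognito identity-pool role, scoped to one pool.

    Cognito federated identities assume roles via AssumeRoleWithWebIdentity;
    the aud condition pins the pool id and amr pins the auth state, so a role
    cannot be picked up by some other identity pool.
    """
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }
```

Pass roles_mapping(...) as the Roles argument and json.dumps(cognito_trust_policy(...)) as AssumeRolePolicyDocument to create_role.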

Sigh. That being said, when I go to the AWS console and inspect the new identity pool I just created and set roles in, it still shows as having no roles for auth and unauth set. I can select them from the drop down and save, but for some reason the api doesn't REALLY set them.

Not sure what's going on there. Could you try the following to see if it works?

import boto3
import json
from botocore.exceptions import ClientError
from pprint import pprint


iam = boto3.resource('iam')
cognito = boto3.client('cognito-identity', 'us-east-1')

# Trust policy letting Cognito federated identities assume the role
policy_document = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
         "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": ["sts:AssumeRole"]
    }]
})
role = iam.create_role(RoleName='SomeRoleName',
                       AssumeRolePolicyDocument=policy_document)
pool = cognito.create_identity_pool(IdentityPoolName='SomeIdentityPool',
                                    AllowUnauthenticatedIdentities=True)

try:
    # Pass the role ARN, not the bare RoleName
    cognito.set_identity_pool_roles(IdentityPoolId=pool['IdentityPoolId'],
                                    Roles={'authenticated': role.arn})
except ClientError as e:
    print(e)
finally:
    # Read the mapping back, then clean up the pool and role
    roles = cognito.get_identity_pool_roles(IdentityPoolId=pool['IdentityPoolId'])
    pprint(roles)
    cognito.delete_identity_pool(IdentityPoolId=pool['IdentityPoolId'])
    role.delete()

If not, please set the debug stream by putting the following line after the imports:

boto3.set_stream_logger('botocore')

This issue is being closed due to inactivity
