c# - Unable to access AWS using a Facebook AssumeRoleWithWebIdentity credentials -


short version

logged in facebook user, use oauth token assume iam role on aws. returns looks valid credentials, e.g. there accesskeyid, secretaccesskey similar length our master keys.

when try use these credentials access dynamodb table, 1 of 2 exceptions:

  1. "the remote server returned error: (400) bad request."; or
  2. "the security token included in request invalid.".

i'm using aws c# sdk version 1.5.25.0

long version

as said above, i'm trying access dynamodb table on aws using credentials supplied amazonsecuritytokenserviceclient authorized facebook identity described in this aws guide.

the policy iam role i've created is:

{   "version": "2012-10-17",   "statement": [     {       "action": [         "dynamodb:batchgetitem",         "dynamodb:putitem",         "dynamodb:query",         "dynamodb:scan",         "dynamodb:updateitem"       ],       "sid": "stmt1372350145000",       "resource": [         "*"       ],       "effect": "allow"     }   ] } 

how credentials:

  1. the user logs in facebook using oauth.
  2. using access token, assume iam role using amazonsecuritytokenserviceclient.assumerolewithwebidentity request.
  3. this returns looks valid credentials, e.g. accesskeyid, secretaccesskey similar length our master keys.

    using (var tokenserviceclient = new amazonsecuritytokenserviceclient(regionendpoint.useast1)) {     var request = new assumerolewithwebidentityrequest     {         durationseconds = (int)timespan.fromhours(1).totalseconds,         providerid = "graph.facebook.com",         rolearn = "arn:aws:iam::193557284355:role/facebook-oauth",         rolesessionname = result.id,         webidentitytoken = fbclient.accesstoken     };      var response = tokenserviceclient.assumerolewithwebidentity(request);      awsassumedroleuser = response.assumerolewithwebidentityresult.assumedroleuser;     awscredentials = response.assumerolewithwebidentityresult.credentials; } 

how use these credentials:

using returned credentials, try access aws dynamodb resource.

using (var client = new amazondynamodbclient(awscredentials.accesskeyid, awscredentials.secretaccesskey, awscredentials.sessiontoken, regionendpoint.useast1)) {     var context = new dynamodbcontext(client);     var data = context.scan<somedata>();     } 

this returns "the remote server returned error: (400) bad request." when trying scan table.

this variation in exception message is; if omit awscredentials.sessiontoken above amazondynamodbclient

using (var client = new amazondynamodbclient(awscredentials.accesskeyid, awscredentials.secretaccesskey, regionendpoint.useast1)) {     var context = new dynamodbcontext(client);     var data = context.scan<somedata>(); } 

this returns "the security token included in request invalid." when trying scan table.

question

at point cannot tell wrong, credentials invalid or i'm not passing through needed aws.

can offer insight wrong or how debug further?

i cross-posted question aws forums , received answer amazon engineer.

https://forums.aws.amazon.com/message.jspa?messageid=465057


dynamodbcontext object invokes describetable on target table (and caches data, optimal performance want keep context object around long possible, call done once per target table). modify policy follows:

{   "version": "2012-10-17",   "statement": [     {       "action": [         "dynamodb:batchgetitem",         "dynamodb:putitem",         "dynamodb:query",         "dynamodb:scan",         "dynamodb:updateitem",         "dynamodb:describetable"               ],       "sid": "stmt1372350145000",       "resource": [         "*"       ],       "effect": "allow"     }   ] } 

Comments

Popular posts from this blog

java - nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet Hibernate+SpringMVC -

sql - Postgresql tables exists, but getting "relation does not exist" when querying -

asp.net mvc - breakpoint on javascript in CSHTML? -