c# - Unable to access AWS using a Facebook AssumeRoleWithWebIdentity credentials -
short version
logged in facebook user, use oauth token assume iam role on aws. returns looks valid credentials, e.g. there accesskeyid, secretaccesskey similar length our master keys.
when try use these credentials access dynamodb table, 1 of 2 exceptions:
"the remote server returned error: (400) bad request."
; or"the security token included in request invalid."
.
i'm using aws c# sdk version 1.5.25.0
long version
as said above, i'm trying access dynamodb table on aws using credentials supplied amazonsecuritytokenserviceclient
authorized facebook identity described in this aws guide.
the policy iam role i've created is:
{ "version": "2012-10-17", "statement": [ { "action": [ "dynamodb:batchgetitem", "dynamodb:putitem", "dynamodb:query", "dynamodb:scan", "dynamodb:updateitem" ], "sid": "stmt1372350145000", "resource": [ "*" ], "effect": "allow" } ] }
how credentials:
- the user logs in facebook using oauth.
- using access token, assume iam role using
amazonsecuritytokenserviceclient.assumerolewithwebidentity
request. this returns looks valid credentials, e.g. accesskeyid, secretaccesskey similar length our master keys.
using (var tokenserviceclient = new amazonsecuritytokenserviceclient(regionendpoint.useast1)) { var request = new assumerolewithwebidentityrequest { durationseconds = (int)timespan.fromhours(1).totalseconds, providerid = "graph.facebook.com", rolearn = "arn:aws:iam::193557284355:role/facebook-oauth", rolesessionname = result.id, webidentitytoken = fbclient.accesstoken }; var response = tokenserviceclient.assumerolewithwebidentity(request); awsassumedroleuser = response.assumerolewithwebidentityresult.assumedroleuser; awscredentials = response.assumerolewithwebidentityresult.credentials; }
how use these credentials:
using returned credentials, try access aws dynamodb resource.
using (var client = new amazondynamodbclient(awscredentials.accesskeyid, awscredentials.secretaccesskey, awscredentials.sessiontoken, regionendpoint.useast1)) { var context = new dynamodbcontext(client); var data = context.scan<somedata>(); }
this returns "the remote server returned error: (400) bad request."
when trying scan
table.
this variation in exception message is; if omit awscredentials.sessiontoken
above amazondynamodbclient
using (var client = new amazondynamodbclient(awscredentials.accesskeyid, awscredentials.secretaccesskey, regionendpoint.useast1)) { var context = new dynamodbcontext(client); var data = context.scan<somedata>(); }
this returns "the security token included in request invalid."
when trying scan
table.
question
at point cannot tell wrong, credentials invalid or i'm not passing through needed aws.
can offer insight wrong or how debug further?
i cross-posted question aws forums , received answer amazon engineer.
https://forums.aws.amazon.com/message.jspa?messageid=465057
dynamodbcontext
object invokes describetable
on target table (and caches data, optimal performance want keep context object around long possible, call done once per target table). modify policy follows:
{ "version": "2012-10-17", "statement": [ { "action": [ "dynamodb:batchgetitem", "dynamodb:putitem", "dynamodb:query", "dynamodb:scan", "dynamodb:updateitem", "dynamodb:describetable" ], "sid": "stmt1372350145000", "resource": [ "*" ], "effect": "allow" } ] }
Comments
Post a Comment