Question:
I am trying to send an authenticated request to AWS API Gateway. The clients will authenticate against Cognito Your User Pools, and then obtain a token from an associated Cognito Identity Pool corresponding to the logged-in user in the user pool. I am trying to simulate such a request using Postman.
This post suggests that the command `aws cognito-identity get-credentials-for-identity` can be used to get the AccessKeyId and SecretKey needed for Postman to sign the request. However, when I try to run it with the sub attribute for a user from the Cognito User Pool console:
    $ aws cognito-identity get-credentials-for-identity --identity-id aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

    An error occurred (ValidationException) when calling the GetCredentialsForIdentity operation: 1 validation error detected: Value 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' at 'identityId' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w-]+:[0-9a-f-]+

    $ aws cognito-identity get-credentials-for-identity --identity-id us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

    An error occurred (ResourceNotFoundException) when calling the GetCredentialsForIdentity operation: Identity 'us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' not found.
The same thing happens if I try to use an identity ID from the associated identity pool shown in the AWS Console (I selected one that has 2 “linked logins”).
Answer:
You need to pass along the login map:

    --logins (map)
        A set of optional name-value pairs that map provider names to provider tokens.

    Shorthand Syntax:

        KeyName1=string,KeyName2=string

    JSON Syntax:

        {"string": "string"
          ...}
This syntax worked for me:
    aws cognito-identity get-credentials-for-identity \
        --identity-id us-east-1:aaaa-bbb-ccc-bc54-rrrrrrr \
        --logins graph.facebook.com=kdajbdjkabkjbkjbkdbsckslcjxb
Note: `--identity-id` is not the identity pool id, it's the identity from the identity browser.
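The full flow the question describes, as an added example that is not part of the original post: build the `--logins` map for a Cognito User Pool login, exchange it for temporary identity-pool credentials, then SigV4-sign the API Gateway request the way Postman's "AWS Signature" auth would. It assumes the user-pool provider key is `cognito-idp.<region>.amazonaws.com/<user pool id>` with the user's ID token as the value, uses boto3 for the two Cognito Identity calls, and every pool id, token and URL is a placeholder.

```python
# Added example (not from the original post). Pool ids, tokens and URLs are placeholders.
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone


def build_logins(region, user_pool_id, id_token):
    """--logins map for a User Pool login: provider key = issuer host + pool id,
    value = the user's ID token (assumption: not the access token)."""
    return {f"cognito-idp.{region}.amazonaws.com/{user_pool_id}": id_token}


def get_temporary_credentials(region, identity_pool_id, logins):
    """Same as `aws cognito-identity get-id` + `get-credentials-for-identity`.
    Needs network and boto3, so the import lives here to keep the module offline-safe."""
    import boto3
    ci = boto3.client("cognito-identity", region_name=region)
    identity_id = ci.get_id(IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    return ci.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)["Credentials"]


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, url, region, creds, body=b"", amz_date=None):
    """Headers for an API Gateway call (service execute-api) signed with the
    temporary credentials; x-amz-security-token is mandatory for temporary keys."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    u = urllib.parse.urlsplit(url)
    headers = {"host": u.netloc, "x-amz-date": amz_date,
               "x-amz-security-token": creds["SessionToken"]}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([method, u.path or "/", u.query,
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(body).hexdigest()])
    scope = f"{date}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key from SecretKey (the Cognito Identity field name), then sign.
    k = ("AWS4" + creds["SecretKey"]).encode()
    for part in (date, region, "execute-api", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

To reproduce the request in Postman, paste AccessKeyId, SecretKey and SessionToken from the returned Credentials into its AWS Signature auth with service name execute-api, or send the headers this function returns directly.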