
Comments (9)

TheHarold avatar TheHarold commented on May 29, 2024 2

@antonostrovsky
I've got it working. Once you've got the ID tokens, you need to get to the identity pool to get the credentials.

Here is what you may need to do next.
You need to extract AccessKeyId, SecretKey, SessionToken from the creds variable. Hope this helps.

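import boto3

# region, account_id, identity_pool_id, identity_provider_name and id_token
# must already be defined; id_token is the IdToken returned by the user pool login.
cognito = boto3.client("cognito-identity", region_name=region)

# Look up the identity pool identity that belongs to this login.
identity = cognito.get_id(
    AccountId=account_id,
    IdentityPoolId=identity_pool_id,
    Logins={identity_provider_name: id_token},
)
# Exchange the ID token for temporary AWS credentials.
creds = cognito.get_credentials_for_identity(
    IdentityId=identity["IdentityId"], Logins={identity_provider_name: id_token}
)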

from warrant.
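
The token exchange from the comment above, as an added example that is not part of the thread or of warrant's code: it derives the Logins key from the ID token's iss claim, calls the identity pool, and returns keys for an explicit boto3.Session, so requests are signed with the Cognito-issued credentials rather than whatever IAM user keys boto3 finds in its default chain. The sample token, pool id, role ARN and function names are constructed for illustration.

```python
import base64
import json

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample ID token (placeholder pool id, role ARN and signature).
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256"}),
    _b64url({
        "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
        "cognito:groups": ["iot-publishers"],
        "cognito:roles": ["arn:aws:iam::111122223333:role/constructed-group-role"],
    }),
    "constructed-signature",
])

def id_token_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is not verified."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def logins_key(claims):
    """The Logins map is keyed by the token issuer without its URL scheme."""
    return claims["iss"].split("://", 1)[1]

def exchange_id_token(cognito_identity, identity_pool_id, id_token):
    """Trade a user pool ID token for temporary credentials as boto3.Session kwargs."""
    logins = {logins_key(id_token_claims(id_token)): id_token}
    identity = cognito_identity.get_id(IdentityPoolId=identity_pool_id, Logins=logins)
    resp = cognito_identity.get_credentials_for_identity(
        IdentityId=identity["IdentityId"], Logins=logins)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretKey"],
            "aws_session_token": c["SessionToken"]}

def session_from_id_token(region, identity_pool_id, id_token):
    """Build a session that signs with the Cognito credentials, not ambient IAM keys."""
    import boto3  # imported lazily so the helpers above run without boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    client = boto3.client("cognito-identity", region_name=region,
                          config=Config(signature_version=UNSIGNED))  # unsigned calls
    return boto3.Session(region_name=region,
                         **exchange_id_token(client, identity_pool_id, id_token))
```

Clients created from the returned session, for example `session.client("s3")`, are limited to the role the identity pool hands out.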

TheHarold avatar TheHarold commented on May 29, 2024 1

Hi @flycast @petergerten @abal09 and others

I've managed to set up a Cognito user pool and identity pools. I'm also able to authenticate and I get back id_token, access_token, refresh_token, Pool_JWK (this contains a couple of RSA keys with Key_id and Key_secret), but I am not able to use any of these to connect to an S3 bucket.

Could you please help or share links on how I could use these tokens to access AWS services?

Thank you all for taking the time to help

from warrant.

flycast avatar flycast commented on May 29, 2024

Follow up on this.
It does not seem to matter what policies I give the role that is assigned to the group in the Cognito User Pool. I detached all policies from the role assigned to the group - that group now has no policies, any user in the group cannot do anything.

What matters is the role the IAM user has that is the credentials of boto3. If I give that user IoT access then the script can publish to IoT. If I remove IoT access from the role attached to the IAM user that provides boto3 credentials then the script cannot do anything.

What is wrong here?
I don't understand what the value of Cognito is if the role attached to the User group is ignored?

Please let me know, I am trying really hard to make Cognito work. I am positive that I am doing something wrong - that it is not Cognito.

from warrant.

petergerten avatar petergerten commented on May 29, 2024

@flycast did you solve this? I also don't understand. I can log in with Cognito, but how do I make use of the tokens for other services like S3 or IoT?

from warrant.

flycast avatar flycast commented on May 29, 2024

Nope. I gave up.

from warrant.

abal09 avatar abal09 commented on May 29, 2024

@petergerten @flycast you guys have a missing piece in Cognito Identity Pool and this has nothing to do with warrant. Identity Pool needs to be attached to the User Pool and this Identity Pool will generate temporary AWS credentials to be used to access various AWS resources.
https://codeburst.io/the-difference-between-aws-cognito-userpools-and-federated-identities-9b47571795d4
This gives a decent general overview.

from warrant.

antonostrovsky avatar antonostrovsky commented on May 29, 2024

Same issue here. I am getting 'IdToken', 'RefreshToken', 'AccessToken', 'TokenType' and it is not obvious at all how to use them for Boto3 authentication.

from warrant.

antonostrovsky avatar antonostrovsky commented on May 29, 2024

@vimalpatnaik Thank you for getting back to me!
Where does the account_id come from?

In my case I am receiving a token from warrant.AWSSRP:
AWSSRP(username, password, user_pool_id, application_client_id)

This mimics AWS Amplify's SigV4 authentication through a login page.
All the application needs to supply is username, password, user_pool_id and application_client_id.

from warrant.

antonostrovsky avatar antonostrovsky commented on May 29, 2024

Sorry, just read in the docs that AccountId is an optional parameter, so it wasn't necessary!

from warrant.
