How to use AssumeRoleWithWebIdentity after calling GetOpenIdTokenForDeveloperIdentity #4750
Hello everyone, I'm trying the Go SDK and I would like to get a thing shadow. I am following the basic authentication flow. I created an identity pool associated with a role with
However, I'm facing the following error when I am calling it. Here is the script that I use to call it:
package cognito
import (
"context"
"fmt"
"os"
"testing"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
"github.com/aws/aws-sdk-go-v2/service/iotdataplane"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/aws-sdk-go-v2/service/sts/types"
"github.com/stretchr/testify/assert"
)
// CredentialsProvider hands back one fixed set of aws.Credentials on every
// Retrieve call. Nothing here refreshes, rotates or expires them, so it is a
// fit for a long-lived key pair (as used for the Cognito call in
// TestAwsGetThingShadow), not for session credentials.
type CredentialsProvider struct {
	// Creds is returned unchanged by Retrieve.
	Creds aws.Credentials
}
// Retrieve satisfies the credentials-provider shape expected by
// aws.Config.Credentials and simply returns the stored credentials.
// It never fails and does not consult ctx. Because the value is returned
// as-is, the SDK only refreshes it if the caller set CanExpire/Expires.
func (c CredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
	fixed := c.Creds
	return fixed, nil
}
// CredentialsProviderV2 exchanges a Cognito developer-identity OpenID token for
// temporary STS role credentials on each Retrieve call.
type CredentialsProviderV2 struct {
	// dev is the GetOpenIdTokenForDeveloperIdentity response whose Token field
	// is presented to STS as the web identity token. Retrieve reads that field,
	// so dev must be non-nil.
	dev *cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput
}
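// Retrieve exchanges the Cognito developer-identity OpenID token held in c.dev
// for temporary role credentials via STS AssumeRoleWithWebIdentity.
//
// The target role ARN and the STS region are read from the Role and Region
// environment variables on every call. The PolicyArns entry is a session
// policy: it can only narrow the permissions granted by the role's own policy,
// never extend them.
//
// Retrieve returns an error and zero aws.Credentials when the token or the
// environment is missing, when STS rejects the call, or when the STS response
// lacks a credential field; it never dereferences a nil response.
func (c CredentialsProviderV2) Retrieve(ctx context.Context) (aws.Credentials, error) {
	if c.dev == nil || c.dev.Token == nil {
		return aws.Credentials{}, fmt.Errorf("cognito developer identity token is not set")
	}
	region, ok := os.LookupEnv("Region")
	if !ok || region == "" {
		return aws.Credentials{}, fmt.Errorf("environment variable Region is not set")
	}
	role, ok := os.LookupEnv("Role")
	if !ok || role == "" {
		return aws.Credentials{}, fmt.Errorf("environment variable Role is not set")
	}

	stsClient := sts.New(sts.Options{Region: region})

	roleSessionName := "gorest"
	var duration int32 = 3900
	stsInput := sts.AssumeRoleWithWebIdentityInput{
		RoleArn:          &role,
		RoleSessionName:  &roleSessionName,
		DurationSeconds:  &duration,
		WebIdentityToken: c.dev.Token,
		// Session policy: the effective permissions are the intersection of this
		// managed policy and the role's policy.
		PolicyArns: []types.PolicyDescriptorType{
			{Arn: aws.String("arn:aws:iam::aws:policy/AWSIoTFullAccess")},
		},
	}
	stsOutput, err := stsClient.AssumeRoleWithWebIdentity(ctx, &stsInput)
	if err != nil {
		// Checked before any field access: on failure stsOutput is nil.
		return aws.Credentials{}, fmt.Errorf("assuming role %q with web identity: %w", role, err)
	}
	sc := stsOutput.Credentials
	if sc == nil || sc.AccessKeyId == nil || sc.SecretAccessKey == nil || sc.SessionToken == nil || sc.Expiration == nil {
		return aws.Credentials{}, fmt.Errorf("sts response for role %q is missing credential fields", role)
	}
	return aws.Credentials{
		AccessKeyID:     *sc.AccessKeyId,
		SecretAccessKey: *sc.SecretAccessKey,
		SessionToken:    *sc.SessionToken,
		// Marking the credentials expirable lets the SDK call Retrieve again
		// when the STS session ends instead of reusing stale keys.
		CanExpire: true,
		Expires:   *sc.Expiration,
	}, nil
}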
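// TestAwsGetThingShadow walks the developer-authenticated Cognito flow end to
// end: the developer (backend) key pair calls GetOpenIdTokenForDeveloperIdentity,
// the returned token is exchanged for role credentials by CredentialsProviderV2,
// and those credentials read the shadow of the thing named by ThingName.
//
// Configuration comes from the Region, AccessKeyID, SecretAccessKey,
// DeveloperProvider, IdentityPoolId and ThingName environment variables; the
// test fails fast naming any that is unset rather than sending a request with
// empty fields. This is an integration test and needs network access to AWS.
func TestAwsGetThingShadow(t *testing.T) {
	ctx := context.Background()

	// mustEnv fails the test with the variable's name instead of letting an
	// empty string travel into an AWS request.
	mustEnv := func(name string) string {
		v, ok := os.LookupEnv(name)
		if !ok || v == "" {
			t.Fatalf("environment variable %s must be set for this test", name)
		}
		return v
	}
	region := mustEnv("Region")
	accessKeyID := mustEnv("AccessKeyID")
	secretAccessKey := mustEnv("SecretAccessKey")
	developerProvider := mustEnv("DeveloperProvider")
	identityPoolID := mustEnv("IdentityPoolId")
	thingName := mustEnv("ThingName")

	// The long-lived developer key pair is used only for the Cognito call
	// below; everything after it runs on the short-lived STS credentials.
	conf := aws.Config{
		Region: region,
		Credentials: CredentialsProvider{Creds: aws.Credentials{
			AccessKeyID:     accessKeyID,
			SecretAccessKey: secretAccessKey,
		}},
	}
	cognitoIdentityClient := cognitoidentity.NewFromConfig(conf)

	logins := map[string]string{developerProvider: "user"}
	input := cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{
		IdentityPoolId: &identityPoolID,
		Logins:         logins,
	}
	developerIdentityOutput, err := cognitoIdentityClient.GetOpenIdTokenForDeveloperIdentity(ctx, &input)
	if err != nil {
		// Without this check a failure here leaves developerIdentityOutput nil
		// and the provider below would dereference it.
		t.Fatalf("GetOpenIdTokenForDeveloperIdentity: %v", err)
	}

	// The IoT Data Plane client signs with the STS credentials obtained from
	// the developer identity token.
	conf2 := aws.Config{Region: region, Credentials: CredentialsProviderV2{dev: developerIdentityOutput}}
	iotClient := iotdataplane.NewFromConfig(conf2)
	_, err = iotClient.GetThingShadow(ctx, &iotdataplane.GetThingShadowInput{
		ThingName: &thingName,
	})
	assert.Nil(t, err, fmt.Sprintf("GetThingShadow %q", thingName))
} If someone can help me that would be great! Thank! |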
Ok, I found you need to use AttachPolicy from IoT to attach your IoT policy to your new user.
Hello! Reopening this discussion to make it searchable.