Create cognito credentials provider #324
When developing iOS or macOS apps without using Amplify, there are use cases where the app needs anonymous AWS credentials to call AWS APIs. Examples might be sending events to Pinpoint, sending logs to CloudWatch, fetching configuration from AppConfig, or interacting with DynamoDB or Lambda. In the scenario where the app user is not authenticated, the simplest secure way to obtain AWS credentials is to use

Getting this right involves ~30-40 lines of undifferentiated heavy lifting code. It would be great to have these factored out as an

Why do we need SDK support? Because of the sandbox, macOS and iOS apps do not have access to the ~/.aws directory where the SDK tries to fetch default credentials.

What are other SDKs proposing? I did not check all SDKs, but the ones I am using regularly have manually crafted, higher-level credentials providers:
Proof of Concept. Here is a DynamoDB example. One time setup on the AWS side:
Swift function to create an identity ID if it does not exist and then obtain credentials for that identity ID. This function is equivalent to this command line:
```swift
import Foundation
import AWSClientRuntime
import AWSCognitoIdentity

/// Creates a Cognito identity ID if one is not cached yet, then exchanges it for
/// temporary AWS credentials and wraps them in a static credentials provider.
func getTempCredentials() async throws -> AWSClientRuntime.AWSCredentialsProvider {
    struct InvalidCredentialsError: Error {}
    print("get AWS credentials")

    let cognitoClient = try CognitoIdentityClient(region: "eu-central-1")

    // Get a Cognito identity ID. There is only one per user, so we cache it in user preferences.
    var identityId = UserDefaults.standard.string(forKey: "identity-id")
    if identityId == nil {
        let cognitoGetIdRequest = GetIdInput(identityPoolId: "eu-central-1:dc01c701-95c1-4c5a-915f-52bc5a3cdef5")
        let cognitoGetIdResponse = try await cognitoClient.getId(input: cognitoGetIdRequest)
        identityId = cognitoGetIdResponse.identityId
        UserDefaults.standard.setValue(identityId, forKey: "identity-id")
    }

    // Get temporary AWS credentials for that identity (the pool's unauthenticated role).
    let cognitoRequest = GetCredentialsForIdentityInput(identityId: identityId)
    let cognitoResponse = try await cognitoClient.getCredentialsForIdentity(input: cognitoRequest)
    guard let credentials = cognitoResponse.credentials,
          let accessKeyId = credentials.accessKeyId,
          let secretKey = credentials.secretKey,
          let sessionToken = credentials.sessionToken else {
        print("no credentials returned")
        throw InvalidCredentialsError()
    }

    let tempCredentials = AWSCredentialsProviderStaticConfig(accessKey: accessKeyId,
                                                             secret: secretKey,
                                                             sessionToken: sessionToken)
    return try AWSClientRuntime.AWSCredentialsProvider.fromStatic(tempCredentials)
}
```

The code can use this credentials provider to configure clients:

```swift
import AWSDynamoDB

let credentialsProvider = try await getTempCredentials()
print("add item")
let dynamoDBConfig = try DynamoDBClient.DynamoDBClientConfiguration(credentialsProvider: credentialsProvider,
                                                                    region: "eu-central-1")
let dynamoDBClient = DynamoDBClient(config: dynamoDBConfig)
```
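As an added example (not code from this issue or from aws-sdk-swift), the following sketches what a factored-out provider could look like. It keeps the identity ID in UserDefaults as the proof of concept does, but holds the short-lived credentials only in memory and refreshes them before they expire, instead of calling Cognito on every request. The `CognitoIdentityAPI` protocol, `TemporaryCredentials` type and `CognitoCredentialsProvider` actor are hypothetical names introduced here; the adapter assumes the module name `AWSCognitoIdentity` and that the `GetCredentialsForIdentity` response carries an `expiration` date, as the service API does.

```swift
import Foundation
import AWSCognitoIdentity // assumed module name for the Cognito Identity client

// One credential set. Held only in memory: the secret key and session token are
// short-lived and should not be persisted to UserDefaults.
struct TemporaryCredentials {
    let accessKeyId: String
    let secretKey: String
    let sessionToken: String
    let expiration: Date
}

enum CognitoCredentialsError: Error { case emptyResponse }

// Hypothetical abstraction over the two Cognito Identity calls, so the caching and
// refresh logic can be exercised against a fake in tests without network access.
protocol CognitoIdentityAPI {
    func getId(identityPoolId: String) async throws -> String
    func getCredentials(identityId: String) async throws -> TemporaryCredentials
}

// Adapter over the real client; uses the same calls as the proof of concept in the issue.
struct SDKCognitoIdentityAPI: CognitoIdentityAPI {
    let client: CognitoIdentityClient

    func getId(identityPoolId: String) async throws -> String {
        let response = try await client.getId(input: GetIdInput(identityPoolId: identityPoolId))
        guard let id = response.identityId else { throw CognitoCredentialsError.emptyResponse }
        return id
    }

    func getCredentials(identityId: String) async throws -> TemporaryCredentials {
        let input = GetCredentialsForIdentityInput(identityId: identityId)
        let response = try await client.getCredentialsForIdentity(input: input)
        guard let c = response.credentials,
              let key = c.accessKeyId, let secret = c.secretKey,
              let token = c.sessionToken, let exp = c.expiration else { // `expiration`: assumed field
            throw CognitoCredentialsError.emptyResponse
        }
        return TemporaryCredentials(accessKeyId: key, secretKey: secret,
                                    sessionToken: token, expiration: exp)
    }
}

// An actor so concurrent callers share one cached credential set and refresh serially.
actor CognitoCredentialsProvider {
    private let api: CognitoIdentityAPI
    private let identityPoolId: String
    private let defaults: UserDefaults
    private let identityKey = "identity-id"
    private let refreshMargin: TimeInterval
    private var cached: TemporaryCredentials?

    init(api: CognitoIdentityAPI, identityPoolId: String,
         defaults: UserDefaults = .standard, refreshMargin: TimeInterval = 5 * 60) {
        self.api = api
        self.identityPoolId = identityPoolId
        self.defaults = defaults
        self.refreshMargin = refreshMargin
    }

    // True while the credentials remain usable with `margin` seconds of headroom,
    // so a request signed just before expiry does not fail mid-flight.
    static func isFresh(_ c: TemporaryCredentials, at now: Date, margin: TimeInterval) -> Bool {
        c.expiration.timeIntervalSince(now) > margin
    }

    // Returns the cached credentials when they are fresh, otherwise fetches a new set.
    func credentials(now: Date = Date()) async throws -> TemporaryCredentials {
        if let c = cached, Self.isFresh(c, at: now, margin: refreshMargin) {
            return c
        }
        let id = try await identityId()
        let fresh = try await api.getCredentials(identityId: id)
        cached = fresh
        return fresh
    }

    // The identity ID is stable per user and is not a secret, so persisting it in
    // UserDefaults (as the proof of concept does) avoids creating a new identity per launch.
    private func identityId() async throws -> String {
        if let id = defaults.string(forKey: identityKey) { return id }
        let id = try await api.getId(identityPoolId: identityPoolId)
        defaults.set(id, forKey: identityKey)
        return id
    }

    // Call this when the service rejects the cached identity (for example after it was
    // deleted from the pool) so that the next request creates a fresh one.
    func resetIdentity() {
        defaults.removeObject(forKey: identityKey)
        cached = nil
    }
}
```

Wiring it up mirrors the proof of concept: construct `CognitoCredentialsProvider(api: SDKCognitoIdentityAPI(client: try CognitoIdentityClient(region: "eu-central-1")), identityPoolId: <pool id>)`, call `credentials()` before building a client, and pass the result to `AWSCredentialsProviderStaticConfig` as above. Because the provider only talks to the `CognitoIdentityAPI` protocol, a unit test can supply a fake that returns credentials with a chosen `expiration` and call `credentials(now:)` with different clocks to check that a fresh set is served from cache and an expiring set triggers exactly one refresh.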
This work will be tracked in Issue #1082