How to use AssumeRoleWithWebIdentity after calling GetOpenIdTokenForDeveloperIdentity

[gaetanDubuc]

Hello everyone,

I'm trying the golang sdk and i would like to get a thing shadow. I am following the basic authentication flow.

I created an identity pool associated to a role with [AWSIoTFullAccess](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSIoTFullAccess) policy.

• I use GetOpenIdTokenForDeveloperIdentity to get an OpenID from my backend.
• AssumeRoleWithWebIdentity to get temporary credentials.
• GetThingShadow to get the shadow.

However i'm facing the following error when i am calling GetThingShadow: https response error StatusCode: 403, RequestID: ..., api error ForbiddenException: UnknownError.

Here is my script that i use to call GetThingShadow from iotdataplane.

package cognito

import (
	"context"
	"fmt"
	"os"
	"testing"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
	"github.com/aws/aws-sdk-go-v2/service/iotdataplane"
	"github.com/aws/aws-sdk-go-v2/service/sts"
	"github.com/aws/aws-sdk-go-v2/service/sts/types"
	"github.com/stretchr/testify/assert"
)

type CredentialsProvider struct {
	Creds aws.Credentials
}

// Retrieve returns nil if it successfully retrieved the value.
// Error is returned if the value were not obtainable, or empty.
func (c CredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
	return c.Creds, nil
}

type CredentialsProviderV2 struct {
	dev *cognitoidentity.GetOpenIdTokenForDeveloperIdentityOutput
}

// Retrieve returns nil if it successfully retrieved the value.
// Error is returned if the value were not obtainable, or empty.
func (c CredentialsProviderV2) Retrieve(ctx context.Context) (aws.Credentials, error) {
	region, _ := os.LookupEnv("Region")

	options := sts.Options{Region: region}
	stsClient := sts.New(options)
	role, _ := os.LookupEnv("Role")
	roleSessionName := "gorest"

	var duration int32 = 3900
	stsInput := sts.AssumeRoleWithWebIdentityInput{RoleArn: &role, DurationSeconds: &duration, RoleSessionName: &roleSessionName, WebIdentityToken: c.dev.Token,
		PolicyArns: []types.PolicyDescriptorType{
			{Arn: aws.String("arn:aws:iam::aws:policy/AWSIoTFullAccess")},
		}}

	stsOutput, err := stsClient.AssumeRoleWithWebIdentity(ctx, &stsInput)

	return aws.Credentials{AccessKeyID: *stsOutput.Credentials.AccessKeyId, SecretAccessKey: *stsOutput.Credentials.SecretAccessKey, SessionToken: *stsOutput.Credentials.SessionToken, CanExpire: true, Expires: *stsOutput.Credentials.Expiration}, err
}

func TestAwsGetThingShadow(t *testing.T) {
	ctx := context.Background()
	region, _ := os.LookupEnv("Region")
	accessKeyID, _ := os.LookupEnv("AccessKeyID")
	secretAccessKey, _ := os.LookupEnv("SecretAccessKey")
	developerProvider, _ := os.LookupEnv("DeveloperProvider")
	identityPoolId, _ := os.LookupEnv("IdentityPoolId")
	thingName, _ := os.LookupEnv("ThingName")

	conf := aws.Config{Region: region, Credentials: CredentialsProvider{Creds: aws.Credentials{AccessKeyID: accessKeyID, SecretAccessKey: secretAccessKey}}}

	cognitoIdentityClient := cognitoidentity.NewFromConfig(conf)
	logins := map[string]string{developerProvider: "user"}
	input := cognitoidentity.GetOpenIdTokenForDeveloperIdentityInput{IdentityPoolId: &identityPoolId, Logins: logins}
	developerIdentityOutput, err := cognitoIdentityClient.GetOpenIdTokenForDeveloperIdentity(ctx, &input)

	conf2 := aws.Config{Region: region, Credentials: CredentialsProviderV2{dev: developerIdentityOutput}}
	// Use the credentials to make API requests
	// For example, you can create an IoT Data Plane client:
	iotClient := iotdataplane.NewFromConfig(conf2)

	_, err = iotClient.GetThingShadow(ctx, &iotdataplane.GetThingShadowInput{
		ThingName: &thingName,
	})

	fmt.Print(err)
	assert.Nil(t, err)
}

If someone can help me that would be great! Thank!

[gaetanDubuc]

Ok, i found you need to use AttachPolicy from iot to attach your iot policy to your new user.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.