Temporary AWS Credentials with Third Party Identity Provider via STS and Android SDK
Role has been the preferred way to gain access to AWS for mobile apps instead of hard coded credentials. A mobile app can assume a specific role via AWS STS (Security Token Service) in which a temporary AWS credentials will be returned. However, the implementation is not as easy as I thought it would be.
During my implementation time, I found that the documentation was not as clear and ended up spending a lot of time doing trial and error and re-reading articles.
One of my requirements is I don't want to rely on AWS Cognito for identity at all since I already use a third party identity provider. It is, however, possible to use AWS Cognito as a bridge between the mobile app and the third party identity provider. My next requirement is I don't want to use AWS Amplify. AWS pushes Amplify usage very hard and it is indeed very easy to use, but I'm not too fond of the level of abstraction for my application. Another requirement is if possible, I want to use SDK instead of manually making a REST call.
With those requirements in mind, I went to look for the documentation. My first meaningful documentation is the following article about AssumeRoleWithWebIdentity:
In that section, AWS recommends AWS Cognito and nowhere obvious can I find what to do if I don't want to use it. After missing it a few times, the link that says AmazonSTSCredentialsProvider at the end of the section gives a clue and it leads to the following blog post:
Although the blog says for iOS, it is also applicable to Android.
After rummaging through the API reference, AmazonSTSCredentialsProvider has many implementations, in which the one applicable to my case is the WebIdentityFederationSessionCredentialsProvider since it takes a token from third party identity provider and roleArn.
At this point, it is still not clear on what I need to do to be able to use the class above.
After few more online searches, I found the articles below to be helpful:
Eventually, the articles above lead to the article that helps me setup the whole thing:
To make it work, few things I need to do:
- Create a role and note the ARN
- Create an IAM Identity Provider entity. The link can be found in the IAM console page.
- Set the role's Trust relationship with the Identity Provider as the trusted entity
- On the mobile app, I use the following code:
- At first, I made a mistake by providing an access token. It threw an error that it can't find iat property. When I switched to use id token, it managed to retrieve the temporary credentials which I then used to successfully to make an API call. For example, DynamoDB API call:
In conclusion, my code in Kotlin that works is:
val wif = WebIdentityFederationSessionCredentialsProvider(
idToken,
null,
roleArn)
val dynamoDBClient = AmazonDynamoDBClient(wif)
dynamoDBClient.setRegion(Region.getRegion(region))
val scanRequest = ScanRequest(tableName)
Comments
Post a Comment