Login/Register
AWS Amplify uses guest credentials, not authenticated creds, in API requests
Asked Answered
amazon-web-servicesaws-mobilehubaws-amplify
I

4

6

I am using the AWS Amplify library with MobileHub.

I have a Cognito User Pool connected, and an API Gateway (which communicates with Lambda functions). I'd like my users to sign before accessing resources, so I've enabled "mandatory sign-in" in MobileHub User Sign-In page, and the Cloud Logic page.

Authentication works fine, but when I send a GET request to my API, I receive this error:

"[WARN] 46:22.756 API - ensure credentials error": "cannot get guest credentials when mandatory signin enabled"

I understand that Amplify generates guest credentials, and has put these in my GET request. Since I've enabled "mandatory signin", this doesn't work.

But why is it use guest credentials? I've signed in -- shouldn't it use those credentials? How do I use the authenticated user's information?

Cheers.

EDIT: Here is the code from the Lambda function:

lambda function:

import { success, failure } from '../lib/response';
import * as dynamoDb from '../lib/dynamodb';

export const main = async (event, context, callback) => {
    const params = {
        TableName: 'chatrooms',
        Key: {
            user_id: 'user-abc', //event.pathParameters.user_id,
            chatroom_id: 'chatroom-abc',
        }
    };

    try {
        const result = await dynamoDb.call('get', params);
        if (result.Item) { 
            return callback(null, success(result.Item, 'Item found'));
        } else {
            return callback(null, failure({ status: false }, 'Item not found.'));
        }
    } catch (err) {
        console.log(err);
        return callback(null, failure({ status: false }), err);
    }
}

And these small helper functions:

response.js:

export const success = (body, message) => buildResponse(200, body, message)
export const failure = (body, message) => buildResponse(500, body, message)

const buildResponse = (statusCode, body, message=null) => ({
    statusCode: statusCode,
    headers: {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": true
    },
    body: JSON.stringify({
        ...body,
        message: message
    })
});

dynamodb.js:

import AWS from 'aws-sdk';

AWS.config.update({ region: 'ap-southeast-2' });

export const call = (action, params) => {
    const dynamoDb = new AWS.DynamoDB.DocumentClient();
    return dynamoDb[action](params).promise();
}
Immiscible answered 12/5, 2018 at 9:16 Comment(5)
Can you post some code of the API gateway call?Presbyopia
I've updated the main post. Some details are hard-coded for debugging. Does AWS require the response to be in a format that I'm not complying to?Immiscible
I would guess that were not authenticated before (even if you thought you were) and when you turned on mandatory authentication you discovered that your API calls were never authenticated. github.com/aws/aws-amplify/blob/master/packages/aws-amplify/src/…Presbyopia
How can I ensure I authenticate? I run Auth.signIn('username', 'password') and I seem to receive the correct object (No errors or anything). Is there another sign-in method I should be performing?Immiscible
I see. There seems to be some options posted here github.com/aws/aws-amplify/issues/432Presbyopia
I
2

I'm following the guide "serverless-stack" and was prompt with the same warning message, I was logging in correctly and logging out correctly and did not understand why the warning message. In my case, in the Amplify.configure I skip to add the identity pool id, and that was the problem, User pools and federated identities are not the same.

(English is not my native language)

Illconditioned answered 30/5, 2018 at 16:37 Comment(0)
T
1

Have you tried checking why your SignIn request is being rejected/error prone? 

Auth.signIn(username, password)
    .then(user => console.log(user))
    .catch(err => console.log(err));

// If MFA is enabled, confirm user signing 
// `user` : Return object from Auth.signIn()
// `code` : Confirmation code  
// `mfaType` : MFA Type e.g. SMS, TOTP.
Auth.confirmSignIn(user, code, mfaType)
    .then(data => console.log(data))
    .catch(err => console.log(err));

You can try this, then it would be easier for you to debug.

Tedman answered 21/5, 2018 at 10:56 Comment(2)
My SignIn request is not rejected, it passes fine and I receive the correct User object. This is why I'm confused -- it's the API call that fails, but the Cognito SignIn works perfectly.Immiscible
The error that you received served only if you have initiated the SignOut call or the Aws amplify library was not able to fetch the data for currentSessionUser. You might give us some of the Authentication code and code for the GET API call then only we can give you a better answer.Tedman
T
0

From the suggestions on the aws-amplify issues tracker, add an anonymous user to your cognito user pool and hard code the password in your app. Seems like there are other options but this is the simplest in my opinion.

Tetrahedral answered 18/5, 2018 at 17:6 Comment(1)
I'm not trying to implement an anonymous user, however. My user has all the details (username, password, email), and I'm trying to log in with that. Am I (possibly) missing a difference between a Cognito user and AWS user?Immiscible
L
0

You have to use your credentials at each request to use AWS Services : (sample code angular)

SignIn :

import Amplify from 'aws-amplify';
import Auth from '@aws-amplify/auth';

 Amplify.configure({
      Auth: {
        region: ****,
        userPoolId: *****,
        userPoolWebClientId: ******,
      }
    });

//sign in

Auth.signIn(email, password)

Request

import Auth from '@aws-amplify/auth';

from(Auth.currentCredentials())
   .pipe(
      map(credentials => {
        const documentClient = new AWS.DynamoDB.DocumentClient({
          apiVersion: '2012-08-10',
          region: *****,
          credentials: Auth.essentialCredentials(credentials)
       });

       return documentClient.query(params).promise()

      }),
      flatMap(data => {
          return data
       })
)
Luker answered 8/8, 2018 at 9:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.