Can I use my Cognito credentials to authenticate against AWS services using the AWS SDK for .NET?

Question

I want to download files from S3 buckets to a Windows machine using a Cognito user.

I've created a user pool, created a new demo user and also created an app client with the authorization code flow enabled. Afterwards, I created a new role which just gives full access to the AWS S3 service, assigned this role to a group and assigned my demo user to this group.

In my .NET 8 app, I open the web browser, redirects the user to the Cognito login page & redirect back to the web server of the app. With the gathered authorization code I then get an OAuth 2.0 token.

I now need to assume a role using the secure token service providing my OAuth 2.0 credentials & then receive AWS credentials which then can be used to call S3 using the SDK.

I'm using the AmazonSecurityTokenServiceClient, But I get the error:

Unable to get IAM security credentials from EC2 Instance Metadata Service

How does the EC2 service come into play?

What's the issue with the AmazonSecurityTokenServiceClient?

And, how can I access S3 using my Cognito credentials??

This is my code:

// Get AWS credentials using the identity pool
AmazonSecurityTokenServiceClient securityTokenServiceClient = new AmazonSecurityTokenServiceClient(RegionEndpoint.EUNorth1);
AssumeRoleWithWebIdentityResponse roleResponse = await securityTokenServiceClient.AssumeRoleWithWebIdentityAsync(new AssumeRoleWithWebIdentityRequest()
{
    WebIdentityToken = tokenResponse?.IdToken,
    RoleArn = "arn:aws:iam::1234:role/cognito-demo-bucket",
    RoleSessionName = "demo"
});

_logger.LogTrace("Access key: {awsCredentials}\nSecret access key: {secretAccessKey}", roleResponse.Credentials.AccessKeyId, roleResponse.Credentials.SecretAccessKey);

Answer 1

How does the EC2 service come into play?

The reason you get Unable to get IAM security credentials from EC2 Instance Metadata Service is due to how the AWS SDK for .NET searches for credentials.

The default credentials provider chain for the .NET SDK searches for credentials in a specific order, one by one. If all else fails, currently, the final place the credentials provider looks at is:

8. Amazon EC2 instance metadata.

Since the .NET SDK can't find any credentials anywhere for your application in the other 7 locations, its final attempt is at loading them from the EC2 instance metadata endpoint under the metadata item iam/security-credentials/{role-name}.

Since you're not running on an EC2 instance, that also fails and the SDK errors out with the above error message - basically saying: I can't find any credentials anywhere.

---

What's the issue with the AmazonSecurityTokenServiceClient?

The AmazonSecurityTokenServiceClient in this case does not need any AWS credentials. It is being used to call the AssumeRoleWithWebIdentity operation, which exchanges the Cognito ID token for temporary AWS credentials.

As per docs:

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials.

Therefore, you need to tell the AWS SDK to not sign the request.

For the .NET SDK, you can do this by using the AnonymousAWSCredentials class:

using Amazon;
using Amazon.Runtime;
using Amazon.SecurityToken;

var anonymousCredentials = new AnonymousAWSCredentials();
var stsClient = new AmazonSecurityTokenServiceClient(anonymousCredentials, RegionEndpoint.EUWest1);

---

And, how can I access S3 using my Cognito credentials?

Use SessionAWSCredentials; for Amazon S3, here's a full working, minimal example that lists the objects in a bucket:

using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

var anonymousCredentials = new AnonymousAWSCredentials();
var stsClient = new AmazonSecurityTokenServiceClient(anonymousCredentials, RegionEndpoint.EUWest1);

var assumeRoleResponse = await stsClient.AssumeRoleWithWebIdentityAsync(new AssumeRoleWithWebIdentityRequest
{
    RoleArn = "arn:aws:iam::1234:role/cognito-demo-bucket",
    RoleSessionName = "xxx",
    WebIdentityToken = "yyy"
});

var assumedCredentials = new SessionAWSCredentials(
    assumeRoleResponse.Credentials.AccessKeyId,
    assumeRoleResponse.Credentials.SecretAccessKey,
    assumeRoleResponse.Credentials.SessionToken
);

var s3Client = new AmazonS3Client(assumedCredentials);

var bucketName = "xyz";
var listObjectsResponse = await s3Client.ListObjectsAsync(bucketName);