我正在研究 AWS Android SDK 的示例代码。S3_WIF_PersonalFileStore 示例可以正常工作，但在 DynamoDB_WIF_UserPreference 示例中我遇到了一个无法修复的错误。我认为问题出在信任关系上，但我使用的是与可正常工作的 S3_WIF_PersonalFileStore 相同的配置，只是替换成了相应的值。
我的代码成功建立了与Facebook的会话,然后抛出以下错误:
04-03 09:42:15.949: E/(5161): com.amazonaws.AmazonServiceException: Status Code: 403, AWS Service: AWSSecurityTokenService, AWS Request ID: c41b700e-bb35-11e3-94ad-830da8959736, AWS Error Code: AccessDenied, AWS Error Message: Not authorized to perform sts:AssumeRoleWithWebIdentity
该错误由 wif.refresh() 抛出。
我非常感谢有关如何进一步诊断此问题的任何想法。
谢谢
杰夫
IAM 控制台中我的信任关系策略：
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Federated": "graph.facebook.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": { "graph.facebook.com:app_id": "486879244768576" }
      }
    }
  ]
}
IAM 控制台中我的角色权限策略：
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "*"
    }
  ]
}
strings.xml 中的相关值：应用 ID 486879244768576，角色 ARN arn:aws:iam::532776582086:role/DynamoFbUserPrefExample
我的代码：wif.refresh() 会抛出该错误。除了添加了一些日志记录之外，我运行的就是 AWS 的示例代码。
package com.amazonaws.demo.userpreferences;
import android.app.Activity;
import android.content.SharedPreferences;
import android.os.AsyncTask;
import android.os.Bundle;
import android.util.Log;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.WebIdentityFederationSessionCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
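/**
 * This class is used to get clients to the various AWS services. Before
 * accessing a client the credentials should be checked to ensure validity.
 * <p>
 * Two credential sources are supported: keys embedded through
 * {@link PropertyLoader} (taken only when the loader reports credentials) and
 * short-lived session credentials obtained through web identity federation
 * via {@link WebIdentityFederationSessionCredentialsProvider}. Keys compiled
 * into an app can be extracted from the APK, so the federated path is the one
 * intended for anything but development builds.
 */
public class AmazonClientManager {
    private static final String LOG_TAG = "AmazonClientManager";

    /** Placeholder a role ARN still holds when strings.xml was never filled in. */
    private static final String UNCONFIGURED_ROLE_ARN = "ROLE_ARN";

    /** Region every DynamoDB client created by this class is pointed at. */
    private static final Regions DDB_REGION = Regions.US_WEST_2;

    /**
     * Service error codes after which the cached session is wiped so the user
     * is sent through login again. Sources:
     * <ul>
     *   <li>STS: http://docs.amazonwebservices.com/STS/latest/APIReference/CommonErrors.html</li>
     *   <li>DynamoDB: http://docs.amazonwebservices.com/amazondynamodb/latest/developerguide/ErrorHandling.html#APIErrorTypes</li>
     * </ul>
     * NOTE(review): the STS "AccessDenied" code (the one returned when
     * AssumeRoleWithWebIdentity is refused) is not in this list, so that
     * failure leaves the stored credentials in place.
     */
    private static final Set<String> AUTH_ERROR_CODES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    // STS
                    "IncompleteSignature",
                    "InternalFailure",
                    "InvalidClientTokenId",
                    "OptInRequired",
                    "RequestExpired",
                    "ServiceUnavailable",
                    // DynamoDB
                    "AccessDeniedException",
                    "IncompleteSignatureException",
                    "MissingAuthenticationTokenException",
                    "ValidationException",
                    "InternalServerError")));

    private AmazonDynamoDBClient ddb = null;
    private SharedPreferences sharedPreferences = null;
    private WebIdentityFederationSessionCredentialsProvider wif = null;
    private WIFIdentityProvider idp = null;
    private String fbRoleARN = null;
    private String googleRoleARN = null;
    private String amazonRoleARN = null;
    private String googleClientID = null;

    /**
     * @param settings preferences used to persist the logged-in user name
     * @param bundle   metadata holding the "FBRoleARN", "GoogleRoleARN",
     *                 "AMZNRoleARN" and "GoogleClientID" entries; a missing
     *                 entry is read as null
     */
    public AmazonClientManager(SharedPreferences settings, Bundle bundle) {
        this.sharedPreferences = settings;
        if (PropertyLoader.getInstance().hasCredentials()) {
            this.initWithEmbeddedCredentials();
        }
        fbRoleARN = bundle.getString("FBRoleARN");
        googleRoleARN = bundle.getString("GoogleRoleARN");
        amazonRoleARN = bundle.getString("AMZNRoleARN");
        googleClientID = bundle.getString("GoogleClientID");
    }

    /** @return the DynamoDB client, or null until a login has completed */
    public AmazonDynamoDBClient ddb() {
        return ddb;
    }

    /**
     * Reports whether any way of obtaining credentials is configured: either
     * embedded keys, or at least one role ARN that is not the placeholder.
     *
     * @return true when some credential source is available
     */
    public boolean hasCredentials() {
        if (PropertyLoader.getInstance().hasCredentials()) {
            return true;
        }
        // A null ARN (missing bundle entry) counts as unconfigured instead of
        // throwing NullPointerException, which roleArn.equals("ROLE_ARN") did.
        return !(isUnconfigured(fbRoleARN)
                && isUnconfigured(googleRoleARN)
                && isUnconfigured(amazonRoleARN));
    }

    /** True when the ARN is absent or still the placeholder from strings.xml. */
    private static boolean isUnconfigured(String roleArn) {
        return roleArn == null || UNCONFIGURED_ROLE_ARN.equals(roleArn);
    }

    /**
     * @return true once a DynamoDB client exists, i.e. embedded credentials
     *         were loaded or a federated login succeeded
     */
    public boolean isLoggedIn() {
        return ddb != null;
    }

    /** Drops the stored user name and the client so isLoggedIn() becomes false. */
    public void clearCredentials() {
        synchronized (this) {
            AmazonSharedPreferencesWrapper.wipe(this.sharedPreferences);
            ddb = null;
        }
    }

    /**
     * Clears the cached session when the failure indicates the credentials
     * can no longer be used.
     *
     * @param ex the failure returned by STS or DynamoDB
     * @return true if the credentials were wiped and the caller should
     *         prompt for a new login, false if the error is unrelated
     */
    public boolean wipeCredentialsOnAuthError(AmazonServiceException ex) {
        // Set.contains(null) is false, so a missing error code is simply
        // "not an auth error" rather than a NullPointerException.
        if (AUTH_ERROR_CODES.contains(ex.getErrorCode())) {
            clearCredentials();
            return true;
        }
        return false;
    }

    /**
     * Exchanges the identity provider's token for AWS session credentials and
     * builds the DynamoDB client. The STS call runs off the UI thread; the
     * outcome (RESULT_OK or RESULT_CANCELED) is delivered to {@code activity},
     * which is then finished.
     *
     * @param wifIDP   provider supplying the web identity token, provider id
     *                 and role ARN to assume
     * @param activity activity that receives the result
     */
    public void login(WIFIdentityProvider wifIDP, final AlertActivity activity) {
        idp = wifIDP;
        // The web identity token is a bearer credential. Logcat output ends up
        // in bug reports and is visible to other tooling on the device, so
        // record only whether a token is present, never its value.
        Log.i(LOG_TAG, "token present: " + (idp.getToken() != null));
        Log.i(LOG_TAG, "provider: " + idp.getProviderID());
        Log.i(LOG_TAG, "arn: " + idp.getRoleARN());
        wif = new WebIdentityFederationSessionCredentialsProvider(
                idp.getToken(), idp.getProviderID(), idp.getRoleARN());
        // refresh() talks to STS over the network, so it must not run on the UI thread.
        new AsyncTask<Void, Void, Throwable>() {
            @Override
            protected Throwable doInBackground(Void... arg0) {
                try {
                    wif.refresh(); // ERROR ORIGINATES HERE
                } catch (Throwable t) {
                    return t;
                }
                return null;
            }

            @Override
            protected void onPostExecute(Throwable t) {
                if (t != null) {
                    Log.e(LOG_TAG, "Unable to login.", t);
                    activity.setResult(Activity.RESULT_CANCELED);
                    activity.setStackAndPost(t);
                } else {
                    ddb = new AmazonDynamoDBClient(wif);
                    ddb.setRegion(Region.getRegion(DDB_REGION));
                    String subject = wif.getSubjectFromWIF();
                    AmazonSharedPreferencesWrapper.storeUsername(sharedPreferences, subject);
                    Log.d(LOG_TAG, "Logged in with user id " + subject);
                    activity.setResult(Activity.RESULT_OK);
                }
                activity.finish();
            }
        }.execute();
    }

    /**
     * Builds the DynamoDB client from the long-term keys returned by
     * {@link PropertyLoader}. Runs only when the loader reports credentials;
     * such keys ship with the APK, so this is a development convenience, not
     * a release configuration.
     */
    private void initWithEmbeddedCredentials() {
        if (ddb == null) {
            AWSCredentials credentials = new BasicAWSCredentials(
                    PropertyLoader.getInstance().getAccessKeyID(),
                    PropertyLoader.getInstance().getSecretKey());
            ddb = new AmazonDynamoDBClient(credentials);
            ddb.setRegion(Region.getRegion(DDB_REGION));
            Log.d(LOG_TAG, "Logged in with embedded credentials");
        }
    }

    /** @return the user name stored by the last successful federated login, if any */
    public String getUsername() {
        return AmazonSharedPreferencesWrapper.getUsername(this.sharedPreferences);
    }

    public String getAmazonRoleARN() {
        return amazonRoleARN;
    }

    public String getGoogleRoleARN() {
        return googleRoleARN;
    }

    public String getFacebookRoleARN() {
        return fbRoleARN;
    }

    public String getGoogleClientID() {
        return googleClientID;
    }

    /** Removes everything this class stored in the shared preferences. */
    public void wipe() {
        AmazonSharedPreferencesWrapper.wipe(this.sharedPreferences);
    }
}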