From 4bcdd9a34c90f5782d48a7c113d1571535a6d625 Mon Sep 17 00:00:00 2001
From: Ran Vaknin <50976344+RanVaknin@users.noreply.github.com>
Date: Wed, 12 Jun 2024 13:37:20 -0700
Subject: [PATCH] docs(cognito_identity_credentials): Explain limitation of CognitoIden… (#4455)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* docs(cognito_identity_credentials): Explain limitation of CognitoIdentityCredentials

This method uses the simplified authflow, which means users cannot explicitly set a session policy. This results in STS appending the Default Session Policy to the request, which can lead to limiting permissions even if they are explicitly attached to a role.

* Update cognito_identity_credentials.js

* Update lib/credentials/cognito_identity_credentials.js

* Update lib/credentials/cognito_identity_credentials.js

---------

Co-authored-by: George Fu
---
 lib/credentials/cognito_identity_credentials.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/credentials/cognito_identity_credentials.js b/lib/credentials/cognito_identity_credentials.js
index 6208f614b7..c9c7b3db59 100644
--- a/lib/credentials/cognito_identity_credentials.js
+++ b/lib/credentials/cognito_identity_credentials.js
@@ -23,6 +23,15 @@ var STS = require('../../clients/sts'); * identity providers. See {constructor} for an example on creating a credentials * object with proper property values. * + * DISCLAIMER: This convenience method leverages the Enhanced (simplified) Authflow. The underlying + * implementation calls Cognito's `getId()` and `GetCredentialsForIdentity()`. + * In this flow there is no way to explicitly set a session policy, resulting in + * STS attaching the default policy and limiting the permissions of the federated role. + * To be able to explicitly set a session policy, do not use this convenience method. + * Instead, you can use the Cognito client to call `getId()`, `GetOpenIdToken()` and then use + * that token with your desired session policy to call STS's `AssumeRoleWithWebIdentity()` + * For further reading refer to: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html + * * ## Refreshing Credentials from Identity Service * * In addition to AWS credentials expiring after a given amount of time, the
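Review bot: the method names in the added comment mix two conventions: `getId()` is written as the JS SDK v2 client method, while `GetCredentialsForIdentity()`, `GetOpenIdToken()` and `AssumeRoleWithWebIdentity()` are written as API operation names with parentheses, and because this comment documents an SDK class readers will copy them as method calls that do not exist under that casing. Suggest `getCredentialsForIdentity()`, `getOpenIdToken()` and `assumeRoleWithWebIdentity()` (the v2 client method names), or consistently refer to the operations without parentheses. The sentence "resulting in STS attaching the default policy and limiting the permissions of the federated role" also drops the point the commit message makes: the effective permissions can end up narrower than what the role's attached policies grant, which is why adding permissions to the role does not help; saying that explicitly is what a confused reader needs. The line ending at `AssumeRoleWithWebIdentity()` is missing its terminating period. Finally, the `getOpenIdToken` / `assumeRoleWithWebIdentity` alternative only works when the identity pool permits the classic flow (the AllowClassicFlow setting on the identity pool); a short mention would spare readers a confusing failure when they follow this advice against a pool that has it disabled.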