我正在使用 OKTA 对用户进行身份验证,然后尝试使用 STS 将我从 OKTA 获得的“access_token”交换为 AWS 凭证。
我的代码如下:
String authenticatedRoleARN = "arn:aws:iam::11111111:role/myapp-dev-ssm-lifecyclehook";
String awsAccountNumber = "22222222";
CognitoAWSCredentials cognitoCredentials
= new CognitoAWSCredentials(awsAccountNumber, "us-east-1:aaa55555-7aaa-4333-9222-4f45555c31b", null, authenticatedRoleARN, RegionEndpoint.USEast1);
Amazon.SecurityToken.AmazonSecurityTokenServiceClient securityTokenServiceClient
= new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(cognitoCredentials);
etSessionTokenRequest sessionTokenRequest = new GetSessionTokenRequest();
sessionTokenRequest.TokenCode = accessToken; //this is the access_token received from OKTA when user is authenticated
sessionTokenRequest.DurationSeconds = 600;
GetSessionTokenResponse sessionTokenResponse = securityTokenServiceClient.GetSessionToken(sessionTokenRequest);
对 GetSessionToken 的调用失败,并出现错误“此身份池不支持未经身份验证的访问”。
任何想法可能导致这种情况和/或我可能做错了什么?
谢谢!!