
I do a POST request to STS AssumeRoleWithWebIdentity to get the access_key, secret_key and token of OIDC (OpenID Connect) using a curl command for the China region, which returns the below error.

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Provided Token is not a Login With Amazon token.

curl -v -X POST 'https://sts.cn-northwest-1.amazonaws.com.cn/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleSessionName=app1&RoleArn=<ROLE_ARN>&WebIdentityToken=<TOKEN>&Version=2011-06-15&&ProviderId=www.amazon.com'
7hills

2 Answers


After spending a few days I found that it is working without ProviderId. The curl URL works without ProviderId; the ProviderId shall be included only in case of OAuth 2.0 access tokens, not for OpenID Connect.

AWS documentation (AssumeRoleWithWebIdentity, Provider): The issuing authority of the web identity token presented. For OpenID Connect ID tokens, this contains the value of the iss field. For OAuth 2.0 access tokens, this contains the value of the ProviderId parameter that was passed in the AssumeRoleWithWebIdentity request.

curl -v -X POST 'https://sts.cn-northwest-1.amazonaws.com.cn/?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&RoleSessionName=app1&RoleArn=<ROLE_ARN>&WebIdentityToken=<TOKEN>&Version=2011-06-15&'
7hills
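As an added example (not from the question or the answers), a small Python helper that builds the AssumeRoleWithWebIdentity query for the cn-northwest-1 endpoint and includes ProviderId only when the token is an opaque OAuth 2.0 access token, leaving it out for an OIDC ID token whose issuer STS reads from the iss claim. The sample tokens, issuer and role ARN are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

STS_ENDPOINT = "https://sts.cn-northwest-1.amazonaws.com.cn/"  # China-region endpoint from the question

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore stripped padding

# Constructed sample tokens (placeholders, not real credentials).
SAMPLE_OIDC_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps({"iss": "https://idp.example.com", "sub": "user1", "aud": "app1"}).encode()),
    "placeholder-signature"])
SAMPLE_OAUTH_TOKEN = "opaque-oauth2-access-token-placeholder"

def oidc_issuer(token: str) -> "str | None":
    """Return the iss claim if token is an OIDC ID token (a JWT), else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque OAuth 2.0 access tokens have no JWT structure
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return None
    return claims.get("iss") if isinstance(claims, dict) else None

def assume_role_params(role_arn: str, token: str, session_name: str,
                       provider_id: str = "", duration: int = 3600) -> dict:
    """Query parameters for AssumeRoleWithWebIdentity.
    STS reads the provider of an OIDC ID token from its iss claim, so ProviderId is
    dropped even if supplied; sending it makes STS treat the token as an OAuth 2.0
    access token (www.amazon.com = Login With Amazon) and the call fails with
    InvalidIdentityToken. An opaque OAuth 2.0 access token needs ProviderId.
    """
    params = {"Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
              "RoleArn": role_arn, "RoleSessionName": session_name,
              "WebIdentityToken": token, "DurationSeconds": str(duration)}
    if oidc_issuer(token) is None:
        if not provider_id:
            raise ValueError("OAuth 2.0 access tokens require ProviderId")
        params["ProviderId"] = provider_id
    return params

def assume_role_url(params: dict) -> str:
    return STS_ENDPOINT + "?" + urlencode(params)  # the URL the curl command POSTs to
```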

It is happening on our site right now and the cause seems to be AWS being down. :)

Akaisteph7