Getting AWS credentials using cognito in python boto

I am trying to mimic the flow of my server application by generating a temporary access / secret key pair for a mobile device using my own authentication. The mobile device talks to my server and as a result it gets AWS credentials.

I am using Cognito with a dedicated developer backend, see the documentation here .

To this end, I made the script below, but my private / secret access keys are not working:

import time
import traceback 
from boto.cognito.identity.layer1 import CognitoIdentityConnection
from boto.sts import STSConnection
from boto.s3.connection import S3Connection
from boto.s3.key import Key


AWS_ACCESS_KEY_ID = "XXXXX"
AWS_SECRET_ACCESS_KEY = "XXXXXX"


# get token
iden_pool_id = "us-east-1:xxx-xxx-xxx-xxxx-xxxx"
role_arn = "arn:aws:iam::xxxx:role/xxxxxxx"
user_id = "xxxx"
role_session_name = "my_session_name_here"
bucket_name = 'xxxxxxxxxx'


connection = CognitoIdentityConnection(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)

web_identity_token = connection.get_open_id_token_for_developer_identity(
    identity_pool_id=iden_pool_id, 
    logins={"xxxxxxxxx" : user_id}, 
    identity_id=None, 
    token_duration=3600)


# use token to get credentials
sts_conn = STSConnection(aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
result = sts_conn.assume_role_with_web_identity(
    role_arn, 
    role_session_name, 
    web_identity_token['Token'], 
    provider_id=None, 
    policy=None, 
    duration_seconds=3600)

print "The user now has an access ID (%s) and a secret access key (%s) and a session/security token (%s)!" % (
    result.credentials.access_key, result.credentials.secret_key, result.credentials.session_token)

# just use any call that tests if these credentials work
from boto.ec2.connection import EC2Connection
ec2 = EC2Connection(result.credentials.access_key, result.credentials.secret_key, security_token=result.credentials.session_token)
wait = 1
cumulative_wait_time = 0
while True:
    try:
        print ec2.get_all_regions()
        break
    except Exception as e:
        print e, traceback.format_exc()
        time.sleep(2**wait)
        cumulative_wait_time += 2**wait
        print "Waited for:", cumulative_wait_time
        wait += 1

      

        
        
        
      

    

My thought, with exponential backtracking, was that perhaps Cognito takes some time to propagate a new access / secret key pair, and so I might have to wait (rather unacceptable if so!).

However, this script runs for 10 minutes and fails, which makes me think the problem is something else.

Console printout:

The user now has an access ID (xxxxxxxx) and a secret access key (xxxxxxxxxx) and a session/security token (XX...XX)!

EC2ResponseError: 401 Unauthorized
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>xxxxxxxxxx</RequestID></Response> Traceback (most recent call last):
  File "/home/me/script.py", line 50, in <module>
    print ec2.get_all_regions()
  File "/home/me/.virtualenvs/venv/local/lib/python2.7/site-packages/boto/ec2/connection.py", line 3477, in get_all_regions
    [('item', RegionInfo)], verb='POST')
  File "/home/me/.virtualenvs/venv/local/lib/python2.7/site-packages/boto/connection.py", line 1186, in get_list
    raise self.ResponseError(response.status, response.reason, body)
EC2ResponseError: EC2ResponseError: 401 Unauthorized
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>xxxxxxxxxxxxx</RequestID></Response>

Waited for: 2
...
...

      

        
        
        
      

    

Any thoughts?