
Alexa Account Linking with Cognito

You would think two of Amazon's products would integrate nicely together. You'd also think that Amazon would have proper documentation on their services. Both are horribly wrong.

I'm using Account Linking with Alexa and using AWS Cognito as my OAuth provider. I am able to successfully link my account just fine, and with every subsequent Alexa invocation I get an access token returned back to me. Now what?

I need to be able to access other AWS services such as Dynamo, Lambda, and IoT from my Alexa Lambda function. Thought it would be as easy as something like this:

var accessToken = event.session.user.accessToken;
var params = {
    IdentityPoolId: "{identity_pool_id}",
    Logins : {
        'cognito-idp.us-east-1.amazonaws.com/{user_pool_id}' : accessToken
    }
};

AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials(params);
AWS.config.credentials.get(function(err) {
    if (err) {
        console.log(err);
    } else {
        console.log('success');
        console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);
    }
});

But of course it's not that simple. Can anyone help me out?

You need to assign appropriate "Policies" for the created "Role" under IAM. All of the AWS services work on policy-based access permissions, and these must be explicitly attached to the IAM role for that role to be able to access/run the underlying service on behalf of that user role.

In summary you need to assign policies from IAM related to "IOT", "DynamoDB", "Lambda", etc.
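
An added example, not part of the answer above: a least-privilege policy document for the role the answer refers to (assumed here to be the identity pool's authenticated role), plus a check that flags wildcard grants before the policy is attached. The table, function and topic names and the account ID are placeholders.

```javascript
// Added example: names, account ID and ARNs are placeholders, not from the page.
// ${cognito-identity.amazonaws.com:sub} is an IAM policy variable that resolves
// to the caller's Cognito identity ID when the policy is evaluated.
const SUB = '${cognito-identity.amazonaws.com:sub}';

function buildAuthRolePolicy({ region, accountId, table, fn, topicPrefix }) {
  const arn = (svc, res) => `arn:aws:${svc}:${region}:${accountId}:${res}`;
  return {
    Version: '2012-10-17',
    Statement: [
      // Each identity may only touch items whose partition key is its own ID.
      { Sid: 'OwnRowsOnly', Effect: 'Allow',
        Action: ['dynamodb:GetItem', 'dynamodb:PutItem', 'dynamodb:Query'],
        Resource: arn('dynamodb', `table/${table}`),
        Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [SUB] } } },
      // One named function, not lambda:* on every function in the account.
      { Sid: 'InvokeOneFunction', Effect: 'Allow',
        Action: 'lambda:InvokeFunction',
        Resource: arn('lambda', `function:${fn}`) },
      // Publish only under a topic subtree that carries the identity ID.
      { Sid: 'PublishOwnTopics', Effect: 'Allow',
        Action: 'iot:Publish',
        Resource: arn('iot', `topic/${topicPrefix}/` + SUB + '/*') },
    ],
  };
}

// Return the Sids of Allow statements whose Action is "*" or "service:*",
// or whose Resource is a bare "*".
function findOverbroad(policy) {
  const list = (v) => (Array.isArray(v) ? v : [v]);
  return policy.Statement
    .filter((s) => s.Effect === 'Allow')
    .filter((s) =>
      list(s.Action).some((a) => a === '*' || a.endsWith(':*')) ||
      list(s.Resource).some((r) => r === '*'))
    .map((s) => s.Sid || '(no Sid)');
}

const policy = buildAuthRolePolicy({
  region: 'us-east-1', accountId: '111122223333', // placeholder account ID
  table: 'SkillData', fn: 'skillBackend', topicPrefix: 'skill', // hypothetical names
});
console.log(JSON.stringify(policy, null, 2));
console.log('over-broad statements:', findOverbroad(policy));
```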
