How to Assume a Cross-Account Role for Cognito?

  • I have a Cognito userpool on AWS account acc-1, and a Java code running on acc-2, which authenticates using "adminInitiateAuth", and for some reasons, I cannot use clientInitiateAuth.
  • I have created a cross-account role on acc-1, to be assumed by my Java code on acc-2

Question: How can I assume the role when I am sending an authentication request to Cognito? Is it possible to use withRoleArn() ?

I came across this page, which explains how to "Configure cross-account Amazon Cognito authorizer for a REST API using the API Gateway console". But it is not what I am trying to do.

My Code:

    protected AdminInitiateAuthRequest createInitialRequest(String username, String password) {
        Map<String, String> authParams = new HashMap<>();
        authParams.put("USERNAME", username);
        authParams.put("PASSWORD", password);

        return new AdminInitiateAuthRequest()
                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .withAuthParameters(authParams)
                .withClientId(whoAmIService.getCognitoClientId())
                .withUserPoolId(whoAmIService.getCognitoPoolId());
    }

    protected boolean isAuthenticatedByCognito(String username, String password) {
        AWSCognitoIdentityProvider awsCognitoIDPClient = createCognitoIDPClient();
        AdminInitiateAuthRequest authRequest = createInitialRequest(username, password);

        try {
            AdminInitiateAuthResult authResponse = awsCognitoIDPClient.adminInitiateAuth(authRequest);
            AuthenticationResultType authenticationResultType = authResponse.getAuthenticationResult();
            // Cognito returns no tokens (a null result) when it answers with a challenge
            // such as NEW_PASSWORD_REQUIRED or an MFA step; treat that as not authenticated
            // instead of dereferencing null.
            if (authenticationResultType == null) {
                logger.warn("Cognito returned challenge {} for {}", authResponse.getChallengeName(), username);
                return false;
            }
            String cognitoAccessToken = authenticationResultType.getAccessToken();
            whoAmIService.setCognitoAccessToken(cognitoAccessToken);

            Map<String, String> challengeParams = authResponse.getChallengeParameters();
            String cognitoUserIdForSrp = challengeParams.get("USER_ID_FOR_SRP");
            String cognitoUserAttributes = challengeParams.get("userAttributes");
            logger.debug("Cognito authenticated user ID: {} with user attributes: {}",
                    cognitoUserIdForSrp, cognitoUserAttributes);
            return true;
        } catch (NotAuthorizedException nae) {
            logger.error("Invalid Cognito username/password provided for {}", username);
            return false;
        } catch (AWSCognitoIdentityProviderException acipe) {
            logger.error("Base exception for all service exceptions thrown by Amazon Cognito Identity Provider", acipe);
            return false;
        }
    }

I found how to do it using STS. Change this line:

    AWSCognitoIdentityProvider awsCognitoIDPClient = createCognitoIDPClient();

to:

    // Assume the cross-account role in acc-1 through STS, then build the Cognito
    // client from the temporary credentials it returns. Uses the AWS SDK for Java v1
    // classes from com.amazonaws.auth, com.amazonaws.services.securitytoken and
    // com.amazonaws.services.cognitoidp.
    String roleARN = "YOUR_CROSS_ACCOUNT_ROLE_ARN";
    String roleSessionName = "GIVE_A_SESSION_NAME";
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder
            .standard()
            .withCredentials(new ProfileCredentialsProvider()) // acc-2's own credentials
            .build();
    AssumeRoleRequest roleRequest = new AssumeRoleRequest()
            .withRoleArn(roleARN)
            .withRoleSessionName(roleSessionName);
    AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
    Credentials sessionCredentials = roleResponse.getCredentials();
    BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
            sessionCredentials.getAccessKeyId(),
            sessionCredentials.getSecretAccessKey(),
            sessionCredentials.getSessionToken());
    // Keep the variable name the rest of the method already uses.
    AWSCognitoIdentityProvider awsCognitoIDPClient = AWSCognitoIdentityProviderClientBuilder
            .standard()
            .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
            .build();
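The snippet above works, but the credentials that AssumeRole hands back are temporary (one hour by default), so a Cognito client built on a fixed BasicSessionCredentials stops working once they expire. The following is an added example, not code from the question or the answer, showing the same cross-account flow with the SDK's STSAssumeRoleSessionCredentialsProvider, which re-assumes the role before expiry, plus a small adminInitiateAuth wrapper that handles the challenge case. The role ARN, region, session name, external ID, class name and the pool/client ID parameters are placeholders and assumptions. For this to succeed, the role in acc-1 needs a trust policy that allows the acc-2 principal to call sts:AssumeRole and a permission policy granting cognito-idp:AdminInitiateAuth on the user pool's ARN; the Cognito client must be built in the region of acc-1's pool.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;
import com.amazonaws.services.cognitoidp.model.AuthenticationResultType;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

import java.util.HashMap;
import java.util.Map;

/**
 * Builds a Cognito IdP client in acc-2 that talks to acc-1's user pool through a
 * cross-account role. Hypothetical helper class; all constants are placeholders.
 */
public class CrossAccountCognitoClientFactory {

    // Placeholder values: replace with the real role ARN in acc-1 and the region
    // in which acc-1's user pool lives.
    private static final String CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::ACC1_ACCOUNT_ID:role/ROLE_NAME";
    private static final String USER_POOL_REGION = "us-east-1";
    // Optional external ID matching the role's trust policy; null if the policy has none.
    private static final String EXTERNAL_ID = null;

    public static AWSCognitoIdentityProvider build() {
        // acc-2's own credentials: instance/task role, environment, or a profile.
        AWSCredentialsProvider acc2Credentials = new DefaultAWSCredentialsProviderChain();

        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(acc2Credentials)
                .withRegion(USER_POOL_REGION)
                .build();

        // This provider calls AssumeRole itself and refreshes the temporary
        // credentials shortly before they expire, so the client stays usable.
        STSAssumeRoleSessionCredentialsProvider.Builder builder =
                new STSAssumeRoleSessionCredentialsProvider.Builder(CROSS_ACCOUNT_ROLE_ARN, "cognito-admin-auth")
                        .withStsClient(sts)
                        .withRoleSessionDurationSeconds(3600);
        if (EXTERNAL_ID != null) {
            builder = builder.withExternalId(EXTERNAL_ID);
        }
        AWSCredentialsProvider assumedRoleCredentials = builder.build();

        return AWSCognitoIdentityProviderClientBuilder.standard()
                .withCredentials(assumedRoleCredentials)
                .withRegion(USER_POOL_REGION)
                .build();
    }

    /**
     * Runs ADMIN_NO_SRP_AUTH against the pool in acc-1 and returns the access token,
     * or null when the credentials are wrong or Cognito answered with a challenge
     * (NEW_PASSWORD_REQUIRED, MFA, ...) that this flow does not complete.
     */
    public static String adminAuth(AWSCognitoIdentityProvider client, String userPoolId,
                                   String clientId, String username, String password) {
        Map<String, String> authParams = new HashMap<>();
        authParams.put("USERNAME", username);
        authParams.put("PASSWORD", password);

        AdminInitiateAuthRequest request = new AdminInitiateAuthRequest()
                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .withAuthParameters(authParams)
                .withClientId(clientId)
                .withUserPoolId(userPoolId);
        try {
            AdminInitiateAuthResult result = client.adminInitiateAuth(request);
            AuthenticationResultType tokens = result.getAuthenticationResult();
            if (tokens == null) {
                // A challenge was returned instead of tokens; the caller decides what to do.
                System.err.println("Cognito challenge for " + username + ": " + result.getChallengeName());
                return null;
            }
            return tokens.getAccessToken();
        } catch (NotAuthorizedException e) {
            // Wrong username/password, or the assumed role lacks cognito-idp:AdminInitiateAuth.
            return null;
        }
    }

    public static void main(String[] args) {
        AWSCognitoIdentityProvider client = build();
        String token = adminAuth(client, "USER_POOL_ID", "APP_CLIENT_ID", args[0], args[1]);
        System.out.println(token == null ? "not authenticated" : "authenticated");
    }
}
```

Build the client once and reuse it; the credentials provider it holds keeps re-assuming the role for as long as the application runs, so the asker's createCognitoIDPClient() can simply return CrossAccountCognitoClientFactory.build(). A NotAuthorizedException from adminInitiateAuth also covers the case where the assumed role's policy in acc-1 does not allow AdminInitiateAuth on that pool, so check CloudTrail in acc-1 for the denied call when a valid password is rejected.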
