Error Description: 'Missing principal parameter'

Help
, , ,
1

Hi,
We are experiencing an issue, but only in one of Auth0/AWS implementations.
We have 2 separate Auth0 accounts and 2 separate clients. (one is basically a test account that was set up for a dev environment).

Oddly, in our dev environment, our AWS delegation works perfectly and no errors are returned. However, in our main environment, it seems that the below function which calls Auth0’s getDelegationToken() method to return AWS credentials, is returning the error: ‘Missing principal parameter’

function getAWSDelegationToken() {
    var auth0 = new Auth0({
        clientID: bcc.config.auth.id,
        domain: bcc.config.auth.domain,
        callbackURL: ''
    });
    
    var options = {
        id_token: bcc.config.api.token,
        api: 'aws',
        role: bcc.config.aws.iam_role_arn,
        principal: bcc.config.aws.iam_provider_arn
    };
    
    auth0.getDelegationToken(options, function(err,delegationResult) {
        if (!err){
            // AWS credentials located in delegationResult.Credentials
            bcc.trigger(bcc.events.AWS_CREDENTIALS_READY, {delegationResult: delegationResult});
        } else {
             console.log(err);
        }
    });
}

You can see that ‘principal’ is being assigned to the ‘options’ Object (and in this case set to a global config variable) - but I have confirmed that it does point to an AWS IAM Provider ARN.

I am loading the following version of Auth0 into my JS:
https://cdn.auth0.com/w2/auth0-7.6.1.min.js

Please let me know if there’s any other information you might need and thanks for any help you are able to provide !
-Mikey

2

The delegation endpoint that Auth0.js v7 would be calling is not documented to accept the role and principal parameters you’re passing so even though you’re passing them from the client they are likely not making any difference. I confess I never used the AWS addon, but I was under the impression that the configuration of role and principal would be done through rules and in this case this could explain the difference you’re observing as one account could be performing the necessary configuration through a rule and the other was not.

3

That could make sense, the implementation that isn’t working is for a client who hasn’t given me access to their Auth0/AWS accounts. It’s been tough to figure out what exactly is not configured correctly within the client’s settings, but I have been doing my best to work with them to try and get both their Auth0 & AWS settings 1:1 with my own dev environment.

I’ll check with them and make sure they have set up the correct Rules on Auth0. Thanks for the input!

4

That could make sense, the implementation that isn’t working is for a client who hasn’t given me access to their Auth0/AWS accounts. It’s been tough to figure out what exactly is not configured correctly within the client’s settings, but I have been doing my best to work with them to try and get both their Auth0 & AWS settings 1:1 with my own dev environment.

I’ll check with them and make sure they have set up the correct Rules on Auth0. Thanks for the input!