AWS Certified Developer – Associate — Question 127
A new mobile app uses Amazon Cognito web identity federation. Immediately after a user logs in, the following error occurs:
AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity
A developer determines that the Amazon Cognito configuration appears to be correct.
Which of the following could be the cause of the error?
Answer options
- A. The app’s developer incorrectly defined the authenticated principal role access policy.
- B. The app could not confirm the user in the user pool.
- C. The app could not properly authenticate the user with the identity provider.
- D. The app’s developer incorrectly defined the authenticated principal role trust policy.
Correct answer: D
Explanation
The correct answer is D. The error is raised on the sts:AssumeRoleWithWebIdentity call itself, and whether a principal is allowed to assume a role is decided by that role's trust policy, so an improperly defined trust policy on the authenticated principal role prevents the user from assuming the role and results in the access denial. Options A, B, and C are less likely because the problem specifically relates to the permission required for sts:AssumeRoleWithWebIdentity, which is directly tied to the trust policy.