Jaidyn Belbin - 1 year ago 73
Android Question

Issue signing into Amazon S3 with Google Sign-in on Android

I'm building an Android app that connects to an Amazon S3 bucket and retrieves mp3 files stored within. This is my first time using Google Sign-in, and it's for a (hopefully) production app, and I want to do it properly.

I've followed all the directions here and have successfully received an ID Token by calling


I have then used Amazon's directions for OpenID Connect providers here and used this code:

// Initializing the Amazon Cognito credentials provider
CognitoCachingCredentialsProvider credentialsProvider = new CognitoCachingCredentialsProvider(
        getApplicationContext(),
        "us-east-1:220fe85c-fcc9-4ecc-b923-1357e1380fde", // Example Identity Pool ID
        Regions.US_EAST_1 // Example Region
);

// Key the Google ID token by the provider name Cognito expects
Map<String, String> logins = new HashMap<String, String>();
logins.put("accounts.google.com", idToken);
credentialsProvider.setLogins(logins);

to log in. However, nothing is showing up in my Identity Pool. I'm wondering whether it's some confusion on my part in regards to which Client ID I am using. When I created the project on the Google Developer console, I received two IDs: one for a Web Application, and one for Android.

As per Google's instructions here, I passed the Web client ID to the method when I created the object, and the Android ID to the Identity Pool, like this:


I removed all the other numbers after the hyphen, as the example calls for a smaller ID, but for the record, neither version works. The original was like:


Except when I test my app, it seems to be successful, no errors are thrown, but no new identities are logged in my identity pool.

What am I missing? I would really appreciate a nudge in the right direction.

Answer Source

Okay, I solved it finally; there were a few things I missed.

Firstly, as Jeff Bailey mentioned, I wasn't calling credentialsProvider.refresh() after I had set the login token, like this:

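private void setCredentials(String token) {

        Map<String, String> logins = new HashMap<>();
        logins.put("accounts.google.com", token);
        credentialsProvider.setLogins(logins);

        // Exchanges the token with Cognito; makes a network request
        credentialsProvider.refresh();
}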

However, that method requires a network request, so that had to be called from an Async task.

Secondly, I used different code to get an ID token from Google, instead of GoogleSignInAccount.getIdToken. See below:

private class GetAndSetGoogleToken extends AsyncTask<Void, Void, String> {

        @Override
        protected String doInBackground(Void... params) {

            String token = null;

            try {
                AccountManager am = AccountManager.get(getApplicationContext());
                Account[] accounts = am.getAccountsByType(GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE);

                // No Google account on the device: nothing to request a token for
                if (accounts.length == 0) {
                    return null;
                }

                // The "audience:server:client_id:" scope asks for an ID token issued for serverClientId
                token = GoogleAuthUtil.getToken(getApplicationContext(), accounts[0].name,
                        "audience:server:client_id:" + serverClientId);

            } catch (GoogleAuthException ex) {
                Log.d(TAG, "GoogleAuthException has been thrown by GetAndSetGoogleToken!");

            } catch (IOException ex2) {
                Log.d(TAG, "IOException has been thrown by GetAndSetGoogleToken!");
            }

            return token;
        }

        @Override
        protected void onPostExecute(String token) {

            // Passing the ID Token as an Extra to the Intent and starting a new Activity.
        }
}


Finally, I hadn't modified my IAM Trust Policies to recognise accounts.google.com as a trusted entity. Once doing so, they looked like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "accounts.google.com" // I needed to add this
        ]
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx2e4a-4cf6-4121-aa16-xxxx53374a49"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

Having done all that, it worked fine.

Hope this helps someone; it doesn't seem to be a well documented use-case unfortunately.
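
A quick way to see which client ID a Google ID token was actually issued for before handing it to Cognito, as an added example that is not part of the original question or answer. It decodes the payload without verifying the signature (diagnostic use only); the helper names and client IDs are hypothetical, the sample token is constructed, and it assumes the identity pool compares the token's `aud` claim with the client ID configured for it.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(id_token):
    """Return the JWT payload. The signature is NOT verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_for_pool(id_token, pool_client_id, now=None):
    """List reasons the token would not match the client ID set on the pool."""
    claims = read_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss is %r, not Google" % claims.get("iss"))
    if claims.get("aud") != pool_client_id:
        hint = " (it matches azp instead)" if claims.get("azp") == pool_client_id else ""
        problems.append("aud %r != pool client ID%s" % (claims.get("aud"), hint))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def _make_token(claims):
    # Builds an unsigned, constructed sample token for the demo below.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


# Placeholder client IDs; the sample mirrors a token requested for the web
# client ID from the Android app (aud = web ID, azp = Android ID).
WEB_ID = "111-web.apps.googleusercontent.com"
ANDROID_ID = "111-android.apps.googleusercontent.com"
SAMPLE = _make_token({"iss": "accounts.google.com", "aud": WEB_ID,
                      "azp": ANDROID_ID, "exp": 2000000000})

if __name__ == "__main__":
    for label, cid in (("web", WEB_ID), ("android", ANDROID_ID)):
        print(label, check_for_pool(SAMPLE, cid, now=1500000000) or "ok")
```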