How To Set OIDC Provider For AWSAssumeRoleWebIdentity

I am developing an Android app which uses Firebase Authentication for sign-in and uses AWS S3 and DynamoDB for managing data/images. I am trying to delegate access to AWS resources via AWSAssumeRoleWebIdentity. The reason I am doing this is that the AWS Sign-In UI does not allow enough customization of the UI and UI flow. I decided to use Firebase Authentication only for sign-in and sign-up.

Please find the source code and OIDC provider setting below. With them, the error log is:

No OpenIDConnect provider found in your account for[project-name] (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken; Request ID: 37607060-9e1c-11e8-8ae0-636eae27c3bf)

The Identity Provider in AWS IAM has been created with the name "[my-project-name]/", with the thumbprint that I created referring to [1], and the OAuth 2.0 client IDs obtained from Credentials in Google Cloud APIs & Services.

The source code is shown below.

import android.os.AsyncTask;
import android.support.annotation.NonNull;

import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithWebIdentityResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.google.android.gms.tasks.OnCompleteListener;
import com.google.android.gms.tasks.Task;
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseUser;
import com.google.firebase.auth.GetTokenResult;

// Firebase ID token of the signed-in user (the "global variable" referred to below)
private String mIDToken;

public void uploadImageFile() {
    CustomLog.logI("start of uploadImageFile");
    // Fetch the Firebase ID token; the role is assumed and the upload done in its callbacks
    setIDToken();
}

private void setIDToken() {
    FirebaseUser mUser = FirebaseAuth.getInstance().getCurrentUser();
    // To get ID Token of the user authenticated by google authentication
    mUser.getIdToken(true)
            .addOnCompleteListener(new OnCompleteListener<GetTokenResult>() {
                @Override
                public void onComplete(@NonNull Task<GetTokenResult> task) {
                    if (task.isSuccessful()) {
                        // Token information is set to mIDToken of the global variable
                        mIDToken = task.getResult().getToken();
                        // STS must be called off the main thread
                        AsyncTaskForAssumeRole asyncTaskForAssumeRole = new AsyncTaskForAssumeRole();
                        asyncTaskForAssumeRole.execute();
                    } else {
                        CustomLog.logD("getIdToken failed: " + task.getException());
                    }
                }
            });
}

public class AsyncTaskForAssumeRole extends AsyncTask<Void, Void, BasicSessionCredentials> {

    @Override
    protected BasicSessionCredentials doInBackground(Void... params) {
        try {
            // set credentials from AssumeRoleWithWebIdentity
            BasicSessionCredentials credentials = setAssumeRoleWithWebIdentity();
            return credentials;
        } catch (Exception e) {
            CustomLog.logD("AssumeRoleWithWebIdentity failed: " + e.getMessage());
            return null;
        }
    }

    @Override
    protected void onPostExecute(BasicSessionCredentials credentials) {
        if (credentials == null) {
            return; // STS call failed; nothing to upload with
        }
        // upload file with S3 connection
    }
}

private BasicSessionCredentials setAssumeRoleWithWebIdentity() {
    CustomLog.logD("start of setAssumeRoleWithWebIdentity");
    String ROLE_ARN = [my role arn];
    // set AssumeRoleWithWebIdentity request with created policy and token information retrieved through Google Sign in information
    AssumeRoleWithWebIdentityRequest request = new AssumeRoleWithWebIdentityRequest()
            .withRoleArn(ROLE_ARN)
            .withRoleSessionName("firebase-user")   // any session name; it appears in the assumed-role ARN and CloudTrail
            .withWebIdentityToken(mIDToken);

    // AssumeRoleWithWebIdentity is an unsigned call: no AWS keys are needed (AnonymousAWSCredentials expresses this more clearly than empty keys)
    BasicAWSCredentials basicCreds = new BasicAWSCredentials("", "");
    AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(basicCreds);
    AssumeRoleWithWebIdentityResult result = sts.assumeRoleWithWebIdentity(request);

    Credentials stsCredentials = result.getCredentials();
    String subjectFromWIF = result.getSubjectFromWebIdentityToken();
    BasicSessionCredentials credentials = new BasicSessionCredentials(stsCredentials.getAccessKeyId(),
            stsCredentials.getSecretAccessKey(), stsCredentials.getSessionToken());

    return credentials;
}

Many thanks in advance.




Consider using Amazon Cognito Federated Identities (Identity Pools) to federate (map) the user from your Identity Provider into Amazon Cognito and obtain a Cognito Identity Id, which can be used to authorize access to AWS resources. See for further details.

// key: the provider name as registered with the identity pool; value: the raw ID token from that provider
Map<String, String> logins = new HashMap<String, String>();
logins.put("", token);
credentialsProvider.setLogins(logins);

Now, you can use the credentialsProvider object with an Amazon S3 client.

AmazonS3 s3Client = new AmazonS3Client(getApplicationContext(), credentialsProvider);
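The question's AssumeRoleWithWebIdentity call and the answer's Cognito Logins map both hinge on the same string. IAM names an OIDC provider by the issuer URL with the scheme removed, STS looks the provider up by the token's iss claim, and the token's aud must be one of the audiences (client IDs) registered on that provider; the Cognito Logins map uses the same provider name as its key. The Python below is an added example, not code from the question or the answer: it decodes the claims of a web identity token without verifying it (STS and Cognito do the real verification against the issuer's published keys), derives the provider name and ARN, builds a role trust policy that pins both provider and audience, and produces the Logins map entry. The sample token is constructed and unsigned, shaped like a Firebase ID token (iss is https://securetoken.google.com/<project-id>, aud is <project-id>); the project ID and AWS account ID are placeholders.

```python
"""Inspect a web identity token and derive the AWS-side names that must
match it.  Added example (not from the question or the answer); the sample
token is constructed and unsigned.  No signature verification is done
here: STS and Cognito verify the token against the issuer's keys."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def provider_name(claims: dict) -> str:
    """IAM provider name: the iss URL minus "https://" and any trailing "/".

    STS looks the provider up by the token's iss claim, so this exact
    string must be the URL of the IAM OIDC provider; it is also the
    Logins map key for Cognito Identity Pools."""
    iss = claims["iss"]
    if not iss.startswith("https://"):
        raise ValueError("iss must be an https URL, got %r" % iss)
    return iss[len("https://"):].rstrip("/")


def provider_arn(account_id: str, claims: dict) -> str:
    return "arn:aws:iam::%s:oidc-provider/%s" % (account_id, provider_name(claims))


def audiences(claims: dict) -> list:
    """aud may be a single string or a list; normalise to a list."""
    aud = claims["aud"]
    return [aud] if isinstance(aud, str) else list(aud)


def trust_policy(account_id: str, claims: dict) -> dict:
    """Role trust policy pinned to this provider and this audience.

    Every value in audiences() must also be registered as a client ID on
    the IAM provider; without the aud condition, any token from the same
    issuer could assume the role."""
    name = provider_name(claims)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, claims)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {name + ":aud": audiences(claims)}},
        }],
    }


def cognito_logins(token: str) -> dict:
    """Logins map for an identity pool: provider name -> raw ID token."""
    return {provider_name(jwt_claims(token)): token}


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED token (alg none) for offline demonstration only."""
    return b64url_encode({"alg": "none", "typ": "JWT"}) + "." + b64url_encode(claims) + "."


# Constructed sample shaped like a Firebase ID token: iss is
# https://securetoken.google.com/<project-id> and aud is <project-id>.
SAMPLE_PROJECT = "example-project"      # placeholder Firebase project ID
SAMPLE_ACCOUNT = "123456789012"         # placeholder AWS account ID
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://securetoken.google.com/" + SAMPLE_PROJECT,
    "aud": SAMPLE_PROJECT,
    "sub": "firebase-uid-123",
    "exp": 1900000000,
})

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("IAM provider name:", provider_name(claims))
    print("Provider ARN:     ", provider_arn(SAMPLE_ACCOUNT, claims))
    print("Trust policy:", json.dumps(trust_policy(SAMPLE_ACCOUNT, claims), indent=2))
    print("Cognito Logins key:", list(cognito_logins(SAMPLE_TOKEN)))
```

To check a real setup, replace SAMPLE_TOKEN with an ID token taken from the app: if the printed provider name is not exactly the URL of the IAM OIDC provider, or the token's aud is not on that provider's client ID list, STS rejects the token with InvalidIdentityToken. The aud condition in the trust policy is what stops any other token from the same issuer from assuming the role, and the same provider name is what goes into the Cognito Logins map when the identity pool route from the answer is used instead.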