How to Restrict Custom api access using AWS Cognito


Problem description

I am using Spring Boot in my application. While searching for some IAM tools, I actually liked Auth0, but I cannot afford their pricing. So, I found another one called AWS Cognito.

Below is Auth0's guide to restricting access to our custom api:

https://auth0.com/docs/api-auth/restrict-access-api

Currently, I am trying to restrict access to the API using AWS Cognito, but I cannot find correct documentation to achieve this. Can anyone please tell me whether restricting api access is possible using AWS Cognito?

Recommended answer

It depends on how much fine-grained control you want over the access to your api.

Allow or deny scenario

In some cases, you either want to block someone completely, or give them access to all of your api. In this all-or-nothing scenario, the simplest route would be to use Cognito User Pools on their own to authorize your users. Cognito User Pools is just used to authenticate the user (are they who they say they are), and to provide tools to make sign up and sign in easier.

If the user passes authentication, then you can pass one of the tokens returned by Cognito User Pools (the identity token) to API Gateway. As long as you have set up your api methods to have the Cognito User Pools authorizer in API Gateway, this is enough for them to accept the identity token as authorization to access the methods.

Fine-grained access

However, in other cases, you need more fine-grained control. You may want all authenticated users to have access to a certain subset of your api methods, but only admins to have access to more restricted methods.

In this case, you will also need to use Cognito Identity Pools to define user roles (e.g. UNAUTHENTICATED_USER, PAID_USER, ADMIN etc.) and their associated IAM roles, which will have policies that give them access, or deny them access, to various parts of your api.

You then set the authorizer for your api gateway resources to be AWS_IAM (instead of Cognito User Pools as in the all-or-nothing example above). API Gateway will then use the role credentials obtained from the Cognito Identity Pool to determine if the current user's role has the permissions to access the requested resource.

For example, perhaps your PAID_USER user role will have the following IAM role attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:*:*:fjfkdlsjflds/*"
      ]
    },
    {
      "Action": "execute-api:Invoke",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:execute-api:*:*:fjfkdlsjflds/*/admin/*"
      ]
    }
  ]
}

This gives them access to your api, apart from the api methods (resources) that you have set up under /admin/.

I highly recommend this AWS re:Invent talk on Serverless Authentication and Authorization, which goes over these options with some good examples.
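To see how API Gateway's AWS_IAM authorizer would treat the PAID_USER policy in the answer above, here is an added example (not part of the original answer) that applies IAM's evaluation rules, explicit Deny wins over Allow and everything else is implicitly denied, to the execute-api resource ARNs API Gateway builds for each request. The api id fjfkdlsjflds comes from the answer's policy; the region, account id, stage and paths are constructed sample values.

```python
import re

# The PAID_USER policy from the answer above (api id "fjfkdlsjflds" as given there).
PAID_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "execute-api:Invoke", "Effect": "Allow",
         "Resource": ["arn:aws:execute-api:*:*:fjfkdlsjflds/*"]},
        {"Action": "execute-api:Invoke", "Effect": "Deny",
         "Resource": ["arn:aws:execute-api:*:*:fjfkdlsjflds/*/admin/*"]},
    ],
}


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' spans any characters (including '/' and ':'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Return 'Allow' or 'Deny' the way IAM does for identity-based policies:
    an explicit Deny always wins, otherwise some Allow must match, otherwise implicit Deny.
    (Condition blocks are not modelled; the policy above has none.)"""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def execute_api_arn(api_id: str, stage: str, method: str, path: str,
                    region: str = "us-east-1", account: str = "123456789012") -> str:
    """Resource ARN API Gateway authorizes against (region/account are sample values):
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>"""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.strip('/')}"


if __name__ == "__main__":
    for method, path in [("GET", "/items"), ("DELETE", "/admin/users/7"), ("GET", "/items/admin/log")]:
        arn = execute_api_arn("fjfkdlsjflds", "prod", method, path)
        print(f"{method:6} {path:18} -> {evaluate(PAID_USER_POLICY, 'execute-api:Invoke', arn)}")
```

Because the `*` before `/admin/` spans the stage and HTTP method segments, the Deny also matches `/admin/` at any depth of the path (e.g. `/items/admin/log`); anchor the pattern to the stage and method if that is not what you want.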
