在AWS中控制角色权限 [英] Control role permission in AWS
问题描述
我是AWS的新手.我正在使用Spring Boot开发应用程序.我使用 AWS cognito 进行登录和注册.我在 cognito 中创建了一个名为 ROLE_ADMIN 的组,并与 IAM角色建立联系,该角色也由我创建为 ROLE_ADMIN_IAM .
I'm new to AWS. I'm developing an application using Spring boot. I use AWS cognito for the sign in and sign up. I created a group called ROLE_ADMIN in cognito and connect with IAM role which was also created by me as ROLE_ADMIN_IAM.
我正在使用 AWS Api网关(HTTP Apis,但类似的是REST Apis)与Apis通信.然后将Cognito jwt授权器集成到Api网关中.
I'm using AWS Api gateway (HTTP Apis, but similarly REST Apis) to communicate with Apis. Then integrated the Cognito jwt authorizer in Api gateway.
一切正常.我现在面临的问题是,当用户登录时,我需要根据其在认知组中的角色来防止Apis的出现.因此,我尝试将策略附加到IAM角色(已创建 ROLE_ADMIN_IAM ),但是它不起作用.这就是我附加到 ROLE_ADMIN_IAM
Everything working perfectly. The problem I'm facing now is, when a user sign in, I need to prevent few Apis based on his role which is in cognito groups. So I tried to attach policies to IAM role (ROLE_ADMIN_IAM already created), but it doesn't work.
This is what I attached to ROLE_ADMIN_IAM
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"apigateway:GET"
],
"Resource": [
"arn:aws:apigateway:ap-south-1::/apis/09bccr0"
]
}
]
}
我也尝试限制所有资源.但不起作用
I tried restrict every resources also. But doesn't work
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}
]
}
恐怕我尝试的方法是对还是错?我已经工作好几天了.但是找不到任何解决方案.请任何人给我一个解决方案.预先感谢.
I'm afraid whether the way I tried is wrong or correct? I've been working for days. But couldn't find any solution. Please anyone give me a solution. Thanks in advance.
更新1.
由于这行不通,因此我创建了一个身份池并为其附加了用户池ID和客户端ID.它会自动为身份验证用户和取消身份验证用户创建两个角色.然后我去了Api网关,将授权者更改为 IAM .该文档本身说,当我们使用 IAM 作为授权者时,我们需要使用Signature 4版本.(我改用 cognito jwt 的 IAM ,因为我找不到任何文档或文章说我在使用时可以使用 cognito jwt 用于定义角色的身份池.
Since this doesn't work, I created a Identity pool and attached user pool Id and client id with it. It automatically creates two Roles for authentication user and unauthentication user. Then I went to Api gateway and changed the authorizer to IAM. The documentation itself says when we use IAM as an authorizer we need to use Signature 4 version. (I switched to IAM form cognito jwt, because I don't find any documentation or article say I can go with cognito jwt when we use Identity pool to define roles).
在react应用程序中,我使用amplify.当我配置身份池时,成功登录后它将提供临时Accesskey和SecretKey.我试图与邮递员一起使用它->授权->AWS Signature,它始终会提供 {"message":"Forbidden"}
In the react application, I use amplify. When I configure Identity pool, it provides temporary Accesskey and SecretKey after a successful login. I tried to use it with postman -> Authorization -> AWS Signature, it always gives {"message":"Forbidden"}
推荐答案
在Cognito用户池中创建组时,需要将适当的IAM角色附加到该组.允许实际API调用的IAM策略应如下所示:
When you create a group in a Cognito user pool you need to attach proper IAM role to that group. IAM policy that allows actual API calls should look like that:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
"arn:aws:execute-api:us-east-1:*:a123456789/test/POST/mydemoresource/*"
]
}
]
}
您只需要用API网关ARN,方法和端点替换演示字符串.注意"execute-api:Invoke".行动.
You just need to replace demo string with your API Gateway ARN, method and endpoint. Pay attention to the "execute-api:Invoke" action.
权限"apigateway:获取";不允许您调用API而是获取有关API的服务信息."apigateway:*"权限允许您使管理AWS API调用不是实际的API调用.
Permission "apigateway:GET" does not allow you to call an API but to get service information about API. "apigateway:*" permissions allow you to make management AWS API call not actual API call.
有关更多信息,请查看以下文章:
For more information please check these articles:
这篇关于在AWS中控制角色权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
