How to make unauthenticated access working with Amazon Cognito?


Problem description

  1. I created a Federated Identity
  2. Enabled Unauthenticated Access to it with the checkbox
  3. Created a role associated with this identity and gave it Administrator Access, so it should have all permissions
  4. Then I added this code to upload files to AWS S3; it works with Access / Secret keys, which I wouldn't like to expose in the UI, but it doesn't work with Cognito


To be clear, everything is client-side JavaScript and I want everything serverless, so I don't have my own API and am not going to implement a custom access provider on my end. I only want to avoid exposing my access and secret key in the UI.

  /**
   * Handle file upload with Amazon S3 bucket
   * @param id - record ID in local DB
   * @param doc - file to be uploaded, taken from event.target.files
   * @param done - callback to call after upload
   */
  public sendFileToAws(id: number, doc: File, done: Function) {

    // @Todo : Move to config

    let pointer = this;

    aws.config.region = pointer.awsRegion;
    aws.config.credentials = new aws.CognitoIdentityCredentials({
      IdentityPoolId: 'us-east-1:e48af67b-c315-47ca-b816-000000000000',
      RoleArn: 'arn:aws:iam::000000000000:role/GognitoSuperUserRole',
      AccountId: '000000000000'
    });

    //aws.config.update({
    //  region: pointer.awsRegion,
    //  accessKeyId: pointer.awsAccessKey,
    //  secretAccessKey: pointer.awsSecretKey
    //});

    let server = new aws.S3({ params: { Bucket: pointer.awsStorageName } });
    let directory = pointer.getDocumentDirectory() + '/' + id + '-' + doc.name;

    let params = {
      Key: directory,
      ContentType: doc.type,
      Body: doc,
      Bucket: pointer.awsStorageName,
      ACL: pointer.awsPermission
    };

    server.upload(params, (e, data) => {
      done(e, data);
    });
  }

It returns the following error:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>AccessDenied</Code>
    <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>
  </Error>
  <RequestId>28b768a5-8f30-11e7-a7bf-4b5038235cb8</RequestId>
</ErrorResponse>

Recommended answer


I'm also working on a front-end TypeScript application that uses both Authenticated and Unauthenticated identities from Cognito.


For unauthenticated identities, my flow looks like this:

  • Create a new identity in the identity pool using CognitoIdentity.getId().
  • Create a credentials object using the identity pool id and new identity id only.

The code looks like this:

import * as AWS from 'aws-sdk';

// The pool id prefix says which region the pool lives in; the client needs it.
AWS.config.region = 'us-east-1';

var cognitoidentity = new AWS.CognitoIdentity();
var params = {
    IdentityPoolId: 'us-east-1:bxxxxxx-cxxx-4xxx-8xxx-9xxxxxxxxxxx'
};

// tslint:disable-next-line:no-any
cognitoidentity.getId(params, function(err: any, data: any) {
    if (err) {
        console.log(err, err.stack); // an error occurred
    } else {

        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'us-east-1:bxxxxxxx-cxxx-4xxx-8xxx-9xxxxxxxxxxx',
            IdentityId: data.IdentityId
        });

        // access AWS resources
    }
});


This will result in your app getting temporary IAM credentials (access key, secret key, session token) that are used to access back end resources.


The role assumed when you use these keys will be the role you configured in your Identity Pool settings:


This way you don't have to expose the IAM role name to the browser, either. AWS will simply assume the correct role based on the IAM keys.

Happy hacking!
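The two-step flow the answer describes (GetId, then an exchange of the identity id for temporary keys with no RoleArn in the request), as an added example that is not code from the question or the answer. The real service is replaced by a constructed stand-in so the exchange runs offline; `getUnauthenticatedCredentials` only assumes a client whose `getId` and `getCredentialsForIdentity` return promises (with AWS SDK v2 that is `client.getId(params).promise()`). The pool id, role ARN and bucket are placeholders. The trust policy mirrors the one the identity pool console generates for an unauthenticated role; the scoped permissions policy is an assumed alternative to the Administrator Access the question grants.

```javascript
// Enhanced (simplified) Cognito identity flow for an unauthenticated identity.
// `cognito` is any object whose getId(params) and getCredentialsForIdentity(params)
// return promises (with AWS SDK v2: client.getId(params).promise()).
async function getUnauthenticatedCredentials(cognito, identityPoolId) {
  // Step 1: GetId mints an identity id inside the pool (no Logins map = unauthenticated).
  const { IdentityId } = await cognito.getId({ IdentityPoolId: identityPoolId });
  // Step 2: exchange the identity id for short-lived keys. No RoleArn is sent;
  // the service resolves the pool's configured unauthenticated role itself.
  const { Credentials } = await cognito.getCredentialsForIdentity({ IdentityId });
  return {
    identityId: IdentityId,
    accessKeyId: Credentials.AccessKeyId,
    secretAccessKey: Credentials.SecretKey,
    sessionToken: Credentials.SessionToken,
    expiration: Credentials.Expiration,
  };
}

// Constructed stand-in for the Cognito Identity service (not the AWS SDK). It models
// the two pool settings that matter here: whether unauthenticated identities are
// allowed at all, and which role the pool hands out for them.
function makeFakeCognitoIdentity(pool) {
  let counter = 0;
  const identities = new Map(); // IdentityId -> role ARN the pool resolves for it
  return {
    async getId(params) {
      if (params.IdentityPoolId !== pool.identityPoolId) {
        throw new Error('ResourceNotFoundException: IdentityPool not found');
      }
      if (!params.Logins && !pool.allowUnauthenticatedIdentities) {
        throw new Error('NotAuthorizedException: Unauthenticated access is not supported for this identity pool.');
      }
      counter += 1;
      const identityId = `${pool.region}:00000000-0000-4000-8000-${String(counter).padStart(12, '0')}`;
      identities.set(identityId, pool.unauthenticatedRoleArn);
      return { IdentityId: identityId };
    },
    async getCredentialsForIdentity(params) {
      const roleArn = identities.get(params.IdentityId);
      if (!roleArn) {
        throw new Error('ResourceNotFoundException: Identity not found');
      }
      // The role is chosen here, server-side, from pool configuration; the token
      // string embeds it only so the demo can show which role was resolved.
      return {
        IdentityId: params.IdentityId,
        Credentials: {
          AccessKeyId: `ASIAEXAMPLE${counter}`,
          SecretKey: `constructed-secret-${counter}`,
          SessionToken: `constructed-session-token-for-${roleArn}`,
          Expiration: new Date(Date.now() + 60 * 60 * 1000), // constructed 1h lifetime
        },
      };
    },
  };
}

// Policies for the unauthenticated role, as an alternative to AdministratorAccess.
// Trust policy: only this pool's unauthenticated identities may assume the role.
// Permissions policy: an identity may only write under its own prefix in one bucket.
function unauthenticatedRolePolicies(identityPoolId, bucket, prefix) {
  const trustPolicy = {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': identityPoolId },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' },
      },
    }],
  };
  const permissionsPolicy = {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: ['s3:PutObject'],
      // ${cognito-identity.amazonaws.com:sub} is an IAM policy variable that expands to
      // the caller's identity id, so each identity is confined to its own key prefix.
      Resource: [`arn:aws:s3:::${bucket}/${prefix}/\${cognito-identity.amazonaws.com:sub}/*`],
    }],
  };
  return { trustPolicy, permissionsPolicy };
}

// Stand-alone demo against the constructed service; in a real app pass an SDK client.
const examplePool = {
  region: 'us-east-1',
  identityPoolId: 'us-east-1:00000000-0000-4000-8000-000000000000', // placeholder
  allowUnauthenticatedIdentities: true,
  unauthenticatedRoleArn: 'arn:aws:iam::000000000000:role/ExampleUnauthRole', // placeholder
};
getUnauthenticatedCredentials(makeFakeCognitoIdentity(examplePool), examplePool.identityPoolId)
  .then((c) => console.log('temporary credentials', c.accessKeyId, 'expire at', c.expiration.toISOString()));
```

With the real SDK, `AWS.CognitoIdentityCredentials` constructed without a `RoleArn`, as in the answer, performs step 2 for you on first use. When a `RoleArn` is supplied, as in the question's code, the SDK switches to the basic (classic) flow and calls STS `AssumeRoleWithWebIdentity` directly, which is the operation named in the error; leaving the role out of the browser code both avoids that path and keeps the role name out of the client. The credentials carry an `Expiration`, so a client should refresh rather than cache them indefinitely.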
