AWS CLI - how to generate security tokens for a cognito user
Question
Ultimately, I need to generate an AccessKeyId, SecurityKey and SessionToken for a user in a Cognito User Pool so I can test a lambda function as a cognito user using Postman. So far, I've spent 2 days trying to figure this out. It seems that this would work:
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/rolename --role-session-name "RoleSession1" --web-identity-token ??? --provider-id provideridvalue
I was able to get the provider-id value but I'm having trouble getting a valid value for the web-identity-token.
If I understand correctly, this should get me the web-identity-token:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id clientidvalue --auth-parameters USERNAME=usernamevalue,PASSWORD=passwordvalue
I obtained the clientidvalue from the Federated Identities pool.
The problem I have been unable to resolve is that the above command gives me this error:
Unknown options: PASSWORD=<password>
I've tried many different variations including json format but nothing works. What am I doing wrong?
Recommended answer
It works for me. I can't see any difference with yours.
Are you using the app client id that you created in the User Pool 'App clients' section (not in the federated identity section)? If so, is this option checked?
Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)
I am using the token starting after 3600 till the next whitespace. Put it on the Postman header and call the lambda behind the Cognito Authorizer.
If anyone is interested in a single command shell script version of this -> Bash Script
I use it a lot.
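An added example (not from the original question or answer): a Bash wrapper around the `initiate-auth` call from the question that uses the AWS CLI's `--query` and `--output text` options to print only the ID token, then checks the token's `token_use` and `exp` claims before building the header for Postman. The function names and the `Authorization` header name are assumptions; the JWT payload is decoded for inspection only, with no signature verification.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Client id, username and password
# are supplied by the caller; nothing here is specific to the asker's pool.

# Print only the ID token from initiate-auth instead of cutting it out of text.
cognito_id_token() {  # args: app_client_id username password
  # One quoted argument, so the shell cannot split USERNAME=... from PASSWORD=...
  aws cognito-idp initiate-auth \
    --auth-flow USER_PASSWORD_AUTH \
    --client-id "$1" \
    --auth-parameters "USERNAME=$2,PASSWORD=$3" \
    --query 'AuthenticationResult.IdToken' --output text
}

# Decode the JWT payload (second dot-separated segment, base64url encoded).
# Inspection only: this does not verify the signature.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # restore padding
  printf '%s' "$seg" | base64 -d
}

# Succeeds only for an unexpired token whose token_use claim is "id".
# Assumes a compact JSON payload (no spaces after ':').
is_usable_id_token() {
  local payload use exp
  payload=$(jwt_payload "$1") || return 1
  use=$(printf '%s' "$payload" | sed -n 's/.*"token_use":"\([^"]*\)".*/\1/p')
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
  [ "$use" = "id" ] && [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# Header line to paste into Postman. Assumes the authorizer reads "Authorization".
postman_header() {  # args: app_client_id username password
  local tok
  tok=$(cognito_id_token "$@") || return 1
  is_usable_id_token "$tok" || { echo "not a usable ID token" >&2; return 1; }
  printf 'Authorization: %s\n' "$tok"
}
```

Source the file and run `postman_header <app-client-id> <username> <password>`; the ID token is a bearer credential, so keep it out of shared terminals and logs.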