IAM Policy for S3 folder access based on Cognito ID

Question

I have created an IAM policy to allow Cognito users to write to my S3 bucket, but I would like to restrict them to folders based on their Cognito ID. I've followed Amazon's instructions here and created a policy that looks like this:

{
    "Effect": "Allow",
    "Action": ["s3:PutObject","s3:GetObject"],
    "Resource": [
        "arn:aws:s3:::mybucket/myappfolder/${cognito-identity.amazonaws.com:sub}*"
    ]
}

But when I try to upload using the v2 of the AWS iOS SDK I get an access denied error.

If I modify the last path component of the resource to replace ${cognito-identity.amazonaws.com:sub} with the explicit identityId value I am getting from the SDK's AWSCognitoCredentialsProvider it works.

{
    "Effect": "Allow",
    "Action": ["s3:PutObject","s3:GetObject"],
    "Resource": [
        "arn:aws:s3:::mybucket/myappfolder/us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx*"
    ]
}

My understanding was that these should equate to the same thing. Am I missing something in my policy, or should I be using a different path in my upload request?

** Update **

I originally had this problem in iOS, so tonight I tried doing the same thing in node.js and the result is identical. Here is the simple code I am using in node:

var AWS = require('aws-sdk');

// The region has to be set before the Cognito credentials provider is created.
AWS.config.region = 'us-east-1';

// AWSParams holds the Cognito settings, e.g. { IdentityPoolId: '<your identity pool id>' }.
AWS.config.credentials = new AWS.CognitoIdentityCredentials(AWSParams);

AWS.config.credentials.get(function (err) {

    if (!err) {

        console.log("Cognito Identity Id: " + AWS.config.credentials.identityId);

        // Create the S3 client only after the Cognito credentials are in
        // AWS.config, so the PutObject request is signed with them.
        var s3 = new AWS.S3();

        var bucketName = 'ch123_test_bucket';

        // Object key is the identity ID itself, e.g. "us-east-1:xxxx....txt"
        var keyName = AWS.config.credentials.identityId + '.txt';

        var params = {Bucket: bucketName, Key: keyName, Body: 'Hello World!'};

        s3.putObject(params, function (err, data) {
            if (err)
                console.log(err);
            else
                console.log("Successfully uploaded data to " + bucketName + "/" + keyName);
        });
    } else {
        console.log(err);
    }
});

And I get the same results that I get with iOS: unless I supply an explicit cognito ID in the IAM policy the API responds with 403.

I've stripped my IAM policy down to the very bare minimum. This doesn't work:

{
  "Statement": [
   {
     "Effect": "Allow",
     "Action": ["s3:PutObject","s3:GetObject"],
     "Resource": [
         "arn:aws:s3:::ch123_test_bucket/${cognito-identity.amazonaws.com:sub}*"
      ]
  }
 ]
}

This does:

{
  "Statement": [
   {
     "Effect": "Allow",
     "Action": ["s3:PutObject","s3:GetObject"],
     "Resource": [
         "arn:aws:s3:::ch123_test_bucket/us-east-1:68a5dc49-6cc7-4289-8257-d3d5636f7034*"
      ]
   }
  ]
}

I don't see what I'm missing here...the only documentation I've been able to find always shows the same example Resource value that I've been using.

Recommended answer

Unfortunately there is currently an issue with the roles generated via the Cognito console in combination with policy variables. Please update your roles' access policy to include the following to ensure policy variables are evaluated correctly:

"Version": "2012-10-17"

2014-09-16 Update: We have updated the Amazon Cognito console to correct this issue for new roles created via the Identity Pool creation wizard. Existing roles will still need to make the modification noted above.
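Added example, not part of the question or the answer above: the asker's policy rewritten with the "Version" element the answer calls for, next to the broken version, plus two small helper functions written for this page (they are not an AWS API) that model why the missing element matters. IAM only interpolates `${...}` policy variables when "Version" is "2012-10-17"; in a policy with no Version (or with "2008-10-17") the `${...}` text is matched literally, so the Resource never equals the caller's real object key and S3 answers 403. The bucket name and identity ID are the ones from the question; the `/` after the variable and the `s3:ListBucket` statement with an `s3:prefix` condition are additions that go beyond the original post (a per-identity prefix instead of a bare prefix match, and listing limited to the caller's own folder).

```javascript
// Added example (not from the original post). Models how IAM treats policy
// variables: substitution happens only under Version "2012-10-17".

const POLICY_VERSION_WITH_VARIABLES = '2012-10-17';
const VARIABLE_PATTERN = /\$\{([^}]+)\}/g;

// As posted in the question: no "Version", so the variable is literal text.
const brokenPolicy = {
  Statement: [{
    Effect: 'Allow',
    Action: ['s3:PutObject', 's3:GetObject'],
    Resource: ['arn:aws:s3:::ch123_test_bucket/${cognito-identity.amazonaws.com:sub}*'],
  }],
};

// Corrected policy. The "/" separator and the ListBucket statement restricted
// by s3:prefix are additions (assumed good practice, not in the question).
const fixedPolicy = {
  Version: POLICY_VERSION_WITH_VARIABLES,
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'],
      Resource: ['arn:aws:s3:::ch123_test_bucket/${cognito-identity.amazonaws.com:sub}/*'],
    },
    {
      Effect: 'Allow',
      Action: ['s3:ListBucket'],
      Resource: ['arn:aws:s3:::ch123_test_bucket'],
      Condition: { StringLike: { 's3:prefix': ['${cognito-identity.amazonaws.com:sub}/*'] } },
    },
  ],
};

// Lint (hypothetical helper): a policy that mentions ${...} must declare
// Version 2012-10-17. Returns an array of findings; empty means nothing to flag.
function lintPolicyVariables(policy) {
  const findings = [];
  const names = [...JSON.stringify(policy).matchAll(VARIABLE_PATTERN)].map((m) => m[1]);
  if (names.length > 0 && policy.Version !== POLICY_VERSION_WITH_VARIABLES) {
    findings.push(
      'uses policy variable(s) ' + [...new Set(names)].join(', ') +
      ' but Version is ' + JSON.stringify(policy.Version) +
      '; they will be matched as literal text',
    );
  }
  return findings;
}

// Model of IAM's substitution (hypothetical helper): expand the Resource
// strings of every statement for a request context such as
// { 'cognito-identity.amazonaws.com:sub': '<identityId>' }. Without the
// 2012-10-17 Version the strings come back unchanged, which is why the
// asker's upload of "<identityId>.txt" was denied. Variables missing from
// the context are left as-is here; real IAM treats such a statement as
// not matching.
function effectiveResources(policy, requestContext) {
  const substitute = policy.Version === POLICY_VERSION_WITH_VARIABLES;
  return policy.Statement.flatMap((stmt) =>
    stmt.Resource.map((arn) =>
      substitute
        ? arn.replace(VARIABLE_PATTERN, (whole, name) =>
            Object.prototype.hasOwnProperty.call(requestContext, name) ? requestContext[name] : whole)
        : arn,
    ),
  );
}

// Identity ID taken from the question's working policy.
const identityId = 'us-east-1:68a5dc49-6cc7-4289-8257-d3d5636f7034';
const requestContext = { 'cognito-identity.amazonaws.com:sub': identityId };

console.log(lintPolicyVariables(brokenPolicy));                 // one finding
console.log(effectiveResources(brokenPolicy, requestContext));  // literal ${...} survives
console.log(effectiveResources(fixedPolicy, requestContext));   // identity-specific ARNs
```

Running the lint against any role policy generated before the console fix mentioned above is a quick way to find roles that still need the "Version" line added.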
