无权与Cognito用户一起执行AssumeRoleWithWebIdentity [英] Not authorized to perform AssumeRoleWithWebIdentity with Cognito User

问题描述

使用 AWS-Cognito-Identity-Js ，我获得了会话ID经过身份验证的Cognito用户的令牌session.getIdToken().getJwtToken().

With AWS-Cognito-Identity-Js I obtain a session ID token session.getIdToken().getJwtToken() for a authenticated Cognito User.

我将此token传递给我的AWSInitialize函数并更新AWS凭证:

I pass this token to my AWSInitialize function and update the AWS Credentials:

var AWSInitialize = function(token){
  Logins = {};
  Logins['cognito-idp.' + AWSCognito.config.region + '.amazonaws.com/' + poolData.UserPoolId] = token;

  AWS.config.update({
    region: AWSCognito.config.region,
    credentials: new AWS.CognitoIdentityCredentials({
        IdentityPoolId : identityPoolId,
        region: AWSCognito.config.region,
        Logins : Logins
    })
  });
};

这是正确的，因为例如现在我可以代表经过身份验证的Cognito用户执行Lambda函数.

This works correctly because now for example I can execute a Lambda-Function on behalf of an authenticated Cognito User.

 var lambda = new AWS.Lambda({});
 lambda.invoke({FunctionName: 'createToken'}, function(err, data) ...

这是可能的，因为在Cognito_myAppAuth_Role中，我附加了一个策略，该策略允许我执行此Lambda函数:

This is possible because in the Cognito_myAppAuth_Role I attached a Policy that allows me to Execute this Lambda-Function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1471300653000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:eu-west-1:593845191076:function:createToken"
            ]
        }
    ]
}

现在我要做的是为同一用户使用STS获取令牌

为此，我在Cognito_myAppAuth_Role上附加了另一个策略.它应允许Cognito用户调用assumeRoleWithWebIdentity:

For that I attached another policy to Cognito_myAppAuth_Role. It should allow the Cognito Users to call assumeRoleWithWebIdentity:

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1472560044000",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

但是当我运行这段代码时:

var sts = new AWS.STS({});

var params = {
  RoleArn: 'arn:aws:iam::593845191076:role/Cognito_myAppAuth_Role', /* required */
  RoleSessionName: "UserName", /* required */
  WebIdentityToken: token, /* required */
};

sts.assumeRoleWithWebIdentity(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

我收到以下错误:

  AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

我不明白为什么用户无权执行sts:AssumeRoleWithWebIdentity.我向经过身份验证的角色添加了STS策略，Lambda政策也为用户服务

问题出在哪里? 我该如何解决此问题?

非常感谢！

推荐答案

我怀疑此失败的原因是您试图将Cognito您的用户池令牌直接与STS一起使用.虽然我不再直接从事Cognito的工作，但我认为这不会起作用.

I suspect the reason for this failure is that you are trying to use the Cognito Your User Pool token directly with STS. While I no longer work directly on Cognito, I do not believe this will work.

您应该尝试以下操作之一:

You should try one of the following:

1. (推荐)使用Cognito联合身份调用GetId和GetCredentialsForIdentity来获取您的临时凭据.这就是您的第一段代码在后台执行的操作.
2. 使用Cognito联合身份调用GetId和GetOpenIdToken，然后在AssumeRoleForWebIdentity调用中使用 that 令牌.

1. (recommended) Use the Cognito federated identity calls GetId and GetCredentialsForIdentity to get your temporary credentials. This is what your first block of code is doing under the hood.
2. Use the Cognito federated identity calls GetId and GetOpenIdToken, then use that token in your AssumeRoleForWebIdentity call.

希望这会有所帮助.

这篇关于无权与Cognito用户一起执行AssumeRoleWithWebIdentity的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！