无权与Cognito用户一起执行AssumeRoleWithWebIdentity [英] Not authorized to perform AssumeRoleWithWebIdentity with Cognito User
问题描述
使用 AWS-Cognito-Identity-Js ,我获得了会话ID经过身份验证的Cognito用户的令牌session.getIdToken().getJwtToken()
.
With AWS-Cognito-Identity-Js I obtain a session ID token session.getIdToken().getJwtToken()
for a authenticated Cognito User.
我将此token
传递给我的AWSInitialize
函数并更新AWS凭证:
I pass this token
to my AWSInitialize
function and update the AWS Credentials:
var AWSInitialize = function(token){
Logins = {};
Logins['cognito-idp.' + AWSCognito.config.region + '.amazonaws.com/' + poolData.UserPoolId] = token;
AWS.config.update({
region: AWSCognito.config.region,
credentials: new AWS.CognitoIdentityCredentials({
IdentityPoolId : identityPoolId,
region: AWSCognito.config.region,
Logins : Logins
})
});
};
这是正确的,因为例如现在我可以代表经过身份验证的Cognito用户执行Lambda函数.
This works correctly because now for example I can execute a Lambda-Function on behalf of an authenticated Cognito User.
var lambda = new AWS.Lambda({});
lambda.invoke({FunctionName: 'createToken'}, function(err, data) ...
这是可能的,因为在Cognito_myAppAuth_Role
中,我附加了一个策略,该策略允许我执行此Lambda函数:
This is possible because in the Cognito_myAppAuth_Role
I attached a Policy that allows me to Execute this Lambda-Function:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1471300653000",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:eu-west-1:593845191076:function:createToken"
]
}
]
}
现在我要做的是为同一用户使用STS获取令牌
为此,我在Cognito_myAppAuth_Role
上附加了另一个策略.它应允许Cognito用户调用assumeRoleWithWebIdentity
:
For that I attached another policy to Cognito_myAppAuth_Role
. It should allow the Cognito Users to call assumeRoleWithWebIdentity
:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1472560044000",
"Effect": "Allow",
"Action": [
"sts:*"
],
"Resource": [
"*"
]
}
]
}
但是当我运行这段代码时:
var sts = new AWS.STS({});
var params = {
RoleArn: 'arn:aws:iam::593845191076:role/Cognito_myAppAuth_Role', /* required */
RoleSessionName: "UserName", /* required */
WebIdentityToken: token, /* required */
};
sts.assumeRoleWithWebIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
我收到以下错误:
AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
我不明白为什么用户无权执行sts:AssumeRoleWithWebIdentity.我向经过身份验证的角色添加了STS策略,Lambda政策也为用户服务
问题出在哪里? 我该如何解决此问题?
非常感谢!
推荐答案
我怀疑此失败的原因是您试图将Cognito您的用户池令牌直接与STS一起使用.虽然我不再直接从事Cognito的工作,但我认为这不会起作用.
I suspect the reason for this failure is that you are trying to use the Cognito Your User Pool token directly with STS. While I no longer work directly on Cognito, I do not believe this will work.
您应该尝试以下操作之一:
You should try one of the following:
- (推荐)使用Cognito联合身份调用
GetId
和GetCredentialsForIdentity
来获取您的临时凭据.这就是您的第一段代码在后台执行的操作. - 使用Cognito联合身份调用
GetId
和GetOpenIdToken
,然后在AssumeRoleForWebIdentity
调用中使用 that 令牌.
- (recommended) Use the Cognito federated identity calls
GetId
andGetCredentialsForIdentity
to get your temporary credentials. This is what your first block of code is doing under the hood. - Use the Cognito federated identity calls
GetId
andGetOpenIdToken
, then use that token in yourAssumeRoleForWebIdentity
call.
希望这会有所帮助.
这篇关于无权与Cognito用户一起执行AssumeRoleWithWebIdentity的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!