如何在Cognito用户池中使用DynamoDB细粒度访问控制？ [英] How to use DynamoDB fine grained access control with Cognito User Pools?

问题描述

使用Cognito用户池登录时，我无法理解如何在DynamoDB上使用细粒度的访问控制。我已经关注了文档并在Google周围搜索，但是由于某些原因，我似乎无法正常工作。

I'm having trouble understanding how to use fine-grained access control on DynamoDB when logged in using Cognito User Pools. I've followed the docs and googled around, but for some reason I can't seem to get it working.

我的AWS设置在下面列出。如果我删除了角色策略中的条件，那么我可以获取和放置项目都没有问题，因此看来条件很可能是问题所在。但是我无法弄清楚如何或在何处调试依赖于已验证身份的策略-可用的变量，变量的值等等。

My AWS setup is listed below. If I remove the condition in the role policy, I can get and put items no problem, so it seems likely that the condition is the problem. But I can't figure out how or where to debug policies that depend on authenticated identities - what variables are available, what are their values, etc etc.

任何帮助都会非常感谢！

Any help would be greatly appreciated!

DynamoDB表

• 表名：文档


• 主分区键：userID（字符串）


• 主排序键：docID（字符串）

DynamoDB示例行

{
  "attributes": {},
  "docID": "0f332745-f749-4b1a-b26d-4593959e9847",
  "lastModifiedNumeric": 1470175027561,
  "lastModifiedText": "Wed Aug 03 2016 07:57:07 GMT+1000 (AEST)",
  "type": "documents",
  "userID": "4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb"
}

认知用户池用户

• 用户状态：已启用/已确认


• MFA状态：已禁用


• 子：4fbf0c06 -- 03a9-4cbe-b45c-ca4cd0f5f3cb


• 电子邮件已验证：true

• User Status: Enabled / Confirmed
• MFA Status: Disabled
• sub: 4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb
• email_verified: true

RoleName

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:NUMBER:table/documents"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

从cognitoUser.getUserAttributes（）返回的登录信息

attribute sub has value 4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb
attribute email_verified has value true
attribute email has value ****@****com

错误消息

Code: "AccessDeniedException"
Message: User: arn:aws:sts::NUMBER:assumed-role/ROLE_NAME/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-2:NUMBER:table/documents

推荐答案

策略变量 $ {cognito-identity.amazonaws.com:sub} 不是您从Cognito用户池中获得的用户子。实际上，当您使用联合身份服务从Cognito用户池联合用户时，由Cognito联合身份服务生成的用户的身份ID。

The policy variable "${cognito-identity.amazonaws.com:sub}" is not the user sub which you get from Cognito user pools. It is in fact the identity id of a user which is generated by the Cognito Federated Identity service when you federate a user from Cognito User Pools with Federated identity service.

因为， $ {cognito-identity.amazonaws.com:sub} 中的值永远不匹配您在DynamoDB行中使用AccessDenied失败。为此，Dynamo条目中的 userId 实际上应该是身份ID，而不是sub。当前，IAM策略变量和Cognito用户池服务之间没有直接链接。

Since, the value in "${cognito-identity.amazonaws.com:sub}" never matches what you have in your DynamoDB row, it fails with AccessDenied. For this to work, the userId in your Dynamo entry should actually be the identity id, not sub. Currently, there is no direct link between IAM policy variables and Cognito User Pools service.

以下某些文档链接可能会有所帮助。

1 。 IAM角色与Cognito联合身份服务

2. 将用户池与Cognito联合身份服务集成

Here are some doc links which might help.
1. IAM roles with Cognito Federated Identity Service
2. Integrating User Pools with Cognito Federated Identity Service

这篇关于如何在Cognito用户池中使用DynamoDB细粒度访问控制？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！