AWS:将Cognito授权用户限制为特定的Lambda函数 [英] AWS: Restrict Cognito Authorized User to specific Lambda Functions
问题描述
我正在使用AWS,并具有以下设置:UserPool; API网关,Lambda函数
I'm working with AWS and I've the following setup: UserPool; API Gateway, Lambda Functions
api网关正在使用UserPool授权者来保护lambda函数。到目前为止,这是可行的。现在,我想将每个lambda函数限制为特定的用户组。因此,我在CognitoPool中创建了两个用户组( user
和 admin
),并分配了特定的角色每个组都有一个策略。之后,我在UserPool中创建了一个用户,并将其添加到 user
组中。该用户仍然可以向每个路由/ lambda函数提交请求。
The api gateway is using a UserPool authorizer to protect the lambda functions. This is working so far. Now I want to restrict every lambda function to a specific group of users. Therefore I've created two user groups in the CognitoPool (user
and admin
) and I've assigned a specific role to each group with a policy. Afterwards I've created a user in the UserPool and added him to the user
group. That user is still able to submit requests to each route/lambda function.
我如何提交请求?
- 邮递员
- 在
中设置
标头IdToken
(经过身份验证的用户)授权 - 没有
授权
标头,响应为401(如预期) - 具有
Authorization
标头的每个lambda函数都可以触发(不期望)
- Postman
- set
IdToken
(of the authenticated user) in theAuthorization
header - without
Authorization
header the response is a 401 (as expected) - with
Authorization
header every lambda function can be triggered (not expected)
UserPool组的配置:
Configuration of the UserPool Groups:
-
组用户:
Group User:
- Arn:
角色ARN:arn:aws:iam :: xxxxxx:角色/用户
-
UserRole指定为
- Arn:
Role ARN: arn:aws:iam::xxxxxx:role/User
UserRole is specified as
{
"Version": "2012-10-17",
"Statement": [
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": [
"arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
],
"Effect": "Allow"
]
}
组管理员:
- Arn:
角色ARN:arn:aws: iam :: xxxxxx:角色/ Admin
-
AdminRole被指定为
- Arn:
Role ARN: arn:aws:iam::xxxxxx:role/Admin
AdminRole is specified as
{
"Version": "2012-10-17",
"Statement": [
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": [
"arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
"arn:aws:lambda:region:xxxxxx:function:api-dev-getUsers
],
"Effect": "Allow"
]
}
id令牌的有效载荷还包含:
'cognito:roles':['arn:aws:iam :: xxxxxx:role / User']
The payload of the id token also contains:
'cognito:roles': [ 'arn:aws:iam::xxxxxx:role/User' ]
推荐答案
所以我找到了解决问题的方法。以下是我的经验总结:
So I've found a solution to my problem. Here is the summary of my experiences:
- Cognito授权者更像是是/否授权者(是否经过身份验证;不评估用户组)
- 因此,我在API网关中使用了AWS IAM Authorizer,它将评估用户组角色
- 代替JWT的是AWS签名v4必须通过授权(npm上有一个邮递员插件和几个软件包)
- 由于我使用的是API网关,因此必须将角色策略资源更改为
execute-api:调用
- Cognito Authorizer is more like a yes/no authorizer (authenticated or not; user groups are not evaluated)
- Therefore I went with AWS IAM Authorizer in the API Gateway, which will evaluate the user group roles
- Instead of a JWT the AWS signature v4 authorization has to be passed (there is a plugin for postman and several packages on npm)
- Since I am using an API Gateway I had to change the role policy resources to
execute-api:Invoke
详细信息:
UserRole:
{
"Version": "2012-10-17",
"Statement": [
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": [
"arn:aws:execute-api:region:accountid:api-id/stage/GET/items
],
"Effect": "Allow"
]
}
AdminRole :
AdminRole:
{
"Version": "2012-10-17",
"Statement": [
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync"
],
"Resource": [
"arn:aws:execute-api:region:accountid:api-id/stage/GET/items
"arn:aws:execute-api:region:accountid:api-id/stage/*/users
],
"Effect": "Allow"
]
}
我没有使用ID令牌到 Authorization
标头中,而是不得不使用Postman AWS Signature,它至少需要一个 AccessKey
和 SecretKey
。当我使用aws-sdk登录用户时,可以检索到这两个。以TypeScript为例的aws-sdk-js:
Instead of passing the ID Token into the Authorization
header, I had to use Postman AWS Signature, which requires at least an AccessKey
and a SecretKey
. Those two can be retrieved when I sign in my user using the aws-sdk. aws-sdk-js with TypeScript as example:
import { CognitoUserPool, CognitoUser, AuthenticationDetails } from 'amazon-cognito-identity-js';
const userPool = new CognitoUserPool({
UserPoolId: 'my pool id',
ClientId: 'my client id'
});
function signIn(username: string, password: string) {
const authData = {
Username: username,
Password: password,
};
const authDetails = new AuthenticationDetails(authData);
const userData = {
Username: username,
Pool: userPool,
};
const cognitoUser = new CognitoUser(userData);
cognitoUser.authenticateUser(authDetails, {
onSuccess: (result) => {
const cognitoIdpKey = `cognito-idp.${region}.amazonaws.com/${userPool.getUserPoolId()}`;
const credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'identity pool id,
Logins: {
[cognitoIdpKey]: result.getIdToken().getJwtToken(),
}
});
AWS.config.update({
credentials,
});
credentials.refreshPromise()
.then(() => {
console.log('Success refresh. Required data:', (credentials as any).data.Credentials);
})
.catch(err => console.error('credentials refresh', err));
}
});
}
这篇关于AWS:将Cognito授权用户限制为特定的Lambda函数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!