AWS：将Cognito授权用户限制为特定的Lambda函数 [英] AWS: Restrict Cognito Authorized User to specific Lambda Functions

问题描述

我正在使用AWS，并具有以下设置：UserPool； API网关，Lambda函数

I'm working with AWS and I've the following setup: UserPool; API Gateway, Lambda Functions

api网关正在使用UserPool授权者来保护lambda函数。到目前为止，这是可行的。现在，我想将每个lambda函数限制为特定的用户组。因此，我在CognitoPool中创建了两个用户组（ user 和 admin ），并分配了特定的角色每个组都有一个策略。之后，我在UserPool中创建了一个用户，并将其添加到 user 组中。该用户仍然可以向每个路由/ lambda函数提交请求。

The api gateway is using a UserPool authorizer to protect the lambda functions. This is working so far. Now I want to restrict every lambda function to a specific group of users. Therefore I've created two user groups in the CognitoPool (user and admin) and I've assigned a specific role to each group with a policy. Afterwards I've created a user in the UserPool and added him to the user group. That user is still able to submit requests to each route/lambda function.

我如何提交请求？

• 邮递员


• 在中设置 IdToken （经过身份验证的用户）授权标头


• 没有授权标头，响应为401（如预期）


• 具有 Authorization 标头的每个lambda函数都可以触发（不期望）

• Postman
• set IdToken (of the authenticated user) in the Authorization header
• without Authorization header the response is a 401 (as expected)
• with Authorization header every lambda function can be triggered (not expected)

UserPool组的配置：

Configuration of the UserPool Groups:

• 组用户：

• Group User:

• Arn：角色ARN：arn：aws：iam :: xxxxxx：角色/用户



• UserRole指定为

• Arn: Role ARN: arn:aws:iam::xxxxxx:role/User

• UserRole is specified as

{
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
    ],
    "Effect": "Allow"
  ]
}

组管理员：

• Arn：角色ARN：arn：aws： iam :: xxxxxx：角色/ Admin



• AdminRole被指定为

• Arn: Role ARN: arn:aws:iam::xxxxxx:role/Admin

• AdminRole is specified as

{
  "Version": "2012-10-17",
  "Statement": [
      "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
    "Resource": [
       "arn:aws:lambda:region:xxxxxx:function:api-dev-getItems
       "arn:aws:lambda:region:xxxxxx:function:api-dev-getUsers
    ],
    "Effect": "Allow"
  ]
}

id令牌的有效载荷还包含：
'cognito：roles'：['arn：aws：iam :: xxxxxx：role / User']

The payload of the id token also contains: 'cognito:roles': [ 'arn:aws:iam::xxxxxx:role/User' ]

推荐答案

所以我找到了解决问题的方法。以下是我的经验总结：

So I've found a solution to my problem. Here is the summary of my experiences:

• Cognito授权者更像是是/否授权者（是否经过身份验证；不评估用户组）


• 因此，我在API网关中使用了AWS IAM Authorizer，它将评估用户组角色


• 代替JWT的是AWS签名v4必须通过授权（npm上有一个邮递员插件和几个软件包）


• 由于我使用的是API网关，因此必须将角色策略资源更改为 execute-api：调用

• Cognito Authorizer is more like a yes/no authorizer (authenticated or not; user groups are not evaluated)
• Therefore I went with AWS IAM Authorizer in the API Gateway, which will evaluate the user group roles
• Instead of a JWT the AWS signature v4 authorization has to be passed (there is a plugin for postman and several packages on npm)
• Since I am using an API Gateway I had to change the role policy resources to execute-api:Invoke

详细信息：

UserRole：

{
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:execute-api:region:accountid:api-id/stage/GET/items
    ],
    "Effect": "Allow"
  ]
}

AdminRole ：

AdminRole:

{
  "Version": "2012-10-17",
  "Statement": [
    "Action": [
      "lambda:InvokeFunction",
      "lambda:InvokeAsync"
    ],
   "Resource": [
     "arn:aws:execute-api:region:accountid:api-id/stage/GET/items
     "arn:aws:execute-api:region:accountid:api-id/stage/*/users
    ],
    "Effect": "Allow"
  ]
}

我没有使用ID令牌到 Authorization 标头中，而是不得不使用Postman AWS Signature，它至少需要一个 AccessKey 和 SecretKey 。当我使用aws-sdk登录用户时，可以检索到这两个。以TypeScript为例的aws-sdk-js：

Instead of passing the ID Token into the Authorization header, I had to use Postman AWS Signature, which requires at least an AccessKey and a SecretKey. Those two can be retrieved when I sign in my user using the aws-sdk. aws-sdk-js with TypeScript as example:

import { CognitoUserPool, CognitoUser, AuthenticationDetails } from 'amazon-cognito-identity-js';

const userPool = new CognitoUserPool({
  UserPoolId: 'my pool id',
  ClientId: 'my client id'
});

function signIn(username: string, password: string) {
  const authData = {
    Username: username,
    Password: password,
  };

  const authDetails = new AuthenticationDetails(authData);
  const userData = {
    Username: username,
    Pool: userPool,
  };

  const cognitoUser = new CognitoUser(userData);
  cognitoUser.authenticateUser(authDetails, {
    onSuccess: (result) => {
      const cognitoIdpKey = `cognito-idp.${region}.amazonaws.com/${userPool.getUserPoolId()}`;

      const credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'identity pool id,
        Logins: {
          [cognitoIdpKey]: result.getIdToken().getJwtToken(),
        }
      });
      AWS.config.update({
        credentials,
      });

      credentials.refreshPromise()
        .then(() => {
          console.log('Success refresh. Required data:', (credentials as any).data.Credentials);
        })
        .catch(err => console.error('credentials refresh', err));
    }
  });
}

这篇关于AWS：将Cognito授权用户限制为特定的Lambda函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！