How to call AWS API Gateway Endpoint with Cognito Id (+configuration)?

Question

I want to call an AWS API Gateway endpoint protected by AWS_IAM using the generated JavaScript API SDK.

I have a Cognito UserPool and a Cognito Identity Pool. Both properly synced via ClientId.

I use this code to log in and get a Cognito Identity:
```javascript
AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

AWSCognito.config.region = 'us-east-1';
AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

var poolData = {
    UserPoolId: 'us-east-1_XXXXXXXX',
    ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXX'
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

var authenticationData = {
    Username: 'user',
    Password: '12345678'
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);

var userData = {
    Username: 'user',
    Pool: userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);

cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {
        console.log('access token + ' + result.getAccessToken().getJwtToken());

        // Exchange the User Pool ID token for authenticated Identity Pool credentials
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXX',
            IdentityId: AWS.config.credentials.identityId,
            Logins: {
                'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXX': result.getIdToken().getJwtToken()
            }
        });

        AWS.config.credentials.get(function (err) {
            // now I'm using authenticated credentials
            if (err) {
                console.log('error in authenticating AWS: ' + err);
            } else {
                console.log(AWS.config.credentials.identityId);
            }
        });
    },
    onFailure: function (err) {
        alert(err);
    }
});
```
All this succeeds and I have an authorized Cognito Identity now.

Now I try to call the API Gateway Endpoint to execute the Lambda Function it points to:
```javascript
var apigClient = apigClientFactory.newClient({
    accessKey: AWS.config.credentials.accessKeyId,     // 'ACCESS_KEY'
    secretKey: AWS.config.credentials.secretAccessKey, // 'SECRET_KEY'
    sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN' // OPTIONAL: If you are using temporary credentials you must include the session token
    region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

var params = {
    // This is where any modeled request parameters should be added.
    // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {
    // This is where you define the body of the request,
    query: '{person {firstName lastName}}'
};

var additionalParams = {
    // If there are any unmodeled query parameters or headers that must be
    // sent with the request, add them here.
    headers: {},
    queryParams: {}
};

apigClient.graphqlPost(params, body, additionalParams)
    .then(function (result) {
        // Add success callback code here.
        console.log(result);
    }).catch(function (result) {
        // Add error callback code here.
        console.log(result);
    });
```
But unfortunately this fails. The OPTIONS request succeeds with 200 but the POST then fails with 403.

I'm pretty sure there is no CORS issue.

I'm pretty sure the problem is related to the IAM Roles and the AWS Resource Configuration.

My question is basically, can you please provide me with all the necessary AWS Resource Configurations and IAM Roles that are necessary for this to work?
Resources I have:

- API Gateway - with deployed API Endpoints
- Lambda Function - called by the Endpoint
- Cognito User Pool - with App synced to the Identity Pool
- Cognito Identity Pool - with Authorized and Unauthorized Role mapped to it.
- IAM Roles - for the Lambda Function and the Authorized and Unauthorized Role of the Cognito Identity Pool.

But I don't know how these Resources need to be configured properly to get this to work.

Thanks
Answer

What access permissions does the role of the Cognito Identity have? Make sure it has access to perform execute-api:Invoke on your API.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:us-east-1:<account>:<rest-api>/*/POST/graphql"
            ]
        }
    ]
}
```
You can get the exact resource ARN from the method settings page in the web console.
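The following is an added example, not code from the original question or answer. It shows how the resource ARN that IAM evaluates for an API Gateway request is assembled from region, account, API id, stage, HTTP method and path, and checks such a request against the authenticated role's policy using IAM's matching rules for this action (an explicit Deny wins, any matching Allow grants, anything else is implicitly denied, which API Gateway reports as 403). The CORS preflight OPTIONS method is usually deployed without an authorizer, so only the signed POST is evaluated against the policy, which is consistent with the 200/403 pair the question describes. The account id, API id, stage and the policy itself are constructed placeholders, and `patternToRegExp`/`policyAllows` are a deliberately minimal evaluator (no conditions, principals or other IAM features).

```javascript
// Added example, not part of the original post. Account id, API id, stage and
// the role policy below are constructed placeholders.

// Build the resource ARN that IAM evaluates for one API Gateway request:
// arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
function executeApiArn(req) {
  var path = req.path.replace(/^\/+/, '');
  return 'arn:aws:execute-api:' + req.region + ':' + req.account + ':' +
    req.apiId + '/' + req.stage + '/' + req.method.toUpperCase() + '/' + path;
}

// Turn an IAM pattern (with * and ? wildcards) into an anchored RegExp.
function patternToRegExp(pattern) {
  var escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Minimal evaluator: an explicit Deny wins, otherwise any matching Allow grants
// access, otherwise the request is implicitly denied (API Gateway answers 403).
function policyAllows(policy, action, resourceArn) {
  var allowed = false;
  for (var i = 0; i < policy.Statement.length; i++) {
    var stmt = policy.Statement[i];
    var actions = [].concat(stmt.Action);
    var resources = [].concat(stmt.Resource);
    var actionMatch = actions.some(function (a) { return patternToRegExp(a).test(action); });
    var resourceMatch = resources.some(function (r) { return patternToRegExp(r).test(resourceArn); });
    if (!actionMatch || !resourceMatch) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Constructed policy for the Identity Pool's authenticated role, scoped to
// POST /graphql on any stage, following the shape of the answer's policy.
var AUTH_ROLE_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['execute-api:Invoke'],
    Resource: ['arn:aws:execute-api:us-east-1:123456789012:abcde12345/*/POST/graphql']
  }]
};

// Decide whether a signed request from the generated SDK would be authorized.
// Returns true when allowed, false for the 403 the question describes.
function canInvoke(policy, method, path, stage) {
  var arn = executeApiArn({
    region: 'us-east-1', account: '123456789012', apiId: 'abcde12345',
    stage: stage || 'prod', method: method, path: path
  });
  return policyAllows(policy, 'execute-api:Invoke', arn);
}

console.log(canInvoke(AUTH_ROLE_POLICY, 'POST', '/graphql')); // true
console.log(canInvoke(AUTH_ROLE_POLICY, 'GET', '/graphql'));  // false: method not covered by the ARN
console.log(canInvoke(AUTH_ROLE_POLICY, 'POST', '/other'));   // false: path not covered by the ARN
```

Compare the ARN printed by `executeApiArn` for your own region, account, API id and stage with the `Resource` entry attached to the Identity Pool's authenticated role; a mismatch in any of those segments (or a policy attached to the unauthenticated role instead) is enough to produce the 403 even though the Cognito login itself succeeded.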