How to call AWS API Gateway Endpoint with Cognito Id (+configuration)?

Question

I want to call an AWS API Gateway endpoint protected by AWS_IAM using the generated JavaScript API SDK.

I have a Cognito UserPool and a Cognito Identity Pool. Both properly synced via ClientId.

I use this code to log in and get a Cognito Identity:

AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

AWSCognito.config.region = 'us-east-1';
AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

var poolData = {
  UserPoolId: 'us-east-1_XXXXXXXX',
  ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXX'
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

var authenticationData = {
  Username: 'user',
  Password: '12345678'
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
var userData = {
  Username: 'user',
  Pool: userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
  onSuccess: function (result) {
    console.log('access token + ' + result.getAccessToken().getJwtToken());

    // Exchange the user pool session for identity pool credentials. The Logins
    // key is the user pool's provider name and the value must be the ID token
    // (not the access token).
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXX',
      IdentityId: AWS.config.credentials.identityId,
      Logins: {
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXX': result.getIdToken().getJwtToken()
      }
    });

    AWS.config.credentials.get(function (err) {
      // now I'm using authenticated credentials
      if (err) {
        console.log('error in authenticating AWS ' + err);
      } else {
        console.log(AWS.config.credentials.identityId);
      }
    });
  },

  onFailure: function (err) {
    alert(err);
  }
});

All this succeeds and I have an authorized Cognito Identity now.

Now I try to call the API Gateway Endpoint to execute the Lambda Function it points to.

// Must run after AWS.config.credentials.get() has completed, otherwise the
// temporary accessKeyId/secretAccessKey/sessionToken are still undefined.
var apigClient = apigClientFactory.newClient({
  accessKey: AWS.config.credentials.accessKeyId, // 'ACCESS_KEY',
  secretKey: AWS.config.credentials.secretAccessKey, // 'SECRET_KEY',
  sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', OPTIONAL: If you are using temporary credentials you must include the session token
  region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

var params = {
  // This is where any modeled request parameters should be added.
  // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {
  // This is where you define the body of the request,
  query: '{person {firstName lastName}}'
};

var additionalParams = {
  // If there are any unmodeled query parameters or headers that must be
  //   sent with the request, add them here.
  headers: {},
  queryParams: {}
};

apigClient.graphqlPost(params, body, additionalParams)
  .then(function (result) {
    // Add success callback code here.
    console.log(result);
  }).catch(function (result) {
    // Add error callback code here.
    console.log(result);
  });

But unfortunately this fails. The OPTIONS request succeeds with 200 but the POST then fails with 403.

I'm pretty sure there is no CORS issue.

I'm pretty sure the problem is related to the IAM Roles and the AWS Resource Configuration.

My question is basically, can you please provide me with all the necessary AWS Resource Configurations and IAM Roles that are necessary for this to work please?

Resources I have:


  • API Gateway - with deployed API Endpoints
  • Lambda Function - called by the Endpoint
  • Cognito User Pool - with App synced to the Identity Pool
  • Cognito Identity Pool - with Authorized and Unauthorized Role mapped to it.
  • IAM Roles - for the Lambda Function and the Authorized and Unauthorized Role of the Cognito Identity Pool.

But I don't know how these Resources need to be configured properly to get this to work.

Thanks

Answer

What access permissions does the role of the Cognito Identity have? Make sure it has access to perform execute-api:Invoke on your API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:<account>:<rest-api>/*/POST/graphql"
      ]
    }
  ]
}

You can get the exact resource ARN from the method settings page in the web console.
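The 403 in the question and the policy in the answer can be checked offline before touching the console. The following is an added example, not code from the question, the answer or AWS: it builds the execute-api ARN for a deployed method and resolves it against an identity-based policy the way IAM does (explicit Deny wins, otherwise a matching Allow is required, otherwise implicit deny). The account ID, API ID and stage are placeholders, and the "default authenticated role" policy is the one the Cognito console attached at the time (cognito-sync and mobileanalytics only, no execute-api). The OPTIONS handling assumes the preflight method was created by API Gateway's "Enable CORS" with authorization NONE, which is why a preflight can return 200 while the AWS_IAM-protected POST returns 403.

```javascript
// Added example (not from the question, the answer or AWS). Placeholder IDs.

// execute-api ARN for a deployed method, the value shown on the method's
// settings page: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
function methodArn({ region, account, apiId, stage, method, path }) {
  const resourcePath = path.replace(/^\/+/, '');
  return `arn:aws:execute-api:${region}:${account}:${apiId}/${stage}/${method.toUpperCase()}/${resourcePath}`;
}

// IAM wildcard rules: '*' matches any run of characters (including '/'), '?' one
// character. Action names match case-insensitively, Resource ARNs case-sensitively.
function globToRegExp(pattern, flags) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, flags);
}

function matchesAny(patterns, value, flags) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => globToRegExp(p, flags).test(value));
}

// Resolve one action/resource pair against an identity-based policy:
// an explicit Deny wins, otherwise any matching Allow wins, otherwise the
// request is implicitly denied. Returns 'Allow' or 'Deny'.
function evaluate(policy, action, resource) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    let actionMatch = false;
    if (stmt.Action) actionMatch = matchesAny(stmt.Action, action, 'i');
    else if (stmt.NotAction) actionMatch = !matchesAny(stmt.NotAction, action, 'i');
    const resourceMatch = stmt.Resource ? matchesAny(stmt.Resource, resource, '') : false;
    if (!actionMatch || !resourceMatch) continue;
    if (stmt.Effect === 'Deny') return 'Deny';
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Status API Gateway returns for a SigV4-signed call from the given role.
// A method whose authorization is NONE (the OPTIONS method that "Enable CORS"
// creates) never consults the caller's policy; an AWS_IAM method answers an
// implicit or explicit deny with 403.
function expectedStatus(policy, spec) {
  if (spec.authorization === 'NONE') return 200;
  return evaluate(policy, 'execute-api:Invoke', methodArn(spec)) === 'Allow' ? 200 : 403;
}

// Placeholder identifiers (assumptions, not real resources).
const ACCOUNT = '123456789012';
const API_ID = 'a1b2c3d4e5';
const api = { region: 'us-east-1', account: ACCOUNT, apiId: API_ID, stage: 'prod' };

// The policy from the answer with the placeholders filled in.
const authenticatedRolePolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['execute-api:Invoke'],
      Resource: [`arn:aws:execute-api:us-east-1:${ACCOUNT}:${API_ID}/*/POST/graphql`],
    },
  ],
};

// What the Cognito console attached to the default authenticated role:
// no execute-api permission at all, so every AWS_IAM method returns 403.
const defaultAuthenticatedRolePolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['mobileanalytics:PutEvents', 'cognito-sync:*', 'cognito-identity:*'],
      Resource: ['*'],
    },
  ],
};

// Reproduces the symptom from the question: preflight 200, POST 403 with the
// default role; both 200 once the answer's policy is attached.
function demo() {
  const requests = [
    { ...api, method: 'OPTIONS', path: '/graphql', authorization: 'NONE' },
    { ...api, method: 'POST', path: '/graphql', authorization: 'AWS_IAM' },
  ];
  for (const [name, policy] of [['default role', defaultAuthenticatedRolePolicy], ['answer policy', authenticatedRolePolicy]]) {
    for (const r of requests) console.log(name, r.method, r.path, '->', expectedStatus(policy, r));
  }
}
demo();
```

The resource string is where most mistakes hide: the stage segment must match the stage the API is deployed to (the `*` in the answer covers all stages), the HTTP method is upper-case, and the path is the API Gateway resource path rather than the invoke URL, so `evaluate` is a quick way to confirm an ARN copied from the method settings page actually matches the policy before redeploying.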
