DynamoDB细粒度的访问控制：是否可以使用$ {cognito-identity.amazonaws.com:email}？ [英] DynamoDB fine-grained access control: is it possible to use ${cognito-identity.amazonaws.com:email}?

问题描述

我的用户拥有Cognito帐户。

My users have Cognito accounts.

根据本文我们可以通过以下策略限制对DynamoDB API的访问：

According to this article we can restrict access to the DynamoDB API with policy like that:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb: <REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

当索引键为 email （主排序键为）时，对于我的情况看起来很简单utc ），因此我将上面的示例调整为：

Looks pretty straightforward for my case when index key is email (and primary sort key is utc), so I adjusted example above to this one:

    {
        "Effect": "Allow",
        "Action": "dynamodb:UpdateItem",
        "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:email}"
                ],
                "dynamodb:Attributes": [
                    "email",
                    "utc",
                    "updated",
                    "isNew"
                ]
            }
        }

但是我一直收到错误 AccessDeniedException：User：arn：aws：sts :: 9876543210：assumed-role /未授权policyname / CognitoIdentityCredentials执行：资源上的dynamodb：UpdateItem：arn：aws：dynamodb：us-east-1：123456789123：table / history 。

我尝试了具有 * 权限的js http调用，它可以正常工作，因此只能使用此策略。

I tried my js http call with * permissions and it works, so pitfall only with this policy.

推荐答案

$ {cognito-identity.amazonaws.com:email}不是有效的策略变量。

${cognito-identity.amazonaws.com:email} is not a valid policy variable. Its not resolving to your users email address.

这很遗憾，因为像您一样的大多数开发人员会发现用户的电子邮件地址比使用cognito-identity.amazonaws更直观。 .com：sub或cognito-identity.amazonaws.com:aud。

It is a shame as most developers, like yourself, would find the users email address more intuitive than using cognito-identity.amazonaws.com:sub or cognito-identity.amazonaws.com:aud.

这篇关于DynamoDB细粒度的访问控制：是否可以使用$ {cognito-identity.amazonaws.com:email}？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！