AWS Cognito userpools JavaScript SDK get user's policy documents


Problem description



For a registered user in AWS Cognito Userpools, is it possible to retrieve the policy documents attached to the user through IAM roles via the JavaScript SDK?

The use case is to write a custom authorizer which authorizes a Cognito ID token and returns the policy document with the IAM permissions the user is capable of assuming through Cognito User Groups.

Solution

After carrying out further research, the following approach is used to retrieve the 'inline policies' attached to the user through IAM roles.

  • From the AWS Cognito JWT, extract the role names from the ARNs and, using the IAM SDK for JavaScript, get the policy ARNs by using

    const aws = require('aws-sdk');
    let iam = new aws.IAM();
    // Lists the names of the inline policies embedded in the role; managed
    // policies attached to the role are not included (see listAttachedRolePolicies)
    iam.listRolePolicies({ RoleName: roleName }, function (err, data) {
        if (err) { return console.error(err); }
        let policyNames = data["PolicyNames"];
        // Use policy names and role names to retrieve policy documents
    });
    

  • Using the policy names and role names in combination, retrieve the policy documents in JSON format

    iam.getRolePolicy({ PolicyName: policyName, RoleName: roleName },
    function (err, data) {
        if (err) { return console.error(err); }
        // IAM returns the document URL-encoded, so decode it to get the JSON text
        let document = decodeURIComponent(data["PolicyDocument"]);
    });
    

  • Next, iteratively extract the statements from each policy document and build a single one.

Example code can be found in this GitHub repository.
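The three steps of the answer above, carried through end to end as an added example (this is not the answer's own code nor the linked repository): read the role ARNs from the ID token's `cognito:roles` claim, list each role's inline policies, fetch and URL-decode them, and merge the statements into one document. The IAM client is injected so a real aws-sdk v2 `new AWS.IAM()` can be passed in; the in-memory stand-in, the role names, the account id and the token below are all constructed sample data, and the token is assumed to have been signature-verified against the user pool's JWKS before its claims are read.

```javascript
// Added example, not code from the original answer. Runs offline against a
// constructed stand-in for the aws-sdk v2 IAM client (same method names and
// `.promise()` shape as the real one, so `new AWS.IAM()` can be substituted).

// The token MUST already be signature-verified (issuer, audience, expiry,
// token_use) before its claims are trusted; that step is assumed, not shown.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// arn:aws:iam::123456789012:role/optional/path/RoleName -> RoleName
// (IAM's RoleName parameter takes the bare name, never the path).
function roleNameFromArn(arn) {
  const m = /^arn:aws:iam::\d{12}:role\/(.+)$/.exec(arn);
  if (!m) throw new Error(`not an IAM role ARN: ${arn}`);
  return m[1].split('/').pop();
}

// IAM returns PolicyDocument URL-encoded, hence decodeURIComponent before JSON.parse.
function parsePolicyDocument(encoded) {
  return JSON.parse(decodeURIComponent(encoded));
}

// Concatenate statements; a single Statement object is normalised to an array.
// Deny statements are carried over unchanged, so the merged document is never
// more permissive than the roles it was built from.
function mergePolicyDocuments(docs) {
  const statements = [];
  for (const doc of docs) {
    const s = doc.Statement;
    statements.push(...(Array.isArray(s) ? s : [s]));
  }
  return { Version: '2012-10-17', Statement: statements };
}

async function buildPolicyForClaims(iam, claims) {
  const docs = [];
  for (const arn of claims['cognito:roles'] || []) {
    const roleName = roleNameFromArn(arn);
    let marker; // listRolePolicies is paginated: follow Marker while IsTruncated
    do {
      const page = await iam.listRolePolicies({ RoleName: roleName, Marker: marker }).promise();
      for (const policyName of page.PolicyNames) {
        const got = await iam.getRolePolicy({ RoleName: roleName, PolicyName: policyName }).promise();
        docs.push(parsePolicyDocument(got.PolicyDocument));
      }
      marker = page.IsTruncated ? page.Marker : undefined;
    } while (marker);
  }
  return mergePolicyDocuments(docs);
}

// ---- constructed sample data: not real accounts, roles, policies or tokens ----
const SAMPLE_ROLE_POLICIES = {
  ReadersRole: {
    'read-bucket': { Version: '2012-10-17', Statement:
      { Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*' } },
  },
  AuditorsRole: {
    'deny-delete': { Version: '2012-10-17', Statement:
      [{ Effect: 'Deny', Action: 's3:DeleteObject', Resource: '*' }] },
    'list-bucket': { Version: '2012-10-17', Statement:
      [{ Effect: 'Allow', Action: 's3:ListBucket', Resource: 'arn:aws:s3:::example-bucket' }] },
  },
};

// Stand-in for aws-sdk's IAM client, returning documents URL-encoded like the real API.
function makeFakeIam(rolePolicies) {
  const respond = (value) => ({ promise: () => Promise.resolve(value) });
  return {
    listRolePolicies: ({ RoleName }) =>
      respond({ PolicyNames: Object.keys(rolePolicies[RoleName] || {}), IsTruncated: false }),
    getRolePolicy: ({ RoleName, PolicyName }) =>
      respond({ PolicyDocument: encodeURIComponent(JSON.stringify(rolePolicies[RoleName][PolicyName])) }),
  };
}

// Builds a JWT-shaped string with a placeholder signature; a real Cognito ID
// token is RS256-signed by the user pool and must be verified before use.
function makeSampleToken(claims) {
  const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'RS256', kid: 'example-kid' })}.${b64url(claims)}.placeholder-signature`;
}

const SAMPLE_TOKEN = makeSampleToken({
  sub: 'example-user', token_use: 'id',
  'cognito:groups': ['readers', 'auditors'],
  'cognito:roles': [
    'arn:aws:iam::123456789012:role/ReadersRole',
    'arn:aws:iam::123456789012:role/service-role/AuditorsRole',
  ],
});

buildPolicyForClaims(makeFakeIam(SAMPLE_ROLE_POLICIES), decodeJwtPayload(SAMPLE_TOKEN))
  .then((doc) => console.log(JSON.stringify(doc, null, 2)));
```

Swapping the stand-in for the real client is a one-line change (`buildPolicyForClaims(new AWS.IAM(), claims)`), provided the Lambda's execution role is allowed `iam:ListRolePolicies` and `iam:GetRolePolicy` on the roles in question. Note that this only covers inline policies, exactly as the answer says; managed policies attached to a role require `listAttachedRolePolicies` plus `getPolicy`/`getPolicyVersion` and are not merged here.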

