如何使用boto3从AWS Cognito获取经过身份验证的身份响应 [英] How to get authenticated identity response from AWS Cognito using boto3
问题描述
我想使用boto3获得访问AWS服务的临时凭证。用例是这样的:Cognito用户池中的用户登录到服务器,并且我希望服务器代码为该用户提供访问其他AWS服务的临时凭证。
我有一个存储用户的Cognito用户池。我有一个Cognito身份池,它不允许未经授权的访问,只能由用户从Cognito用户池进行访问。
所以这是我开始的代码:
import boto3
client = boto3.client('cognito-identity','us-west-2')
resp = client.get_id(AccountId ='< ACCNTID>',
IdentityPoolId ='< IDPOOLID>')
但是,仅运行以下三行代码会引发异常:
botocore.errorfactory。 NotAuthorizedException:调用
的GetId操作时发生错误
(NotAuthorizedException):此身份池不支持未经身份验证的访问
。
由于我的Cognito身份池未设置为未经身份验证的访问,因此似乎无法调用get_id,直到我以某种方式进行身份验证。
我该如何解决?
更新:我似乎需要做些什么才能验证身份?
UPDATE:看来我需要将Logins字段和数据传递给get_id函数调用,但是为此,我需要登录JWT令牌。如果我在使用AWS Cognito预打包登录屏幕的Web应用程序(例如Django后端)中运行此程序,则可以,从成功登录重定向后,我可以从主页URL上获取此信息。但是现在我正在编写一些与网站无关的测试脚本。有没有办法使用boto或boto3或其他一些python软件包使用用户名和密码登录并获取JWT令牌?
要传递Cognito用户池JWT令牌,您需要在 GetId API调用中使用 Logins Map 。替换必要的占位符后,可以尝试以下Python代码。
response = client.get_id(
AccountId ='string',
IdentityPoolId ='string',
Logins = {
'cognito-idp。< region> .amazonaws.com /< YOUR_USER_POOL_ID>'::'< JWT ID令牌>'
}
)
如果您未提供登录映射,则Amazon Cognito会将身份验证事件视为未经身份验证,因此您正面临这个错误。
I would like to use boto3 to get temporary credentials for access AWS services. The use case is this: A user in my Cognito User Pool logs in to my server and I want the server code to provide that user with temporary credentials to access other AWS services.
I have a Cognito User Pool where my users are stored. I have a Cognito Identity Pool that does NOT allow unauthorized access, only access by users from the Cognito User Pool.
So here is the code I am starting with:
import boto3
client = boto3.client('cognito-identity','us-west-2')
resp = client.get_id(AccountId='<ACCNTID>',
IdentityPoolId='<IDPOOLID>')
However, just running these three lines of code throws an exception:
botocore.errorfactory.NotAuthorizedException: An error
occurred (NotAuthorizedException) when calling
the GetId operation: Unauthenticated access is not
supported for this identity pool.
Since my Cognito Identity Pool is not set up for unauthenticated access, it seems that I cannot call get_id until I somehow authenticate somewhere.
How do I solve this? What exactly do I need to do to authenticate so I can call get_id?
UPDATE: Looks like I need to pass a Logins field and data to the get_id function call, but to do that I need the login JWT token. If I am running this inside a webapp (eg a Django backend) where I use the AWS Cognito prepackaged login screens, then yes I can get this from the homepage URL after redirection from successful login. But now I am writing some test scripts that have nothing to do with a website. Is there a way to use boto or boto3 or some other python package to login with username and password and get JWT token?
To pass the Cognito User Pool JWT Token, you would need to use the Logins Map in the GetId API call. You could try the following Python code out on your end, after replacing the necessary placeholders.
response = client.get_id(
AccountId='string',
IdentityPoolId='string',
Logins={
'cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>': '<JWT ID Token>'
}
)
If you do not provide a Logins Map, Amazon Cognito treats the authentication event as Unauthenticated, and hence, you are facing this error.
这篇关于如何使用boto3从AWS Cognito获取经过身份验证的身份响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
