IAM允许访问一种dynamoDB方法，但不能使用javascript访问AWS的另一种方法 [英] IAM Gives access to one dynamoDB method but not another using javascript to AWS

问题描述

我对Cognito角色定义了以下策略

I have the following policy defined on a Cognito role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2: NUMBER:table/myapplication_product"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

如您所见，它应该允许访问GetItem，UpdateItem和Scan，但是我发现只有Scan才有效。尝试使用GetItem会导致：

As you can see, it should allow access to GetItem, UpdateItem and Scan, but I'm finding that only Scan works. An attempt to use GetItem results in:

https://dynamodb.ap-southeast-2.amazonaws.com/ 400 (Bad Request)
Error: User: arn:aws:sts:: NUMBER:assumed-role/Cognito_XXXXX_IDUnauth_Role/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-2:NUMBER:table/myapplication_product(…)

我已经设置：

AWS.config.region = 'ap-northeast-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'ap-northeast-1:SECRET_UUID',
});

AWS.config.apiVersions = {
    dynamodb: '2012-08-10',
};

this.dynamodb = new AWS.DynamoDB({region: "ap-southeast-2"});

那么为什么一种方法起作用而另一种方法不起作用？

So why does one method work and not another?

EDIT

我想我也应该详细说明正在进行的实际查询。

I thought I should also detail the actual queries being made.

这是基本的扫描；可以显示所有产品

This is the Scan, its basical;ly to display all products

Store.prototype.getAllProducts = function(callback) {
    var params = {
        TableName: 'myapplication_product',
    };
    this.dynamodb.scan(params, callback); 
}

这是GetItem：

Store.prototype.getProduct = function (sku, callback) {
    var params = {
        TableName: 'stonesandpearls_product',
        Key: { 
            sku: { S: sku }
        },    
    };
    this.dynamodb.getItem(params, callback);
}

如果我只是使用：

AWS.config.update({accessKeyId: 'MY_SECRET_ID', secretAccessKey: 'MY_SECRET_ACCESS_KEY'});

这些查询有效，而不是CognitoIdentityCredentials。

rather than the CognitoIdentityCredentials, these queries work.

推荐答案

这里的事物。

看看您的策略，似乎您正在寻找身份级别的细粒度访问。如果需要，然后将扫描添加到策略中，则基本上可以对整个表进行任何身份访问。您应该只允许细粒度策略中的项目级操作。 用于细粒度访问控制的IAM角色对此进行了解释更多详情。

Looking at your policy, looks like you are looking for identity level fine grained access. If you want that and you add Scan to your policy, it basically gives any identity access to your full table. You should only allow item level operations in the fine grained policy. IAM roles for fine grained access control explains this in more details.

dynamodb：LeadingKeys 条件键将允许用户仅访问分区/哈希键值与其标识ID匹配的项目。您得到的错误表明，身份ID不是DynamoDB表中的哈希键，或者您在发出get或update项时未在DynamoDB查询中设置哈希键值。这也是扫描正常运行的原因，因为扫描查询不需要哈希键值。

dynamodb:LeadingKeys condition key will allows users to access only the items where the partition/hash key value matches their identity ID. The error you are getting indicates that either the identity id is not the hash key in your DynamoDB table or you are not setting the hash key value in your DynamoDB query when you issue a get or update item. This is the also the reason why Scan is working, because scan queries do not require a hash key value.

这篇关于IAM允许访问一种dynamoDB方法，但不能使用javascript访问AWS的另一种方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！