aws appsync - getting 401s from ios client


Problem description

So when I run queries from the AWS console, things work great. However, on my iOS client I only get 401 errors.

I'm using the basic code from the tutorial and Cognito auth:

    credentialsProvider = AWSCognitoCredentialsProvider(regionType: AWSRegion, identityPoolId: CognitoIdentityPoolId)

    let databaseURL = URL(fileURLWithPath:NSTemporaryDirectory()).appendingPathComponent(database_name)

    do {
        // Initialize the AWS AppSync configuration
        let appSyncConfig = try AWSAppSyncClientConfiguration(url: AppSyncEndpointURL, serviceRegion: AWSRegion, credentialsProvider: credentialsProvider!, databaseURL:databaseURL)

        // Initialize the AppSync client
        appSyncClient = try AWSAppSyncClient(appSyncConfig: appSyncConfig)

        // Set id as the cache key for objects
        appSyncClient?.apolloClient?.cacheKeyForObject = { $0["id"] }
    }
    catch {
        NSLog("Error initializing appsync client. \(error)")
    }

I've tried hooking up the Cognito sign-in UI, which does seem to sign me in, but I still get 401 errors from the AppSync client.

NOTE: using API-key-based auth also works fine - but Cognito is needed for this project.

Any help would be appreciated, I'm banging my head on this one.

Recommended answer

Do you have an inline policy on the IAM role for that Cognito Identity Pool that allows calls to your AWS AppSync API? It should look something like this:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "arn:aws:appsync:us-west-2:123456789012:apis/YourGraphQLApiId/*"
         ]
      }
   ]
}

You'll need to set this on the Authenticated and/or Unauthenticated Cognito role depending on how you set up your pool. More details of the IAM policies can be found here: AppSync Security Guide - AWS_IAM Authorization

Other answers

It might be a good idea to level-set some things for your setup. First go to the AWS AppSync console and, for your API, click the Settings tab on the left and select AWS Identity and Access Management (IAM) as the Authorization Type. Click Save. Then on your desktop install the awsmobile CLI:

npm install -g awsmobile-cli

Next go into your local application project directory, initialize it and add in Cognito via the user-signin feature:

cd ./my-project
awsmobile init                #select defaults
awsmobile user-signin enable

This will create & configure a new Cognito User Pool and Cognito Identity Pool automatically for you with AWS Mobile Hub. It will also set up correct IAM policies; however, at this time it doesn't configure the AppSync policy and you will need to do that manually.

Open the IAM console and click Roles on the left-hand side. In the search box type in the name of the project you created with the awsmobile CLI above. One of the roles will have a prefix of _auth_MOBILEHUB and one will have _unauth_MOBILEHUB. Depending on whether you're logging in or just using Cognito in an unauthenticated state, the client will assume one of these roles at runtime. Select that role (or do this for both) and click Add inline policy and then the JSON tab. Enter the policy below (JUST FOR TESTING):

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "appsync:GraphQL"
         ],
         "Resource": [
            "*"
         ]
      }
   ]
}

Now if you're still getting 401 errors there is something else afoot in your service setup other than the client, and you might want to open a ticket with AWS support. If, however, this is working now, then you should add restrictions to this IAM policy so that it's not so permissive. I also recommend using a more restrictive policy for authenticated users.
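As an added example (not from either answer above), the following Python script takes the test-only policy from the second answer, checks whether it actually covers a GraphQL call on a given API ARN (a simplified evaluation that ignores Deny statements and Conditions), and narrows the wildcard resource to one API as the answer recommends. The API ARN and the sample field name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample input: the JUST FOR TESTING policy from the answer above.
TEST_ONLY_POLICY = json.loads("""
{
   "Version": "2012-10-17",
   "Statement": [
      { "Effect": "Allow",
        "Action": ["appsync:GraphQL"],
        "Resource": ["*"] }
   ]
}
""")


def _as_list(value):
    # IAM allows a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def grants_graphql(policy, api_arn, type_name="Query", field="someField"):
    """Simplified check: does some Allow statement cover appsync:GraphQL on a
    field of api_arn? Deny statements and Conditions are ignored, so True is
    necessary, not sufficient, for the call to succeed."""
    # AppSync field resources look like <api arn>/types/<Type>/fields/<field>.
    target = f"{api_arn.rstrip('/')}/types/{type_name}/fields/{field}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatchcase("appsync:GraphQL", a) for a in actions) and any(
            fnmatchcase(target, r) for r in resources
        ):
            return True
    return False


def wildcard_appsync_statements(policy):
    """Indices of Allow statements granting appsync:GraphQL on Resource '*'."""
    return [
        i for i, stmt in enumerate(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and "appsync:GraphQL" in _as_list(stmt.get("Action", []))
        and "*" in _as_list(stmt.get("Resource", []))
    ]


def restrict_to_api(policy, api_arn):
    """Deep copy of policy with wildcard appsync:GraphQL resources narrowed
    to a single API, i.e. '<api arn>/*', as the answer recommends."""
    narrowed = json.loads(json.dumps(policy))
    for i in wildcard_appsync_statements(policy):
        narrowed["Statement"][i]["Resource"] = [api_arn.rstrip("/") + "/*"]
    return narrowed
```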
