How to access dataset of an identity in cognito federated identities from lambda


Problem description


Let me start with the overall description of what I'm trying to achieve. I'm building a serverless API using Lambda, Cognito (Federated Identities), API Gateway etc. I'm using aws_iam as the authorizer in API Gateway. In some endpoints, I need to access for example user e-mail or username or whatever so I can send it back in the response (also data of users who did not make the request). I guess I'm looking for some kind of "admin" access to the identity pool so I can retrieve data based on cognitoIdentityId.


Now in my case, this data is stored in a dataset in Cognito. The question is, how can I access this data from my Lambda function (node.js)? Is this a good approach at all? Should I use something else instead of datasets? Is there a working example somewhere?


I will be happy to provide more details if necessary.

Thanks

Edit #1:


Here is the code of my lambda function:

// Assumed: the AWS SDK bundled with the Lambda Node.js runtime, and the pool id taken from the environment.
const AWS = require('aws-sdk');
const IDENTITY_POOL_ID = process.env.IDENTITY_POOL_ID;

module.exports.getDataSet = (event, context, callback) => {
    console.log("event: " + JSON.stringify(event));

    // Requesting identity-pool credentials from inside the function is what produces the
    // "Unauthenticated access is not supported" error shown below; the function should
    // rely on its execution role's credentials instead (see Edit #2).
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: IDENTITY_POOL_ID
    });

    try {
        AWS.config.credentials.get(function () {
            var client = new AWS.CognitoSync();

            var params = {
                DatasetName: 'userinfo',
                // the caller's identity, populated by the Lambda proxy integration
                IdentityId: event.requestContext.identity.cognitoIdentityId,
                IdentityPoolId: IDENTITY_POOL_ID
            };
            client.listRecords(params, function (err, data) {
                if (err) {
                    console.log(JSON.stringify(err));
                    callback(err);            // end the invocation with the error
                } else {
                    console.log(data);
                    callback(null, data);     // return the dataset records
                }
            });
        });
    } catch (ex) {
        callback(ex);
    }
};


And this is what I get in err when calling listRecords:

{ "message": "Missing credentials in config", "code": "CredentialsError", "time": "2017-05-26T08:42:39.298Z", "requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349", "statusCode": 400, "retryable": false, "retryDelay": 21.688148977111666, "originalError": { "message": "Could not load credentials from CognitoIdentityCredentials", "code": "CredentialsError", "time": "2017-05-26T08:42:39.298Z", "requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349", "statusCode": 400, "retryable": false, "retryDelay": 21.688148977111666, "originalError": { "message": "Unauthenticated access is not supported for this identity pool.", "code": "NotAuthorizedException", "time": "2017-05-26T08:42:39.298Z", "requestId": "46712a9b-41ef-11e7-9e3c-074afafb3349", "statusCode": 400, "retryable": false, "retryDelay": 21.688148977111666 } } }


Edit #2:

Solved by removing

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: IDENTITY_POOL_ID
});


from the code and adding the AmazonCognitoReadOnly policy to the role that invokes the lambda.

Recommended answer


First, you need the Cognito identity of the caller to be known to the Lambda function. The request context in API Gateway includes the Cognito id, which you can put into the payload that is sent to the Lambda function, or use the Lambda proxy integration and have it included automatically.


Once you have the Cognito id in the Lambda, you can use it to retrieve an associated dataset from Cognito Sync. You can use an IAM policy like AmazonCognitoReadOnly to give your Lambda function permission to call the ListRecords API on Cognito Sync (which gives you access to the dataset).
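As an added example (not code from the question or the answer), here is a Lambda proxy handler that follows the answer: it takes cognitoIdentityId from the API Gateway request context, calls Cognito Sync ListRecords with the execution role's own credentials, and, because that role can read any identity's dataset, releases only an allow-listed set of keys when the target is someone other than the caller. Assumed: a dataset named userinfo, the Lambda proxy integration, and an injectable sync client so the logic can be exercised offline with a fake.

```javascript
'use strict';

// Accept only the form API Gateway emits for a federated identity: "<region>:<uuid>".
const IDENTITY_ID_RE = /^[a-z]{2}(-[a-z]+)+-\d:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/;
// Keys any authenticated caller may read about *another* identity (assumed; app-specific).
const PUBLIC_KEYS = ['username'];

// Flatten Cognito Sync's Records array ([{Key, Value, ...}]) into a plain object.
function recordsToObject(records) {
  const out = {};
  for (const r of records || []) out[r.Key] = r.Value;
  return out;
}

// Build the Lambda handler around a Cognito Sync client. In Lambda, pass no client and the
// real AWS.CognitoSync is created with the execution role's credentials; tests pass a fake.
function makeHandler(identityPoolId, syncClient) {
  const client = syncClient || new (require('aws-sdk').CognitoSync)();
  const reply = (callback, statusCode, body) =>
    callback(null, { statusCode, body: JSON.stringify(body) });

  return (event, context, callback) => {
    const ctx = event.requestContext && event.requestContext.identity;
    const callerId = ctx && ctx.cognitoIdentityId;
    if (!callerId || !IDENTITY_ID_RE.test(callerId)) {
      return reply(callback, 401, { error: 'not authenticated' });
    }
    // Optional path parameter {identityId} selects another user; default is the caller.
    const targetId = (event.pathParameters && event.pathParameters.identityId) || callerId;
    if (!IDENTITY_ID_RE.test(targetId)) {
      return reply(callback, 400, { error: 'malformed identity id' });
    }
    const params = { IdentityPoolId: identityPoolId, IdentityId: targetId, DatasetName: 'userinfo' };
    client.listRecords(params, (err, data) => {
      if (err) {
        console.error('listRecords failed:', err.code); // log the code, not the caller's data
        return reply(callback, 502, { error: 'dataset unavailable' });
      }
      let info = recordsToObject(data.Records);
      if (targetId !== callerId) {
        // Someone else's dataset: release only the allow-listed public keys.
        info = Object.fromEntries(Object.entries(info).filter(([k]) => PUBLIC_KEYS.includes(k)));
      }
      reply(callback, 200, { identityId: targetId, userinfo: info });
    });
  };
}

if (typeof module !== 'undefined') module.exports = { makeHandler, recordsToObject, IDENTITY_ID_RE };
```

In Lambda, export `makeHandler(process.env.IDENTITY_POOL_ID)` as the handler; the execution role only needs cognito-sync:ListRecords on this pool's datasets, which is narrower than the AmazonCognitoReadOnly managed policy the answer mentions.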
