AWS DynamoDB access from Android, access denied to table


Question

I'm trying to do CRUD operations on a NoSQL DynamoDB. I originally had not integrated a Cognito pool with my project on the AWS Mobile Hub, but I have now done that and replaced my json file in the "raw" directory in my project. The DB is completely public, both read and write, but for some reason I keep getting this error:

com.amazonaws.AmazonServiceException: User: arn:aws:sts::1234567890:assumed-role/shoppinglist_unauth_MOBILEHUB_1234567890/CognitoIdentityCredentials is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:1234567890:table/ShoppingLists (Service: AmazonDynamoDB; Status Code: 400; Error Code: AccessDeniedException; Request ID: BQ0HAP7PUGO6AUC04LOHUND1V3VV4KQNSO5AEMVJF66Q9ASUAAJG)

I've changed all the identifying numbers to 1234567890 for security reasons.

This is my .json file:

{
  "UserAgent": "MobileHub/1.0",
  "Version": "1.0",
  "CredentialsProvider": {
    "CognitoIdentity": {
      "Default": {
        "PoolId": "us-east-1******************",
        "Region": "us-east-1"
      }
    }
  },
  "IdentityManager": {
    "Default": {}
  },
  "CognitoUserPool": {
    "Default": {
      "PoolId": "us-east-1_*******",
      "AppClientId": "5lg571jsd60ruvair8jiqpefbs",
      "AppClientSecret": "bqn8edlp19gfgogfhf4j9qg1mq8u8ftpb328f652n0451gl2dnt",
      "Region": "us-east-1"
    }
  },
  "DynamoDBObjectMapper": {
    "Default": {
      "Region": "us-east-1"
    }
  },
  "PinpointAnalytics": {
    "Default": {
      "AppId": "27e0f3ee2e63419c9dc8f18f23a294fe",
      "Region": "us-east-1"
    }
  },
  "PinpointTargeting": {
    "Default": {
      "Region": "us-east-1"
    }
  }
}

This is my onCreate() method in my main activity class:

// Initialize the Mobile Client from the awsconfiguration.json in res/raw
AWSMobileClient.getInstance().initialize(this, awsStartupResult ->
        Log.d("YourMainActivity", "AWSMobileClient is instantiated and you are connected to AWS!"))
        .execute();

// Instantiate an AmazonDynamoDBClient using the Cognito credentials provider
AmazonDynamoDBClient dynamoDBClient = new AmazonDynamoDBClient(AWSMobileClient.getInstance().getCredentialsProvider());
this.dynamoDBMapper = DynamoDBMapper.builder()
        .dynamoDBClient(dynamoDBClient)
        .awsConfiguration(AWSMobileClient.getInstance().getConfiguration())
        .build();

// Network calls must run off the UI thread
Runnable runnable = () -> {
    dbClient = new AmazonDynamoDBClient(AWSMobileClient.getInstance().getCredentialsProvider());
    // Create a table reference; loadTable() calls DescribeTable first,
    // which is the action named in the AccessDeniedException above
    dbTable = Table.loadTable(dbClient, "ShoppingLists");
    Document memo = new Document();
    memo.put("Apple", "apple");
    dbTable.putItem(memo);
};
Thread myThread = new Thread(runnable);
myThread.start();

My build.gradle should hold the correct dependencies; those are here, granted it may be a bit of a mess:

    implementation fileTree(include: ['*.jar'], dir: 'libs')
    implementation 'com.android.support:appcompat-v7:27.1.1'
    implementation 'com.android.support.constraint:constraint-layout:1.1.0'
    testImplementation 'junit:junit:4.12'
    androidTestImplementation 'com.android.support.test:runner:1.0.1'
    androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.1'
    implementation 'com.android.support:recyclerview-v7:27.1.1'
    implementation ('com.amazonaws:aws-android-sdk-mobile-client:2.6.+@aar') { transitive = true }
    implementation 'com.amazonaws:aws-android-sdk-core:2.6.18'
    implementation 'com.amazonaws:aws-android-sdk-s3:2.6.18'
    implementation 'com.amazonaws:aws-android-sdk-ddb:2.6.18'
    implementation 'com.amazonaws:aws-android-sdk-ddb-mapper:2.6.18'
    compile 'com.amazonaws:aws-android-sdk-core:2.6.18'
    compile 'com.amazonaws:aws-android-sdk-ddb:2.6.18'
    compile 'com.amazonaws:aws-android-sdk-ddb-document:2.4.4'
    // Mobile Client for initializing the SDK
    implementation ('com.amazonaws:aws-android-sdk-mobile-client:2.6.+@aar') { transitive = true }

    // Cognito UserPools for SignIn
    implementation 'com.android.support:support-v4:27.1.1'
    implementation ('com.amazonaws:aws-android-sdk-auth-userpools:2.6.+@aar') { transitive = true }

    // Sign in UI Library
    implementation 'com.android.support:appcompat-v7:27.1.1'
    implementation ('com.amazonaws:aws-android-sdk-auth-ui:2.6.+@aar') { transitive = true }

As far as I can tell this should work fine. I was helped by another helpful person here to get to the point where it would connect to AWS, which it did do at one point, but I just can't seem to access the table.

I guess I have two questions: is it possible to do this without a Cognito pool at all and just have it completely unsecure? And if not, how do I get this to work with the Cognito pool? Should the Cognito pool have user names associated with it?

Recommended answer

Let me try to answer your questions.

1) Can you do this without a Cognito Identity pool? The answer is yes. This doesn't automatically mean that it is insecure - you can use AWS credentials that you set up for an IAM user. The best practice, however, is to use a Cognito Identity pool, which will give you temporary AWS credentials that are valid for a short amount of time.

2) When you create a Cognito Identity pool, two roles (named auth and unauth) are automatically created. The "auth" role is for the cases where you have a signed-in user (for example, signed in using a social login like Facebook and federated to AWS through the Identity pool) and the "unauth" role is for a user who hasn't yet signed in. You can fine-tune the access privileges for these roles using IAM policies to best suit your application's needs.

See this page (https://docs.aws.amazon.com/aws-mobile/latest/developerguide/how-to-nosql-integrate-an-existing-table.html) for specific instructions on how to get this working.
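The answer's point 2 (tuning the unauth role with an IAM policy) is where the question's error gets fixed: the assumed role in the exception is the unauth role, and the action it is missing is `dynamodb:DescribeTable` on the `ShoppingLists` table, which `Table.loadTable()` calls before any read or write. The following is an added example, not code from the question, the answer or AWS: it builds a least-privilege policy document for the unauth role scoped to that one table, and includes a deliberately simplified IAM evaluator (Allow/Deny statements with `*` wildcards, no Condition blocks or policy variables) to show which requests it would permit. The account id `1234567890` and the table name are the placeholder values from the question; the region `us-east-1` comes from the posted configuration.

```python
"""Least-privilege policy for the Cognito "unauth" role, plus a tiny
evaluator showing why DescribeTable must be granted.

Added example, not from the original post or from AWS documentation.
Assumptions: account id 1234567890 and table ShoppingLists are the
placeholder values from the question; is_allowed() is a simplified
model of IAM (Effect Allow/Deny, '*' and '?' wildcards in Action and
Resource, no Condition blocks, no policy variables, no SCPs)."""
import fnmatch
import json

TABLE_ARN = "arn:aws:dynamodb:us-east-1:1234567890:table/ShoppingLists"

# Attach this to the unauth role. Only data-plane actions on one table,
# plus DescribeTable because Table.loadTable() issues it first (that is
# the action named in the question's AccessDeniedException). Control-plane
# actions such as DeleteTable are deliberately absent.
UNAUTH_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ShoppingListsDataPlane",
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query",
                "dynamodb:Scan",
            ],
            # The table itself and any of its secondary indexes.
            "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"],
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """Wildcard match: '*' any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins over everything,
    otherwise any matching Allow grants access, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def policy_json(policy=UNAUTH_TABLE_POLICY):
    """Serialized form suitable for pasting as the role's inline policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json())
    # The exact request that failed in the question:
    print(is_allowed(UNAUTH_TABLE_POLICY, "dynamodb:DescribeTable", TABLE_ARN))
```

The policy is intentionally narrower than a `dynamodb:*` on `*` grant: an unauthenticated Cognito identity is obtainable by anyone who has the app, so whatever the unauth role allows is effectively public, which is why it should name the one table ARN and only the item-level actions the app actually performs.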
