AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} 策略变量访问被拒绝 [英] AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} Policy Variable Access Denied
问题描述
我正在尝试使用传输管理器从特定于用户的文件夹中将文件从 AWS S3 下载到我的 iOS 移动应用程序,如下所示:
I am trying to download a file from AWS S3 to my iOS mobile app from a folder that is specific to the user, using Transfer Manager, like so:
@IBAction func download() {
let transferManager = AWSS3TransferManager.default()!
let downloadingFileURL = URL(fileURLWithPath: NSTemporaryDirectory()).appendingPathComponent("disney1.jpg")
let downloadRequest = AWSS3TransferManagerDownloadRequest()!
downloadRequest.bucket = "sidestreamx"
// user's UUID/disney1
downloadRequest.key = "631d121f-b294-4318-b3cd-36b3b74ebdff/disney1"
downloadRequest.downloadingFileURL = downloadingFileURL
transferManager.download(downloadRequest).continue(with: AWSExecutor.mainThread(), with: {
(task: AWSTask<AnyObject>) -> Any? in
if let error = task.error as? NSError {
// handle error
return nil
}
self.imageView.image = UIImage(contentsOfFile: downloadingFileURL.path)
return nil
})
}
我的 IAM 角色权限策略如下,来自 此 AWS 文档:
My IAM role permission policy is the following, gotten from this AWS doc:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetBucketListIfRequestIsForUser",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Sid": "S3GetObjects",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::sidestreamx/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
我得到的回应是
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>E1F205B58EF4A670</RequestId>
<HostId>dUWI8PfVZL3mJmykjhXRqvFd1yt/CqDFNlwgwD3kmLk2vrMBP6JvVgezMYSROt3KyE3dx0+3eDE=</HostId>
</Error>
用户通过 AWS Cognito 用户池进行身份验证Cognito 联合身份.我已经调试并提取了 JWT 令牌,并看到 sub = "631d121f-b294-4318-b3cd-36b3b74ebdff"
.我什至使用 Charles 来查看请求/响应.
The user is authenticated via AWS Cognito User Pool & Cognito Federated Identities. I've debugged and extracted the JWT token, and seen that the sub = "631d121f-b294-4318-b3cd-36b3b74ebdff"
. I've even used Charles to see the Request/Response.
如果我用 在最后一个语句
获取 S3GetObjects
中替换 ${cognito-identity.amazonaws.com:sub}
>631d121f-b294-4318-b3cd-36b3b74ebdffarn:aws:s3:::sidestreamx/631d121f-b294-4318-b3cd-36b3b74ebdff/*
.第一个语句可以继续使用策略变量,它仍然可以工作.如果我完全删除第一个语句,它将起作用!当我将策略变量添加到最后一个语句时,它开始崩溃.
It does work if I replace ${cognito-identity.amazonaws.com:sub}
in the last statement S3GetObjects
with 631d121f-b294-4318-b3cd-36b3b74ebdff
to get arn:aws:s3:::sidestreamx/631d121f-b294-4318-b3cd-36b3b74ebdff/*
. The first statement can continue having the policy variable and it'll still work. It'll work if I remove the first statement altogether! It's when I add the policy variable to the last statement where it starts to breakdown.
我已经检查了这个堆栈溢出问题和这个,无济于事.所以是的,我不知道.我已经在这工作了将近 9 个工时,所以任何帮助都会真诚地感谢.
I've checked out this Stack Overflow question and this one, to no avail. So yea, I don't know. I've been at this for almost over 9 man hours, so any help would sincerely be appreciatd.
推荐答案
问题已解决.事实证明,${cognito-identity.amazonaws.com:sub}
并没有真正引用 JWT 令牌中的 sub
.它引用来自凭证提供者的 IdentityID:
Problem solved. Turns out, ${cognito-identity.amazonaws.com:sub}
doesn't really refer to the sub
in the JWT token. It refers to IdentityID from the credentialsProvider:
(AWSServiceManager.default().defaultServiceConfiguration.credentialsProvider
as! AWSCognitoCredentialsProvider).getIdentityId()
.continue({task -> Any? in
print("Credentials ID is (task.result!)")
return nil
})
我在bucket中手动创建了一个文件夹,名称等于task.result!
(格式为us-east-1:XXXXXXXXXXXXXXXXXX
仅供参考),它奏效了.
I manually made a folder in my bucket with the name equal to task.result!
(which is in the format of us-east-1:XXXXXXXXXXXXXXXXXX
fyi), and it worked.
这篇关于AWS S3 Transfer Manager ${cognito-identity.amazonaws.com:sub} 策略变量访问被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!