如何将 DynamoDB 细粒度访问控制与 Cognito 用户池结合使用? [英] How to use DynamoDB fine grained access control with Cognito User Pools?
问题描述
在使用 Cognito 用户池登录时,我无法理解如何在 DynamoDB 上使用细粒度访问控制.我已经按照文档搜索并搜索,但由于某种原因,我似乎无法让它正常工作.
I'm having trouble understanding how to use fine-grained access control on DynamoDB when logged in using Cognito User Pools. I've followed the docs and googled around, but for some reason I can't seem to get it working.
下面列出了我的 AWS 设置.如果我删除角色策略中的条件,我可以毫无问题地获取和放置项目,因此条件似乎是问题所在.但我不知道如何或在哪里调试依赖于经过身份验证的身份的策略 - 哪些变量可用,它们的值是什么等等.
My AWS setup is listed below. If I remove the condition in the role policy, I can get and put items no problem, so it seems likely that the condition is the problem. But I can't figure out how or where to debug policies that depend on authenticated identities - what variables are available, what are their values, etc etc.
任何帮助将不胜感激!
DynamoDB 表
- 表名:文档
- 主分区键:userID(字符串)
- 主排序键:docID(字符串)
DynamoDB 示例行
{
"attributes": {},
"docID": "0f332745-f749-4b1a-b26d-4593959e9847",
"lastModifiedNumeric": 1470175027561,
"lastModifiedText": "Wed Aug 03 2016 07:57:07 GMT+1000 (AEST)",
"type": "documents",
"userID": "4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb"
}
Cognito 用户池用户
- 用户状态:已启用/已确认
- MFA 状态:已禁用
- 子:4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb
- email_verified:真实
RoleName"的角色政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem"
],
"Resource": [
"arn:aws:dynamodb:ap-southeast-2:NUMBER:table/documents"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
从 cognitoUser.getUserAttributes() 返回的登录信息
attribute sub has value 4fbf0c06-03a9-4cbe-b45c-ca4cd0f5f3cb
attribute email_verified has value true
attribute email has value ****@****com
错误信息
Code: "AccessDeniedException"
Message: User: arn:aws:sts::NUMBER:assumed-role/ROLE_NAME/CognitoIdentityCredentials is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-2:NUMBER:table/documents
推荐答案
策略变量 "${cognito-identity.amazonaws.com:sub}" 不是您从中获得的用户子Cognito 用户池.实际上,当您将 Cognito 用户池中的用户与联合身份服务联合时,由 Cognito 联合身份服务生成的用户身份 ID.
The policy variable "${cognito-identity.amazonaws.com:sub}" is not the user sub which you get from Cognito user pools. It is in fact the identity id of a user which is generated by the Cognito Federated Identity service when you federate a user from Cognito User Pools with Federated identity service.
由于 "${cognito-identity.amazonaws.com:sub}" 中的值永远不会匹配您在 DynamoDB 行中的值,因此它会因 AccessDenied 而失败.为此,Dynamo 条目中的 userId 实际上应该是身份 ID,而不是 sub.目前,IAM 策略变量与 Cognito 用户池服务之间没有直接联系.
Since, the value in "${cognito-identity.amazonaws.com:sub}" never matches what you have in your DynamoDB row, it fails with AccessDenied. For this to work, the userId in your Dynamo entry should actually be the identity id, not sub. Currently, there is no direct link between IAM policy variables and Cognito User Pools service.
这里有一些文档链接可能会有所帮助.
1. 具有 Cognito 联合身份服务的 IAM 角色
2. 集成具有 Cognito 联合身份服务的用户池
Here are some doc links which might help.
1. IAM roles with Cognito Federated Identity Service
2. Integrating User Pools with Cognito Federated Identity Service
这篇关于如何将 DynamoDB 细粒度访问控制与 Cognito 用户池结合使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
