DynamoDB fine-grained access control: is it possible to use ${cognito-identity.amazonaws.com:email}?


Question

My users have Cognito accounts.

According to this article we can restrict access to the DynamoDB API with a policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:<REGION>:<AWS_ACCOUNT_ID>:table/<TABLE>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

This looks pretty straightforward for my case, where the index key is email (and the primary sort key is utc), so I adjusted the example above to this:

    {
        "Effect": "Allow",
        "Action": "dynamodb:UpdateItem",
        "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:email}"
                ],
                "dynamodb:Attributes": [
                    "email",
                    "utc",
                    "updated",
                    "isNew"
                ]
            }
        }
    }

But I keep getting the error AccessDeniedException: User: arn:aws:sts::9876543210:assumed-role/policyname/CognitoIdentityCredentials is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:123456789123:table/history.

I tried my js http call with * permissions and it works, so the pitfall is only with this policy.

Answer

${cognito-identity.amazonaws.com:email} is not a valid policy variable. It does not resolve to your users' email addresses.

It is a shame, as most developers, like yourself, would find the user's email address more intuitive than using cognito-identity.amazonaws.com:sub or cognito-identity.amazonaws.com:aud.

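The following is an added example, not code from the question or the answer above. It shows two things a reviewer of such a policy would want: a check that flags `${cognito-identity.amazonaws.com:...}` variables Cognito Identity does not actually populate (only `:sub`, `:aud` and `:amr` exist; `:email` is not among them), and a corrected statement in which the table's partition key stores the Cognito identity ID so that `${cognito-identity.amazonaws.com:sub}` can be used as the leading key. The small `leading_keys_allowed` evaluator is a simplified model of `ForAllValues:StringEquals` on `dynamodb:LeadingKeys`: an unresolvable variable is kept as its literal text, so it can never match a real key, which yields the same outcome (deny) as the AccessDeniedException the asker saw. The account ID, region, attribute names (`userId`) and identity values are constructed placeholders.

```python
import json
import re

# Policy variables that Cognito Identity populates in the request context
# (per AWS documentation). ':email' is deliberately absent: it does not exist.
SUPPORTED_COGNITO_VARS = {
    "cognito-identity.amazonaws.com:sub",
    "cognito-identity.amazonaws.com:aud",
    "cognito-identity.amazonaws.com:amr",
}

# Matches ${name} policy variables anywhere in a policy document.
VAR_RE = re.compile(r"\$\{([^}]+)\}")

# The asker's statement, reproduced with constructed placeholder values.
ASKER_STATEMENT = {
    "Effect": "Allow",
    "Action": "dynamodb:UpdateItem",
    "Resource": "arn:aws:dynamodb:us-east-1:123456789123:table/history",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:email}"],
            "dynamodb:Attributes": ["email", "utc", "updated", "isNew"],
        }
    },
}


def corrected_statement(region, account_id, table):
    """Hypothetical corrected statement: the table's partition key (here named
    'userId', a constructed name) must hold the Cognito identity ID, which is
    what ${cognito-identity.amazonaws.com:sub} resolves to."""
    return {
        "Effect": "Allow",
        "Action": "dynamodb:UpdateItem",
        "Resource": f"arn:aws:dynamodb:{region}:{account_id}:table/{table}",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
                "dynamodb:Attributes": ["userId", "utc", "updated", "isNew"],
            }
        },
    }


def find_unsupported_variables(policy_document):
    """Return, sorted, every cognito-identity policy variable in the document
    that Cognito Identity will not resolve. Other namespaces are not checked."""
    found = set(VAR_RE.findall(json.dumps(policy_document)))
    return sorted(
        v for v in found
        if v.startswith("cognito-identity.amazonaws.com:")
        and v not in SUPPORTED_COGNITO_VARS
    )


def leading_keys_allowed(statement, request_context, leading_keys):
    """Simplified model of ForAllValues:StringEquals on dynamodb:LeadingKeys.
    Every partition-key value the request touches must equal one of the
    (variable-substituted) values in the condition. A variable missing from
    the request context is left as literal text, so it matches nothing."""
    cond = statement["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    resolved = [
        VAR_RE.sub(lambda m: request_context.get(m.group(1), m.group(0)), v)
        for v in cond
    ]
    return all(key in resolved for key in leading_keys)


if __name__ == "__main__":
    # Constructed request context as Cognito Identity would supply it.
    ctx = {"cognito-identity.amazonaws.com:sub": "us-east-1:11111111-2222-3333-4444-555555555555"}
    print("unsupported in asker's policy:", find_unsupported_variables(ASKER_STATEMENT))
    fixed = corrected_statement("us-east-1", "123456789123", "history")
    print("own item allowed:", leading_keys_allowed(fixed, ctx, [ctx["cognito-identity.amazonaws.com:sub"]]))
    print("other user's item allowed:", leading_keys_allowed(fixed, ctx, ["us-east-1:other-identity"]))
```

Run it as a pre-deployment lint over Cognito identity-pool role policies: any non-empty result from `find_unsupported_variables` means the condition can never match and every request under that statement will be denied, exactly the failure mode in the question. Migrating the key schema from email to identity ID also avoids tying authorization to a mutable, user-chosen attribute.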