无权执行STS:AssumeRoleWithWebIdentity AWS S3 Cognito身份验证失败 [英] Not authorized to perform sts:AssumeRoleWithWebIdentity AWS s3 Cognito auth failure
问题描述
我有一个简单的iOS应用程序,上传到S3。我试图未授权的所有around-尽管地理位置优越,我想要做的Facebook。
2 IAM角色(使用向导创建)。该IAM AUTH策略(未授权的角色):
{
版本:2012年10月17日,
声明: [{
行动: [
mobileanalytics:PutEvents
cognito同步:*
]
效果:允许,
资源:
*
]
},
{
效果:允许,
行动: [
S3:PutObject
S3:GetObject的,
S3:DeleteObject
]
资源:ARN:AWS:S3 ::: [mybucketname] / *
}
]
}
我constants.h文件(洗涤):
的#define AWSID @[12位数字]
#定义PoolID @美东 - 1:长身份证号码]
#定义CRUnauth @ARN:AWS:IAM :: [ID民]:角色/ Cognito_Auth_DefaultRole
#定义CRAuth @ARN:AWS:IAM :: [ID民]:角色/ Cognito_auth_DefaultRole
我appDelegate.m文件中有这样的:
credentialsProvider = [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1帐户ID:AWSID identityPoolId:PoolID unauthRoleArn:CRUnauth authRoleArn:无]
AWSServiceConfiguration *配置= [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
credentialsProvider:credentialsProvider]。
[AWSServiceManager defaultServiceManager] .defaultServiceConfiguration =配置;
我做credentialsProvider一个属性,因为我需要添加Facebook登录在一些点。
我只是上传束图像进行测试。在我的viewController:
如果([app.fb_token长度] 0){
app.credentialsProvider.logins = @ {@(AWSCognitoLoginProviderKeyFacebook):app.fb_token};
}
AWSS3TransferManager * transferManager = [AWSS3TransferManager defaultS3TransferManager]
的UIImage *图像= [UIImage的imageNamed:@yayDot];
NSArray的*路径= NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
NSUserDomainMask,是);
的NSString * documentsDirectory = [路径objectAtIndex:0];
的NSString *路径= [documentsDirectory stringByAppendingPathComponent:
@yayDot.png];
的NSData *数据= UIImagePNGRe presentation(图像);
[数据将writeToFile:路径原子:YES];
AWSS3TransferManagerUploadRequest * uploadRequest = [AWSS3TransferManagerUploadRequest新]
uploadRequest.body = [NSURL URLWithString:路径]。
uploadRequest.key = @yayDot.png;
uploadRequest.bucket = thebucket;
[AWSLogger defaultLogger] .logLevel = AWSLogLevelVerbose;
[transferManager上传:uploadRequest] continueWithBlock:^ ID(BFTask *任务){
//做一些与响应
的NSLog(@的结果:%@,task.result);
回零;
}];
完全错误:
AWSURLResponseSerialization.m线:258 | - [AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:数据:错误:] |响应头:[{
内容长度= 299;
内容类型=为text / xml;
日子=星期二,2015年1月27日18点54分17秒格林尼治标准时间;
X-AMZN-的requestId=XXXXX;
}]
2015年1月27日10:54:18.052 AWSiOSSDKv2 [冗长] AWSURLResponseSerialization.m线:263 | - [AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:数据:错误:] |响应正文:[< ErrorResponse的xmlns =https://sts.amazonaws.com/doc/2011-06-15/>
<错误>
<类型>发件人< /型号>
< code取代; AccessDenied< / code取代;
<消息>无权执行STS:AssumeRoleWithWebIdentity< /消息>
< /错误>
<请求ID>为XXXXX< /请求ID>
< / ErrorResponse>
]
2015年1月27日10:54:18.059 lookyloo [20024:332664] AWSiOSSDKv2 [错误] AWSCredentialsProvider.m线:587 | __40- [AWSCognitoCredentialsProvider刷新] _block_invoke356 |无法刷新。错误是[错误域= com.amazonaws.AWSSTSErrorDomain code = 0的操作无法完成。(com.amazonaws.AWSSTSErrorDomain错误0。)的UserInfo = 0x7d936310 {类型=发件人,邮件=不授权执行STS:AssumeRoleWithWebIdentity,__TEXT =(
\ N,
\ N,
\ N,
\ N
),code = AccessDenied}]
看着你的code,它看起来像你正在使用的验证的作用 ARN:AWS:IAM :: [ ID民]:角色/ Cognito_Auth_DefaultRole 如您未授权的角色。默认情况下亚马逊Cognito创建角色,只有信任特定类型的访问(非认证和认证)的,因此有未经验证的访问尝试时,STS错误。 <一href="http://mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies"相对=nofollow>这个博客帖子越过政策的信任和理解Cognito如何使用它们。
切换到简化的构造应该有固定的这个给你,除非你也做了AWS控制台内同样的关联。关联在控制台中的角色,让你无法嵌入你的应用程序中的角色。
另外,如果你想用一个水桶的美国标准区域之外,你需要改变这一行:
AWSServiceConfiguration *配置= [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
credentialsProvider:credentialsProvider]。
要体现区域水桶所在。
I have a simple iOS app that uploads to s3. I'm trying unauth all around- even though ideally I want to do Facebook.
2 IAM Roles (created using the wizard). The IAM auth policy (for unauth role):
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::[mybucketname]/*"
}
]
}
My constants.h file (scrubbed):
#define AWSID @"[12 digit num]"
#define PoolID @"us-east-1:[long id number]"
#define CRUnauth @"arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole"
#define CRAuth @"arn:aws:iam::[id num]:role/Cognito_auth_DefaultRole"
My appDelegate.m file has this:
credentialsProvider = [AWSCognitoCredentialsProvider credentialsWithRegionType:AWSRegionUSEast1 accountId:AWSID identityPoolId:PoolID unauthRoleArn:CRUnauth authRoleArn:nil];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
I made credentialsProvider a property since I need to add the Facebook login at some point.
I'm simply uploading a bundle image to test this. In my viewController:
if([app.fb_token length] > 0){
app.credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyFacebook): app.fb_token };
}
AWSS3TransferManager *transferManager = [AWSS3TransferManager defaultS3TransferManager];
UIImage *image = [UIImage imageNamed:@"yayDot"];
NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
NSUserDomainMask, YES);
NSString *documentsDirectory = [paths objectAtIndex:0];
NSString* path = [documentsDirectory stringByAppendingPathComponent:
@"yayDot.png" ];
NSData* data = UIImagePNGRepresentation(image);
[data writeToFile:path atomically:YES];
AWSS3TransferManagerUploadRequest *uploadRequest = [AWSS3TransferManagerUploadRequest new];
uploadRequest.body = [NSURL URLWithString:path];
uploadRequest.key = @"yayDot.png";
uploadRequest.bucket = thebucket;
[AWSLogger defaultLogger].logLevel = AWSLogLevelVerbose;
[[transferManager upload:uploadRequest] continueWithBlock:^id(BFTask *task) {
// Do something with the response
NSLog(@"result: %@", task.result);
return nil;
}];
Full error:
AWSURLResponseSerialization.m line:258 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
"Content-Length" = 299;
"Content-Type" = "text/xml";
Date = "Tue, 27 Jan 2015 18:54:17 GMT";
"x-amzn-RequestId" = "xxxxx";
}]
2015-01-27 10:54:18.052 AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:263 | -[AWSXMLResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type>Sender</Type>
<Code>AccessDenied</Code>
<Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>
</Error>
<RequestId>xxxxx</RequestId>
</ErrorResponse>
]
2015-01-27 10:54:18.059 lookyloo[20024:332664] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:587 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke356 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "The operation couldn’t be completed. (com.amazonaws.AWSSTSErrorDomain error 0.)" UserInfo=0x7d936310 {Type=Sender, Message=Not authorized to perform sts:AssumeRoleWithWebIdentity, __text=(
"\n ",
"\n ",
"\n ",
"\n "
), Code=AccessDenied}]
looking at your code, it looks like you were using the "Auth" role arn:aws:iam::[id num]:role/Cognito_Auth_DefaultRole as your unauth role. By default Amazon Cognito creates roles that only trust the specific kind of access (unauthenticated and authenticated), hence the sts error when trying with unauthenticated access. This blog post goes over trust policies and understanding how Cognito uses them.
Switching to the simplified constructor should have fixed this for you, unless you also made the same association inside of the AWS console. Associating your roles in the console allows you to not embed your roles inside your application.
Also, if you want to use a bucket outside of the "US Standard" region, you would need to change this line:
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionSAEast1
credentialsProvider:credentialsProvider];
To reflect the region where the bucket resides.
这篇关于无权执行STS:AssumeRoleWithWebIdentity AWS S3 Cognito身份验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
