Cognito / IAM政策与放大器; S3找对象 [英] Cognito/IAM Policies & S3 Get Object

问题描述

我想S3和Cognito融入我的iOS应用，到目前为止还没有成功。我相信错误是连接到我的IAM策略验证和未授权的用户。因此，这里是我的策略：

I'm trying to integrate S3 and Cognito into my iOS App, so far not successfully. I believe the error is connected to my IAM Policy for Auth and Unauth users. So here's my policy:

{
  "Version": "2012-10-17",
  "Statement":
   [{
    "Effect":"Allow",
    "Action":"cognito-sync:*",
    "Resource":["arn:aws:cognito-sync:us-east-1:XXXXXXXXXXXX:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"]
  },
  {
      "Effect":"Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
  }
 ]
}

这里是我打电话S3：

here is where I call S3:

    AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
    getObjectRequest.key = KEY;
    getObjectRequest.bucket = BUCKET;

    //default service has been configured previously
    AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];

    [[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
        if(task.error)
        {
            NSLog(@"Error: %@",task.error);
        }
        else
        {
            NSLog(@"Got File");
            NSData *data = [task.result body];
            NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            NSURL *url = [[NSURL alloc] initWithString:urlString];
            if ([[UIApplication sharedApplication] canOpenURL:url]) {
                [[UIApplication sharedApplication] openURL:url];
            }

        }
        return nil;
    }];

和这里是错误：

错误：错误域= com.amazonaws.AWSSTSErrorDomain code = 0AccessDenied - 无权执行STS：AssumeRoleWithWebIdentity的UserInfo = 0x10a23e0a0 {NSLocalizedDescription = AccessDenied - 无权执行STS：AssumeRoleWithWebIdentity}

Error: Error Domain=com.amazonaws.AWSSTSErrorDomain Code=0 "AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity" UserInfo=0x10a23e0a0 {NSLocalizedDescription=AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity}

那么，我究竟做错了什么？

So, what am I doing wrong?

推荐答案

您所遇到的错误

Not authorized to perform sts:AssumeRoleWithWebIdentity

在您的信任政策，是因为一个错误，不是你的访问策略。

Is due to an error in your trust policy, not your access policy.

这是被创建为Cognito安装向导的一部分的作用？你有没有以任何方式修改中的作用？由Cognito控制台创建的角色被固定到它与创造的具体身份池。请确保您使用的是与你的应用程序正在使用的身份池创建的角色。

Is this the role that was created as part of the Cognito setup wizard? Did you modify the role in any way? The role created by the Cognito console is pinned to the specific identity pool it was created with. Make sure you are using the role that was created with the identity pool you are using in your application.

这篇关于Cognito / IAM政策与放大器; S3找对象的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！