Cognito / S3用户特定策略
[英]Cognito / S3 User Specific Policies
问题描述
I am using the AWS SDK for Android alongside Cognito to authenticate users (via Login With Amazon) to my AWS resources. 
我正在使用AWS SDK for Android和Cognito来验证用户(通过使用Amazon登录)到我的AWS资源。 What I am attempting to do is to setup an S3 bucket like so: 我试图做的是设置一个S3桶,如下所示:
./my-bucket
├── first_user@email.com
└── second_user@email.com
So, the my-bucket bucket will have folders based on the user's e-mail address. 因此, my-bucket桶将具有基于用户电子邮件地址的文件夹。
My first stab to setup the policy was as such: 我第一次尝试制定政策是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-bucket"]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}",
"arn:aws:s3:::my-bucket/${www.amazon.com:user_id}/*"
]
}
]
}
As a test, I am trying to download a folder for a user like so: 作为测试,我试图为用户下载一个文件夹,如下所示:
final Map logins = new HashMap();
logins.put("www.amazon.com", token);
credentialsProvider.withLogins(logins);
final TransferManager transferManager = new TransferManager(credentialsProvider);
MultipleFileDownload download = transferManager.downloadDirectory("my-bucket", "first_user@email.com", new File("/sdcard/Download"));
However, when I run this I get a "Forbidden" exception. 但是,当我运行它时,我得到一个“禁止”的例外。 If I modify the policy to explicitly reference first_user@email.com rather than ${www.amazon.com:user_id} it works fine. 如果我修改策略以明确引用first_user@email.com而不是${www.amazon.com:user_id}它可以正常工作。
Question 题
- Is this even possible to be able to use the LWA user's e-mail address to configure it like this? 这甚至可以使用LWA用户的电子邮件地址来配置它吗?
- Is there a way to log actually what parameters are happening when I make a request? 有没有办法在我提出请求时实际记录发生的参数?
I've seen references like this but I'm not sure which ones actually apply. 我见过像这样的引用,但我不确定哪些实际适用。 It would be fantastic if I were somehow able to see what values are coming across when I make a request. 如果我以某种方式能够看到我提出请求时遇到的值,那将是非常棒的。
Thanks in advance. 提前致谢。
1 个解决方案
解决方案1
2 已采纳 2014-09-05 18:07:15
In answer to your questions: 在回答你的问题时:
- No it is not possible to do this with Cognito or web identity federation with just Login with Amazon. 使用Amazon登录时,使用Cognito或Web身份联合是不可能的。 The identifiers returned in this flow are pseudo-anonymous. 此流程中返回的标识符是伪匿名的。 Cognito IDs will be of the form us-east-1:abcd-123456-xxxxx-xxxxx-xxxx . Cognito ID的格式为us-east-1:abcd-123456-xxxxx-xxxxx-xxxx 。 If you use Login with Amazon directly, the IDs would be of the form amzn-1234567890 . 如果您直接使用“登录亚马逊”,则ID的格式为amzn-1234567890 。
- The IDs vended from Cognito are available on the credentials provider by simply calling the getIdentityId method. 只需调用getIdentityId方法,凭据提供程序即可从Cognito中获得ID。 If you are using the raw web identity federation flow, the AssumeRoleWithWebIdentityResult class contains the values for the provider, application/audience and user id. 如果您使用的是原始Web联合身份验证流,则AssumeRoleWithWebIdentityResult类包含提供者,应用程序/受众和用户ID的值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.