AWS Cognito iOS Developer Authenticated Identities
I am trying to use Amazon Cognito with developer authenticated identities. My API is successfully returning an id and token. However, when I use these tokens to upload content to S3 I receive the following error:

Not authorized to perform sts:AssumeRoleWithWebIdentity
Below is my code for setting up the credentials provider.
ZGAWSIdentityProvider *identityProvider = [ZGAWSIdentityProvider new];
[identityProvider setIdentityPoolId:AWS_IDENTITY_POOL_ID];

AWSCognitoCredentialsProvider *credentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                      initWithRegionType:AWSRegionUSEast1
                                                      identityProvider:identityProvider
                                                      unauthRoleArn:AWS_UNAUTH_ROLE_ARN
                                                      authRoleArn:AWS_AUTH_ROLE_ARN];

AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSWest1
                                                                     credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
And I am using the template provided at http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#create-an-identity-pool-that-supports-developer-authenticated-identities to create the identity provider.
@implementation ZGAWSIdentityProvider

@synthesize identityPoolId=_identityPoolId;
@synthesize identityId=_identityId;
@synthesize token=_token;

- (BFTask *)getIdentityId {
    // Should ensure that identityId property is valid. The below code can probably
    // be used for most use cases.
    if (self.identityId) {
        return [BFTask taskWithResult:nil];
    } else {
        return [[BFTask taskWithResult:nil] continueWithBlock:^id(BFTask *task) {
            if (!self.identityId) {
                return [self refresh];
            }
            return nil;
        }];
    }
}

- (BFTask *)refresh {
    BFTaskCompletionSource *task = [BFTaskCompletionSource taskCompletionSource];
    __weak __typeof(self)weakSelf = self;
    [[ZGAccountController sharedInstance] getAWSCredentialsWithCompletion:^(NSDictionary *credentials) {
        // Both the identity id and the token must be present before the
        // credentials provider can exchange them for AWS credentials.
        if (credentials && [credentials objectForKey:@"identity_id"] && [credentials objectForKey:@"token"]) {
            __strong __typeof(weakSelf)strongSelf = weakSelf;
            strongSelf.identityId = [credentials objectForKey:@"identity_id"];
            strongSelf.token = [credentials objectForKey:@"token"];
            [task setResult:nil];
        } else {
            NSError *error = [NSError errorWithDomain:@"com.##.##" code:-1 userInfo:nil];
            [task setError:error];
        }
    }];
    return task.task;
}

@end
It appears to be an issue with Role Trust. I created the identity pool using the Amazon web interface and have double checked that the identity pool id is correct. I have been able to successfully upload with unauthenticated identities, so I believe it is not a role permissions issue.
Sorry for all the trouble.

There is a small issue with how the identity provider and credentials provider interact that is not properly documented or handled well. The credentials provider pivots between the unauth and auth role ARN based on whether or not there are logins attached on the provider. If you aren't storing any additional logins on the provider, it will treat it as unauthenticated and use the unauth role, resulting in the STS error you are seeing. You can work around this by doing something like the following in your identity provider's refresh:
// add login to the map to make sure CredentialsProvider treats us as authenticated
NSMutableDictionary *temp = [NSMutableDictionary dictionaryWithDictionary:self.logins];
[temp setObject:@"temp" forKey:@"myprovider"];
self.logins = temp;
Update 2015-03-10: You may want to consider looking at our end-to-end example for a better method for handling this. In that sample, we include the actual values for the user identifier, then pass the entire contents of the logins property to the backend.
If you're successfully able to do this while unauthenticated, there are a few possibilities here.

First of all, make sure your unauthenticated role ARN is different from your authenticated role ARN. Additionally, ensure that, in the trust policy (accessible via the appropriate role from this link), the amr points to "authenticated".

If you have any other questions, this blog post goes over the process at a high level.
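For reference, this is the shape of the trust policy on the authenticated role that the answer above refers to; it is an added example, not taken from the question or either answer, and the identity pool id is a placeholder. The token Cognito issues for a developer-authenticated identity carries an amr claim of "authenticated", so AssumeRoleWithWebIdentity only succeeds against a role whose trust policy accepts that value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:IDENTITY-POOL-ID-PLACEHOLDER"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```

The unauthenticated role's trust policy differs only in the amr value ("unauthenticated"), which is why a developer-authenticated token presented against the unauth role ARN is refused with the error in the question.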