如何使用Cognito Identity以信任关系指定Amazon AWS User Pool
[英]How to specify Amazon AWS User Pool in trust relationship with Cognito Identity
问题描述
I have AWS Cognito User Pool logins working, and I have a Federated Identity Pool with the User Pool connected and specified as the authentication provider in the console. 
我有AWS Cognito用户池登录工作,我有一个联合身份池,其中连接了用户池,并在控制台中指定为身份验证提供程序。
But now I am trying to get trust working between the Cognito User Pool and the Cognito Identity Pool. 但现在我正努力在Cognito用户池和Cognito Identity Pool之间建立信任。
In the code snippet below you can see my trust relationship for the unauthenticated role. 在下面的代码段中,您可以看到我对未经身份验证的角色的信任关系。 (The authenticated role version matches exactly at the moment, eventually it won't but I made them the same and gave both roles privileges in an attempt to see it work). (经过身份验证的角色版本目前完全匹配,最终它不会,但我将它们设置为相同并赋予两个角色特权以试图使其工作)。 xxxx is the CognitoIdentityId that is pre-filled, and yyyy is my account number and zzzz is the Cognito User Pool ID. xxxx是预填充的CognitoIdentityId,yyyy是我的帐号,zzzz是Cognito用户池ID。
I keep getting errors when I try to create the trust relationship and use the app. 当我尝试创建信任关系并使用应用程序时,我不断收到错误。 Here is the most common error: 这是最常见的错误:
getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=InvalidIdentityPoolConfigurationException, message=Invalid identity pool configuration. Check assigned IAM roles for this pool.}]
2016-08-29 21:50:11.634 signin[7778:1222711] AWSiOSSDK v2.4.7 [Error] AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=InvalidIdentityPoolConfigurationException, message=Invalid identity pool configuration. Check assigned IAM roles for this pool.}]
The trust relationship: 信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxx”,
"cognito-idp.amazonaws.com:aud": "arn:aws:cognito-idp:us-east-1:yyyyyyyy:userpool/zzzzzzzzz”
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated",
"cognito-idp.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
Part of the problem may be that I don't understand the format of the "cognito-idp.amazonaws.com:aud": "cognito-idp.amazonaws.com:aud" line. 部分问题可能是我不理解“cognito-idp.amazonaws.com:aud”的格式:“cognito-idp.amazonaws.com:aud”这一行。 I suspect that I should be changing the format in some way or specifying a different domain of amazonaws.com as the aud, but I have tried a dozen combinations and failed. 我怀疑我应该以某种方式更改格式或指定amazonaws.com的不同域作为aud,但我已经尝试了十几种组合并且失败了。
So the question is: How to specify the trust relationship. 所以问题是:如何指定信任关系。
And a subsidiary question is: Is the idea that if my user authenticates with the user pool, and if the trust relationship is specified properly, that my user will take on the roles that specify that trust? 一个辅助问题是:如果我的用户使用用户池进行身份验证,并且如果正确指定了信任关系,那么我的用户是否会接受指定该信任的角色? Or does the user only take on one role somehow, and how is that role chosen by Cognito if multiple trust relationships exist? 或者用户是否仅以某种方式承担一个角色,如果存在多个信任关系,Cognito如何选择该角色?
1 个解决方案
解决方案1
0 已采纳 2016-09-01 19:34:25
There are three problems here in the trust relationship policy, 信任关系政策存在三个问题,
- "cognito-idp.amazonaws.com:aud" is not needed, this role is assumed by identity pool, user pool is just a provider, it's not relevant anymore 不需要“cognito-idp.amazonaws.com:aud”,这个角色由身份池承担,用户池只是一个提供者,它不再相关
- "cognito-idp.amazonaws.com:amr" is not needed 不需要“cognito-idp.amazonaws.com:amr”
- If this is an authenticated role, the amr should be authenticated instead of unauthenticated 如果这是经过身份验证的角色,则应该对amr进行身份验证而不是未经身份验证
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.