

AWS API gateway - how to do S3 Cognito userpool-restricted folder access?

My application uses Cognito user pools to restrict access so that each user may access their own personal folder read/write in a "private" bucket. In a "public" bucket it is the same, except that everyone has read access to everything and write access only to their own folder. This all works fine when accessed via the JavaScript S3 SDK.

I am now trying to implement access via the API Gateway talking to a Lambda function which accesses S3.

The problem is that it appears that the Cognito Userpool identity is not being used by the Lambda function. If I give the Lambda function role total S3 access, then the function is able to access S3 fine and the function works. If, however, I have the role policies in place to restrict by Cognito Userpool ID as described above, then I get access denied.

It appears to me that the Userpool Cognito Identity is not what the Lambda function is using.

Can anyone suggest the correct configuration for this setup?

Thanks

API Gateway and Lambda do not automatically support this use case.

The Lambda function is running with the identity of its execution role, thus its context won't contain the identity attributes from the Cognito user pool. (The context object in the Lambda function contains the context from Lambda's perspective.)

API Gateway exposes the Cognito user pool identity information via the $context.authorizer.claims variable within API Gateway. To access this information from within your Lambda function, you must modify your body mapping template in API Gateway to pass the desired data from $context.authorizer.claims to your Lambda function via the request body. Your Lambda function then reads this information from the request body like any other field.

In this scenario there is no mechanism to automatically restrict permissions to S3 buckets/objects on a per Cognito-user basis. You could implement logic within your Lambda function to enforce it using custom code.
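One way to implement the custom enforcement the answer describes, as an added example that is not code from the question or answer above: the body mapping template forwards `$context.authorizer.claims.sub` into the request body, and the Lambda handler checks the requested key against that user's folder before touching S3. The bucket names, the `<sub>/` folder layout and the body field names are assumptions for this example.

```python
import json
import re

# Assumed bucket names for this example (not from the original post).
PRIVATE_BUCKET = "example-private-bucket"
PUBLIC_BUCKET = "example-public-bucket"
# Cognito user-pool "sub" claims are UUIDs; anything else is rejected outright.
_SUB_RE = re.compile(r"^[A-Za-z0-9-]+$")


def is_allowed(claims, bucket, key, operation):
    """Decide whether the user in `claims` may run `operation` on bucket/key.

    Policy from the question: private bucket = own folder only (read/write);
    public bucket = everyone reads, writes only inside own folder.
    Folder layout "<sub>/..." is an assumption of this example.
    """
    sub = claims.get("sub", "")
    if not _SUB_RE.match(sub):
        return False
    # Reject traversal and normalisation tricks before any prefix comparison.
    if key.startswith("/") or "/../" in f"/{key}/" or "//" in key:
        return False
    own_prefix = f"{sub}/"
    if bucket == PRIVATE_BUCKET:
        return key.startswith(own_prefix) and operation in ("get", "put", "delete")
    if bucket == PUBLIC_BUCKET:
        if operation == "get":
            return True
        return operation in ("put", "delete") and key.startswith(own_prefix)
    return False  # unknown bucket: deny by default


def lambda_handler(event, context):
    """Entry point. Expects the body produced by a mapping template such as
    {"claims": {"sub": "$context.authorizer.claims.sub"}, "bucket": ..., "key": ..., "operation": ...}
    (the field names other than the claim path are assumptions)."""
    body = event if isinstance(event, dict) else json.loads(event)
    claims = body.get("claims") or {}
    bucket, key, op = body.get("bucket", ""), body.get("key", ""), body.get("operation", "")
    if not is_allowed(claims, bucket, key, op):
        return {"statusCode": 403, "body": json.dumps({"error": "access denied"})}
    # Authorised: the S3 call would be made here with the execution role's credentials,
    # e.g. boto3.client("s3").get_object(Bucket=bucket, Key=key); omitted so this runs offline.
    return {"statusCode": 200, "body": json.dumps({"bucket": bucket, "key": key, "operation": op})}
```

Because the execution role still needs access to both buckets, every write and read path must go through `is_allowed`; the role policy alone cannot distinguish users.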

