How to restrict a Cognito user pool user to their own folder in an S3 bucket?
I am writing a basic React Native app where users will be able to register themselves in an AWS Cognito user pool and log in with that identity to store/retrieve their data from S3. I only have one bucket and every user will have their own folder in that bucket. How can I restrict each user to their own folder in that case? Here is the scenario.

I created two users in the user pool.

I then created a federated identity for my user pool. This federated identity has two IAM roles, authorized and unauthorized.

I then added a policy to the auth role of the federated identity. Here is my policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "arn:aws:s3:::mybucket/${cognito-identity.amazonaws.com:sub}/*"
    }
  ]
}

I then tried to retrieve data from S3 using the JavaScript SDK and I could ListObjects from "album-b207a8df-58e8-49cf-ba1b-0b48b7252291", where "b207a8df-58e8-49cf-ba1b-0b48b7252291" is the sub of the "madi" user. Why was "test2" able to list that object?
Can you provide a snippet of the onClick_Cognito_receiptsdumpAuth_Role.*** ??

My guess (without your logs) is that your policy is probably good, but you might have a policy that grants list access to too much.

Your AWS class is being inited with your developer credentials (which might have full Admin).

Next steps I would try: you might have an action:List* or equivalent.

Also, the best hidden secret (it's not really a secret) is the policy simulator. Test your policy against that and it will tell you if at least the policy is good, and don't forget that IAM policies are concatenated.

Lastly, if you can't figure out how the access is provided to the List operation, you can enable CloudTrail to dump API logs to S3 and verify that the ListObjects is being run by the Cognito user you are expecting.
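An added example, not code from the question or the answer: a toy evaluator for the Allow/wildcard/variable/StringLike subset these policies use, showing that the posted policy never matches a ListObjects call (that is s3:ListBucket on the bucket ARN arn:aws:s3:::mybucket, not on an object ARN), that a second List* policy concatenated onto the same role would, and how a per-user policy narrows listing with an s3:prefix condition. The identity IDs, the extra List* policy and the corrected per-user policy are constructed assumptions.

```python
import fnmatch

VAR = "${cognito-identity.amazonaws.com:sub}"
# Constructed identity-pool IdentityIds (what VAR resolves to: the identity pool id, not the user-pool sub).
ME = "us-east-1:11111111-2222-3333-4444-555555555555"
OTHER = "us-east-1:99999999-8888-7777-6666-555555555555"
BUCKET = "arn:aws:s3:::mybucket"

# The asker's policy as posted: it only names object ARNs under the caller's own prefix.
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": BUCKET + "/" + VAR + "/*"}]}
# Hypothetical extra policy on the same role: the "action:List*" the answer suspects.
BROAD_LIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "*"}]}
# Per-user policy (assumption, the standard AWS pattern): s3:ListBucket is a bucket-level
# action, so it is granted on the bucket ARN and narrowed with an s3:prefix condition.
PER_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": VAR + "/*"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/" + VAR + "/*"}]}

def _any(value, patterns, identity_id):
    # IAM wildcards "*" and "?" after substituting the policy variable; patterns may be str or list.
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p.replace(VAR, identity_id)) for p in pats)

def is_allowed(policies, action, resource, identity_id, context=None):
    """Toy evaluator for the Allow/wildcard/variable/StringLike subset used here; all policies on the role count."""
    context = context or {}
    for policy in policies:
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow" or not _any(action, st["Action"], identity_id):
                continue
            if not _any(resource, st["Resource"], identity_id):
                continue
            cond = st.get("Condition", {}).get("StringLike", {})
            if all(k in context and _any(context[k], v, identity_id) for k, v in cond.items()):
                return True
    return False

def list_checks():
    """(asker lists own prefix, asker+List* lists other's, fixed lists own, fixed lists other's)."""
    own, other = {"s3:prefix": ME + "/"}, {"s3:prefix": OTHER + "/"}
    return (is_allowed([ASKER_POLICY], "s3:ListBucket", BUCKET, ME, own),
            is_allowed([ASKER_POLICY, BROAD_LIST_POLICY], "s3:ListBucket", BUCKET, ME, other),
            is_allowed([PER_USER_POLICY], "s3:ListBucket", BUCKET, ME, own),
            is_allowed([PER_USER_POLICY], "s3:ListBucket", BUCKET, ME, other))
```

The policy simulator the answer mentions is the authoritative check; this script only mirrors the matching rules for the statements shown.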