Unauthenticated access to AWS services using Cognito
I am trying to write a simple JavaScript (running in the browser) that will get information about my Beanstalk applications with the describeApplications function. I've created a Cognito Identity Pool with the unauthenticated access checkbox set and attached the AWSElasticBeanstalkReadOnlyAccess policy to the Role of the Identity Pool.
Here is the code:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
    AWS.config.region = 'eu-west-1'; // Region
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'eu-west-1:....',
    });
    var elasticbeanstalk = new AWS.ElasticBeanstalk();
    elasticbeanstalk.describeApplications({}, function (err, data) {
        if (err) {
            console.log(err);
            console.log(err.stack);
        } else {
            console.log(data);
        }
    });
</script>
Here is the output in the console:
{ResponseMetadata: {…}, Applications: Array(0)}
The Applications array is empty! But I definitely have applications in the eu-west-1 region.
To make a simple test I created a user, attached the same policy and hard-coded the user credentials instead of CognitoIdentityCredentials:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.134.0.min.js"></script>
<script>
    AWS.config.region = 'eu-west-1'; // Region
    AWS.config.accessKeyId = '...';
    AWS.config.secretAccessKey = '...';
    var elasticbeanstalk = new AWS.ElasticBeanstalk();
    elasticbeanstalk.describeApplications({}, function (err, data) {
        if (err) {
            console.log(err);
            console.log(err.stack);
        } else {
            console.log(data);
        }
    });
</script>
And voilà, I see my Beanstalk applications:
{ResponseMetadata: {…}, Applications: Array(1)}
I have done other tests. I tried to list S3 buckets with unauth. access and Cognito; it also works. That means my unauth. role is properly attached and applied. But I have no idea why I see no applications in Beanstalk!
What am I doing wrong with unauthenticated access and Cognito? Any help will be really appreciated!
Update!
Thanks Mike Patrick for pointing in the right direction! https://stackoverflow.com/a/46820122/1858818
I switched to the basic authentication flow and that was it. Here is the working piece of code:
AWS.config = {
    apiVersions: { elasticbeanstalk: '2010-12-01' },
    region: 'eu-west-1',
    credentials: new AWS.WebIdentityCredentials({
        RoleArn: 'my role arn'
    })
};
var cognitoidentity = new AWS.CognitoIdentity(),
    elasticbeanstalk = new AWS.ElasticBeanstalk();
var params = {
    IdentityPoolId: 'my cognito identity pool id', /* required */
};
cognitoidentity.getId(params, function (err, data) {
    if (err) {
        console.log(err, err.stack); // an error occurred
    } else {
        var params = {
            IdentityId: data.IdentityId
        };
        cognitoidentity.getOpenIdToken(params, function (err, data) {
            if (err) {
                console.log(err, err.stack); // an error occurred
            } else {
                AWS.config.credentials.params.WebIdentityToken = data.Token;
                // here we go, elasticbeanstalk functions work as expected
            }
        });
    }
});
I'm not convinced you're doing anything wrong; I was also unable to make this work. I suspect you may be a victim of Amazon "protecting" you from yourself.
From http://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html under "Access Policies":
For additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialForIdentity to prevent access to services other than these to your unauthenticated users:
... list of services that does NOT include Elastic Beanstalk ...
If you need access to something other than these services for your unauthenticated users, you must use the basic authentication flow.
This seems to suggest that regardless of what policies you attach to your Cognito Unauthenticated role, AWS is going to "scope it down".
If this is the case, you'd like to see some evidence of a NotAuthorizedException (often in a response header), but I couldn't find any.
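As an added illustration (not code from the question or the answer), here are the two IAM documents the basic flow described above depends on: the trust policy of the unauthenticated role, which is what sts:AssumeRoleWithWebIdentity evaluates against the Cognito OpenID token, and a permissions policy narrowed to the one call the question needs instead of the managed AWSElasticBeanstalkReadOnlyAccess policy. The identity pool id is a placeholder. Because the basic flow bypasses Cognito's scope-down policy, the role's own permissions policy is the only limit on what any anonymous visitor to the page can call, so it is worth trimming by hand.

```json
{
  "UnauthenticatedRoleTrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Federated": "cognito-identity.amazonaws.com" },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "cognito-identity.amazonaws.com:aud": "eu-west-1:IDENTITY-POOL-ID-PLACEHOLDER"
          },
          "ForAnyValue:StringLike": {
            "cognito-identity.amazonaws.com:amr": "unauthenticated"
          }
        }
      }
    ]
  },
  "UnauthenticatedRolePermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [ "elasticbeanstalk:DescribeApplications" ],
        "Resource": "*"
      }
    ]
  }
}
```

The aud condition ties the role to this one identity pool and the amr condition restricts it to tokens issued for unauthenticated identities; without them any Cognito-issued token could assume the role.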