用户通过cognito身份验证后,如何通过用户凭据访问s3存储桶?
[英]How do i pass the user credential to access s3 bucket once user is authenticated by cognito?
问题描述
I am using javascript sdk in node env and want to be able to assign a "key"/folder per user. 
我在节点env中使用javascript sdk,希望能够为每个用户分配“密钥” /文件夹。 I am able to authenticate and get a token with cognito. 我可以进行身份验证并使用cognito获得令牌。 However with the following rules set I get a access denied. 但是,设置以下规则后,我的访问被拒绝。 How do I actually pass the credentials on to access the users object? 我实际上如何将凭据传递给访问用户对象?
Policy is as follows in IAM: IAM中的策略如下:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*" ], "Resource": [ "arn:aws:s3:::myBucket", "arn:aws:s3:::myBucket/*" ], "Condition": { "StringLike": { "s3:prefix": [ "${aws:username}/*" ] } } } ] }
1 个解决方案
解决方案1
1 已采纳 2019-03-20 17:36:42
Your policy is wrong. 您的政策有误。
Here is how to fix it: Once you have cognito setup in AWS console, you will get two roles, auth cognito role and unauth. 修复方法如下:在AWS控制台中设置了认知功能后,您将获得两个角色,即身份验证角色和身份验证。 Go to the auth role in IAM and resource to look something like this... 转到IAM和资源中的auth角色,看起来像这样...
"Resource": [ "arn:aws:s3:::mybucket/Users/${cognito-identity.amazonaws.com:sub}",] “资源”:[“ arn:aws:s3 ::: mybucket / Users / $ {cognito-identity.amazonaws.com:sub}”,]
The cognito identity: sub part is what ties the folder to the authenticated user. 认知身份:子部分是将文件夹与经过身份验证的用户相关联的部分。
Then in node, when you do put or get just use the same key but where this is -- ${cognito-identity.amazonaws.com:sub pass the identityID of the user. 然后在节点中,当您放置或获取时仅使用相同的密钥,但是在此位置-$ {cognito-identity.amazonaws.com:sub传递用户的身份ID。 I am not sure how to get the identityID from AWS console, but you can definitely get it using the cli. 我不确定如何从AWS控制台获取identityID,但是您绝对可以使用cli获取它。 Just check out the cognito api section to see how to get the identityID. 只需查看cognito api部分,以了解如何获取identityID。
Hope that helps. 希望能有所帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.