
AWS User is not authorized to access this resource with an explicit deny

I am deploying a serverless app on AWS and have some issues while trying to access my serverless application from the frontend. I have the impression that the issue is with the backend, more specifically with the serverless.yml configuration file (see the first code block below) or rather with my auth0Authorizer.ts file (see the second code block below). When I log into my frontend app, I receive a 403 error message that says "User is not authorized to access this resource with an explicit deny". I really doubt whether this is related to any configuration on AWS.

# serverless.yml
org: name
app: serverless-todo-app-app
service:
  name: serverless-todo-app
package:
  individually: true

plugins:
  - serverless-webpack
  - serverless-iam-roles-per-function
  - serverless-reqvalidator-plugin
  - serverless-aws-documentation

provider:
  name: aws
  runtime: nodejs8.10
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'us-west-1'}

  tracing: true

  environment:
    TODOS_TABLE: Todos-v4-${self:provider.stage}
    USER_ID_INDEX: UserIdIndex
    SIGNED_URL_EXPIRATION: 300
    IMAGES_S3_BUCKET: 'severless-todo-app-bucket-v1-${self:provider.stage}'
    DYNAMODB_TABLE: TableName
    TableName: ${self:provider.environment.TODOS_TABLE}
    AUTH_0_SECRET: ***********************************
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Scan
        - dynamodb:PutItem
        - dynamodb:GetItem
        - codedeploy:*
        - xray:PutTelemetryRecords
        - xray:PutTraceSegments
      Resource:
        - '*'
    - Effect: Allow
      Action:
        - s3:GetObject
        - xray:PutTelemetryRecords
        - xray:PutTraceSegments
      Resource: arn:aws:s3:::${self:provider.environment.IMAGES_S3_BUCKET}/*

custom:
  documentation:
    api:
      info:
        version: v1.0.0
        title: Udagram API
        description: Serverless application
    models:
      - name: TodoRequest
        contentType: application/json
        schema: ${file(models/create-todo-request.json)}


functions:

  Auth:
    handler: src/lambda/auth/auth0Authorizer.handler

  # TODO: Configure this function
  GetTodos:
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:Query
          - dynamodb:GetItem
        Resource: arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.TODOS_TABLE}

    handler: src/lambda/http/getTodos.handler
    events:
      - http:
          authorizer: Auth
          method: get
          path: todos
          cors: true


  # TODO: Configure this function
  CreateTodo:
    handler: src/lambda/http/createTodo.handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:PutItem
          - xray:PutTelemetryRecords
          - xray:PutTraceSegments
        Resource: arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.TODOS_TABLE}
    events:
      - http:
          authorizer: Auth
          method: post
          path: todos
          cors: true
          reqValidatorName: RequestBodyValidator
          documentation:
            summary: Create a new todo
            description: Create a new todo
            requestModels:
              'application/json': TodoRequest
  # TODO: Configure this function
  UpdateTodo:
    handler: src/lambda/http/updateTodo.handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:UpdateItem
          - xray:PutTelemetryRecords
          - xray:PutTraceSegments
        Resource: arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.TODOS_TABLE}

    events:
      - http:
          authorizer: Auth
          method: patch
          path: todos/{todoId}
          cors: true
  # TODO: Configure this function
  DeleteTodo:
    handler: src/lambda/http/deleteTodo.handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:DeleteItem
        Resource: arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.TODOS_TABLE}

    events:
      - http:
          authorizer: Auth
          method: delete
          path: todos/{todoId}
          cors: true

  # TODO: Configure this function
  GenerateUploadUrl:
    handler: src/lambda/http/generateUploadUrl.handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - s3:PutObject
          - s3:GetObject
          - xray:PutTelemetryRecords
          - xray:PutTraceSegments
        Resource: arn:aws:s3:::${self:provider.environment.IMAGES_S3_BUCKET}/*
      - Effect: Allow
        Action:
          - dynamodb:PutItem
          - dynamodb:GetItem
          - dynamodb:UpdateItem
        Resource: arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.TODOS_TABLE}

    events:
      - http:
          authorizer: Auth
          method: post
          path: todos/{todoId}/attachment
          cors: true

resources:
  Resources:
    # TODO: Add any necessary AWS resources
    AttachmentsBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:provider.environment.IMAGES_S3_BUCKET}
        CorsConfiguration:
          CorsRules:
            -
              AllowedOrigins:
                - '*'
              AllowedHeaders:
                - '*'
              AllowedMethods:
                - GET
                - PUT
                - POST
                - DELETE
                - HEAD
              MaxAge: 0

    BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        PolicyDocument:
          Id: MyPolicy
          Version: "2012-10-17"
          Statement:
            - Sid: PublicReadForGetBucketObjects
              Effect: Allow
              Principal: '*'
              Action: 's3:GetObject'
              Resource: 'arn:aws:s3:::${self:provider.environment.IMAGES_S3_BUCKET}/*'
        Bucket: !Ref AttachmentsBucket


    GatewayResponseDefault4XX:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
          gatewayresponse.header.Access-Control-Allow-Methods: "'GET,OPTIONS,POST'"
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: ApiGatewayRestApi

    RequestBodyValidator:
      Type: AWS::ApiGateway::RequestValidator
      Properties:
        Name: 'request-body-validator'
        RestApiId:
          Ref: ApiGatewayRestApi
        ValidateRequestBody: true
        ValidateRequestParameters: false

    TodosDynamoDBTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions:
          - AttributeName: todoId
            AttributeType: S
          - AttributeName: userId
            AttributeType: S
        KeySchema:
          - AttributeName: userId
            KeyType: HASH
          - AttributeName: todoId
            KeyType: RANGE
        BillingMode: PAY_PER_REQUEST
        TableName: ${self:provider.environment.TODOS_TABLE}
        GlobalSecondaryIndexes:
          - IndexName: ${self:provider.environment.USER_ID_INDEX}
            KeySchema:
            - AttributeName: userId
              KeyType: HASH

            Projection:
              ProjectionType: ALL

// src/lambda/auth/auth0Authorizer.ts
import { CustomAuthorizerEvent, CustomAuthorizerResult, CustomAuthorizerHandler } from 'aws-lambda'
import 'source-map-support/register'
import { verify } from 'jsonwebtoken'
import { JwtToken } from '../../auth/JwtToken'

const auth0Secret = process.env.AUTH_0_SECRET
export const handler: CustomAuthorizerHandler = async (event: CustomAuthorizerEvent): Promise<CustomAuthorizerResult> => {
  try {
    const decodedToken = verifyToken(event.authorizationToken)
    console.log('User was authorized')

    return {
      principalId: decodedToken.sub,
      policyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Action: 'execute-api:Invoke',
            Effect: 'Allow',
            Resource: '*'
          }
        ]
      }
    }
  } catch (e) {
    // Every verification failure (missing header, bad prefix, invalid signature,
    // expired token) lands here and returns an explicit Deny policy.
    console.log('User was not authorized', e.message)

    return {
      principalId: 'user',
      policyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Action: 'execute-api:Invoke',
            Effect: 'Deny',
            Resource: '*'
          }
        ]
      }
    }
  }
}

function verifyToken(authHeader: string): JwtToken {
  if (!authHeader)
    throw new Error('No authentication header')

  if (!authHeader.toLowerCase().startsWith('bearer '))
    throw new Error('Invalid authentication header')

  const split = authHeader.split(' ')
  const token = split[1]

  return verify(token, auth0Secret) as JwtToken
}

When AWS says explicit Deny, that means somewhere in the chain of IAM policies there was a Deny for that action. In this case the only policy is the session policy that your authorizer Lambda provides. As @hephalump mentioned in the comments, and according to your code, it happens when there was an error, so check the logs to see what needs to be done.
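As an added example (not the asker's or the answerer's code), here is a self-contained HS256 authorizer that uses only Node's crypto module: it performs the same checks as the page's verifyToken, maps each failure to a Deny that names the failed check so the logs the answer points to say why the explicit deny happened, and scopes the Allow to the invoked method ARN. The secret, tokens and ARN are constructed for the example; nothing here talks to Auth0.

```typescript
import { createHmac, timingSafeEqual } from 'crypto'

// Constructed secret for this example; not the page's real AUTH_0_SECRET.
export const SECRET = 'example-hs256-secret'
export type Verdict = { effect: 'Allow' | 'Deny'; principalId: string; reason: string }
const b64url = (s: string): string => Buffer.from(s).toString('base64url')

// Verify a "Bearer <HS256 JWT>" header and map every failure to a Deny. Unlike the
// page's authorizer, which logs only e.message, each Deny names the failed check,
// so the CloudWatch log says why API Gateway answered 403 "explicit deny".
export function authorize(authHeader: string | undefined, now = Math.floor(Date.now() / 1000)): Verdict {
  const deny = (reason: string): Verdict => ({ effect: 'Deny', principalId: 'user', reason })
  if (!authHeader) return deny('no authentication header')
  if (!authHeader.toLowerCase().startsWith('bearer ')) return deny('header is not a Bearer token')
  const parts = authHeader.slice(7).split('.')
  if (parts.length !== 3) return deny('token is not a three-part JWT')
  const [h, p, sig] = parts
  let header: any, payload: any
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString())
    payload = JSON.parse(Buffer.from(p, 'base64url').toString())
  } catch {
    return deny('header or payload is not base64url JSON')
  }
  // Pin the algorithm: an RS256 or "none" token must never be checked as HS256.
  if (header.alg !== 'HS256') return deny(`unsupported alg ${header.alg}`)
  const expected = createHmac('sha256', SECRET).update(`${h}.${p}`).digest()
  const actual = Buffer.from(sig, 'base64url')
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    return deny('signature mismatch (wrong secret or tampered token)')
  }
  if (typeof payload.exp === 'number' && payload.exp <= now) return deny('token expired')
  if (typeof payload.sub !== 'string') return deny('token has no sub claim')
  return { effect: 'Allow', principalId: payload.sub, reason: 'ok' }
}

// Shape a verdict into the authorizer response: Resource is scoped to the invoked
// method ARN (event.methodArn) instead of '*', and the reason rides in context,
// which API Gateway exposes to access logs and to the integration.
export function toPolicy(v: Verdict, methodArn: string) {
  const Statement = [{ Action: 'execute-api:Invoke', Effect: v.effect, Resource: methodArn }]
  return { principalId: v.principalId, policyDocument: { Version: '2012-10-17', Statement }, context: { reason: v.reason } }
}

// Mint a constructed HS256 token; alg is a parameter only to produce a mismatched-alg token.
export function mint(payload: object, secret = SECRET, alg = 'HS256'): string {
  const h = b64url(JSON.stringify({ alg, typ: 'JWT' }))
  const p = b64url(JSON.stringify(payload))
  return `${h}.${p}.${createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url')}`
}
```

API Gateway turns a returned Deny policy into a 403 "explicit deny"; throwing Error('Unauthorized') from the authorizer instead yields a 401, which is the more accurate answer for a missing or malformed header.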

