AWS Amplify - CognitoIdentityCredentials is not authorized to perform: sts:AssumeRole on resource
I have an Amplify App using Nuxt. When a user logs in via Cognito the app tries to use STS to transfer to another role to get a QuickSight Dashboard Embed Url, following this AWS blog post.
So I have a role with this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:xxxxxxxx:dashboard/xxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx",
            "Effect": "Allow"
        }
    ]
}
and I added this policy to my app-authenticated-role:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::xxxxxxxxx:role/embed_role_name"
    }
}
When they log in via Cognito I attempt to assume the embed_role with STS, with:
// AWS (aws-sdk v2) and QS_EMBED_ROLE (the ARN of embed_role) are set up elsewhere in the app
let params = {
  RoleArn: QS_EMBED_ROLE,
  RoleSessionName: "embedding-qs",
};
let sts = new AWS.STS();
sts.assumeRole(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data);               // successful response: temporary credentials for embed_role
});
I get this error:
AccessDenied: User: arn:aws:sts::xxxxxxxxxx:assumed-role/app-authenticated-role/CognitoIdentityCredentials is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/embed_role
It seems pretty straightforward in the docs, so I'm not sure if I'm just not understanding something.
Also, in the course of trying a million things I think I edited the Trust Relationships for both the app-authenticated-role and embed-role, and am not sure if it matters one way or the other.
The app-authenticated-role trust policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-2:xxxxxxxx-xxxxxx-xxxxxx-xxxx-xxxxxxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}
and the embed_role trust policy is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-2:xxxxxxxx-xxxxxx-xxxxxx-xxxx-xxxxxxxx"
                }
            }
        }
    ]
}
The reason this was not being authorized is that I needed to use the action `"Action": "sts:AssumeRole"` in my policy for my app-authenticated-role trust policy instead of `"Action": "sts:AssumeRoleWithWebIdentity"`. Once that was replaced it worked as expected.
If you are using a Cognito Identity Pool to map an authenticated user to an IAM role, then rather than call sts:AssumeRole directly, you would normally use AWS.CognitoIdentityCredentials() to get IAM credentials for your web identity.
This makes 2 calls behind the scenes. Firstly, it uses the given Login (a JWT token from an Identity Provider such as Cognito User Pools, Facebook, Google, etc.) to create a new identity, or retrieve an existing one. Secondly, it will call sts:AssumeRoleWithWebIdentity on your behalf and return IAM credentials.
This is all described in the Cognito Identity Pool docs.
So your authenticated role trust policy would be:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-2:xxxxxxxx-xxxxxx-xxxxxx-xxxx-xxxxxxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}
which states that Cognito Identity can call STS to get credentials on behalf of a web identity.
The permissions policy associated with that role would be:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "quicksight:GetDashboardEmbedUrl",
            "Resource": "arn:aws:quicksight:us-west-2:xxxxxxxx:dashboard/xxxx-xxxx-xxxxx-xxxx-xxxxxxxxxxxxx",
            "Effect": "Allow"
        }
    ]
}
plus whatever other permissions your web user should have.
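Both the question and this answer come down to the same two-sided check: the caller's identity policy must allow the STS action, and the target role's trust policy must allow that same action for that principal type, with every condition key satisfied. As an added example (not code from the original question or answers), the toy trust-policy evaluator below shows why a direct sts:AssumeRole from the app role session is implicitly denied by the trust policy above, while the AssumeRoleWithWebIdentity flow that CognitoIdentityCredentials performs is allowed; the pool id and account id are placeholders, and only the policy elements used on this page are modelled.

```javascript
// Added example, not from the original post: a toy evaluator for the trust-policy elements used on this
// page (Effect Allow, Principal Federated/AWS, Action, StringEquals, ForAnyValue:StringLike). Real IAM
// also evaluates explicit Deny and many more operators; only the cases discussed here are modelled.
function globToRegExp(pattern) { // IAM wildcard ("sts:Assume*") to an anchored RegExp
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

// A statement matches only when action, principal type AND value, and every condition key match.
function statementMatches(stmt, req) {
  if (![].concat(stmt.Action).some((a) => globToRegExp(a).test(req.action))) return false;
  const trusted = stmt.Principal[req.principalType]; // "Federated" and "AWS" are different principals
  if (!trusted || ![].concat(trusted).includes(req.principal)) return false;
  const cond = stmt.Condition || {};
  for (const [key, want] of Object.entries(cond.StringEquals || {}))
    if (req.context[key] !== want) return false; // single-valued claim must match exactly
  for (const [key, pat] of Object.entries(cond["ForAnyValue:StringLike"] || {}))
    if (![].concat(req.context[key] || []).some((v) => globToRegExp(pat).test(v))) return false;
  return true;
}

// Allow if any Allow statement matches; otherwise the implicit deny that STS reports as AccessDenied.
function evaluateTrustPolicy(policy, req) {
  const ok = [].concat(policy.Statement).some((s) => s.Effect === "Allow" && statementMatches(s, req));
  return ok ? "Allow" : "ImplicitDeny";
}

// Constructed sample: the authenticated-role trust policy from the answer, with a placeholder pool id.
const POOL_ID = "us-east-2:POOL-ID-PLACEHOLDER";
const AUTH_ROLE_TRUST = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
    Principal: { Federated: "cognito-identity.amazonaws.com" },
    Condition: {
      StringEquals: { "cognito-identity.amazonaws.com:aud": POOL_ID },
      "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
    },
  }],
};

// Request 1: the question's direct sts:AssumeRole, made by the app role session (an "AWS" principal).
const DIRECT_ASSUME_ROLE = {
  principalType: "AWS", principal: "arn:aws:iam::ACCOUNT-PLACEHOLDER:role/app-authenticated-role",
  action: "sts:AssumeRole", context: {},
};
// Request 2: what CognitoIdentityCredentials does on the caller's behalf, with the given amr claims.
function cognitoRequest(amr) {
  return { principalType: "Federated", principal: "cognito-identity.amazonaws.com",
    action: "sts:AssumeRoleWithWebIdentity",
    context: { "cognito-identity.amazonaws.com:aud": POOL_ID, "cognito-identity.amazonaws.com:amr": amr } };
}
```

Running `evaluateTrustPolicy(AUTH_ROLE_TRUST, DIRECT_ASSUME_ROLE)` returns "ImplicitDeny" (wrong action and wrong principal type), while `evaluateTrustPolicy(AUTH_ROLE_TRUST, cognitoRequest(["authenticated"]))` returns "Allow"; changing the amr claim or the aud value flips the result back to a deny.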