AccessDeniedException for the action that is allowed to a role by a policy on AWS Timestream

I'm trying to read Timestream data from a web app for public use. I followed this tutorial from AWS to allow any user to see the data in a web browser. After that, I followed this GitHub issue since discovering endpoints was failing.

The problem I'm having now is that it returns these errors.

POST https://query.timestream.us-west-2.amazonaws.com/ 403 (Forbidden)
Uncaught (in promise) AccessDeniedException: 
User: arn:aws:sts::<number here>:assumed-role/Cognito_izunumaUnauth_Role/CognitoIdentityCredentials 
is not authorized to perform: timestream:DescribeEndpoints because no session policy allows 
the timestream:DescribeEndpoints action

I have already attached a policy to Cognito_izunumaUnauth_Role to allow timestream:DescribeEndpoints and checked that it works in the IAM policy simulator, so I don't know what to do to resolve this error.

The code looks like this in my React app now.

import * as AWS from "@aws-sdk/client-timestream-query";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import {
  fromCognitoIdentityPool,
} from "@aws-sdk/credential-provider-cognito-identity";
import { useEffect } from 'react';
// Create React App default asset; the post omits this import but renders <img src={logo} /> below.
import logo from './logo.svg';

function App() {

  useEffect(()=>{
    (async () => {
      const endpointsQueryClient = new AWS.TimestreamQuery({ 
        region: "us-west-2",
        credentials: fromCognitoIdentityPool({
          client: new CognitoIdentityClient({ region: "us-west-2" }),
          identityPoolId: "<IDENTITY_POOL_ID>",
        })
      });
      const qClientResponse = await endpointsQueryClient.describeEndpoints({});
      console.log(qClientResponse);

      const queryClient = new AWS.TimestreamQuery({
        region: "us-west-2",
        credentials: fromCognitoIdentityPool({
          client: new CognitoIdentityClient({ region: "us-west-2" }),
          identityPoolId: "<IDENTITY_POOL_ID>",
        }),
        endpoint: `https://${qClientResponse.Endpoints[0].Address}`,
      });

      const QueryString = `SELECT * FROM solarpanel_test.solarpanel_test WHERE time between ago(30000m) and now() ORDER BY time DESC LIMIT 200`;
      console.log(await queryClient.query({ QueryString }));

    })()
  },[])

  return (
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <p>
          Edit <code>src/App.js</code> and save to reload.
        </p>
        <a
          className="App-link"
          href="https://reactjs.org"
          target="_blank"
          rel="noopener noreferrer"
        >
          Learn React
        </a>
      </header>
    </div>
  );
}

export default App;

I'm new to AWS, so any suggestion would help.

I understand your concern; AWS has fine-grained policies for each operation:
one for DescribeEndpoints, another for Select, then another for PrepareQuery and so on...
You will also need to add the Select policy here.
After DescribeEndpoints you are running a SELECT query. There are nearly 7 actions for a read policy, while the describe policies (DescribeEndpoints / ListDatabases) are only to list databases/tables, not to read data.
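The error in the question says "no session policy allows" the action, and this answer points out that Timestream splits reading into several separate actions. The following is an added example, not code from the question or either answer: a toy model of how IAM combines a role's identity policy with a session policy (the effective permission is the intersection, and an explicit Deny wins). Both policy documents are constructed for illustration, and only Action is evaluated, not Resource or Condition.

```javascript
// Toy model of IAM identity-policy + session-policy evaluation (Action only;
// real IAM also evaluates Resource, Condition and other policy types).

// Match an IAM action pattern such as "timestream:Describe*" (case-insensitive).
function matchesPattern(pattern, action) {
  const escaped = pattern.split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// Evaluate one policy document for one action: "Deny" beats "Allow", and a
// document whose statements never match leaves the result "Implicit" (denied).
function evaluatePolicy(policy, action) {
  let result = "Implicit";
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action);
    if (!actions.some((a) => matchesPattern(a, action))) continue;
    if (st.Effect === "Deny") return "Deny";
    result = "Allow";
  }
  return result;
}

// With a session policy present, the action must be allowed by BOTH the role's
// identity policy and the session policy. Pass null for a session without one.
function isAllowed(identityPolicy, sessionPolicy, action) {
  if (evaluatePolicy(identityPolicy, action) !== "Allow") return false;
  if (sessionPolicy === null) return true;
  return evaluatePolicy(sessionPolicy, action) === "Allow";
}

// Constructed role policy: the action the asker attached plus Select, which the
// query needs; PrepareQuery is deliberately left out.
const rolePolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Resource: "*",
    Action: ["timestream:DescribeEndpoints", "timestream:Select"] }],
};
// Constructed session policy that never mentions Timestream, which is what
// "no session policy allows the timestream:DescribeEndpoints action" means.
const sessionPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Resource: "*", Action: "cognito-identity:*" }],
};

console.log(isAllowed(rolePolicy, sessionPolicy, "timestream:DescribeEndpoints")); // false
console.log(isAllowed(rolePolicy, null, "timestream:DescribeEndpoints"));          // true
console.log(isAllowed(rolePolicy, null, "timestream:PrepareQuery"));               // false
```

The first call reproduces the question's situation: the role policy allows the action, yet the session policy does not, so the request is denied; the last call shows the per-action granularity this answer describes.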

This is the exact issue that I encountered. I thought it was something about authorization; yeah, it is quite right, but this error refers to your role, so I use STSClient here, send first and use that role's credentials to use the other features of AWS.

import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts";
import { TimestreamQueryClient, QueryCommand } from "@aws-sdk/client-timestream-query";

// aws_creds (not shown in the post) is assumed to hold the caller's base
// credentials, which must be allowed to call sts:AssumeRole on <role>.
const params = {
  RoleArn: "<role>",
  RoleSessionName: "<name>",
};
const clientRole = new STSClient({
  region: "us-west-2",
  credentials: aws_creds,
});
const roleCommand = new AssumeRoleCommand(params);
const role = await clientRole.send(roleCommand);

// Temporary credentials for the assumed role; every Timestream call uses these.
const role_creds = {
  accessKeyId: role.Credentials.AccessKeyId,
  secretAccessKey: role.Credentials.SecretAccessKey,
  sessionToken: role.Credentials.SessionToken,
};
const query = `SELECT * FROM db.table ORDER BY column DESC LIMIT 5`;

const timestreamQuery = new TimestreamQueryClient({
  region: "us-west-2",
  credentials: role_creds,
});
const queryCommand = new QueryCommand({ QueryString: query });

// use it like `timestreamQuery.send(queryCommand, (err, data) => { ... })`
