
Defining IAM Roles for Identity Pool with CloudFormation to access s3 bucket

I'm trying to define authorized/unauthorized roles for Identity Pool connected to User Pool with Cloud Formation. I'm using these instructions: https://docs.amplify.aws/lib/storage/getting-started/q/platform/js#using-amazon-s3

But so far I have not succeeded with it. When UI calls Amplify.configure with the identity pool id, I get "Invalid identity pool configuration. Check assigned IAM roles for this pool."

This is what I have:

  MyCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      ...

  MyCognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref MyCognitoUserPool
      GenerateSecret: false

  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties: 
      CognitoIdentityProviders: 
        - ClientId: !Ref MyCognitoUserPoolClient
          ProviderName: !GetAtt MyCognitoUserPool.ProviderName      

  MyIdentityPoolAuthRole: 
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument: 
        Version: '2012-10-17'
        Statement:                   
          - Effect: Allow
            Principal: 
              Federated:
                - cognito-identity.amazonaws.com                   
            Action: 
              - sts:AssumeRole
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  - !ImportValue mydevDocumentBucketArn
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - authenticated
      Policies:              
        - PolicyName: identity-pool-auth-cognito-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - cognito-identity:*
                  - cognito-sync:*
                Resource: '*'     
        - PolicyName: identity-pool-auth-public-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:DeleteObject
                  - s3:GetObject
                  - s3:PutObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                  - Fn::Sub:
                    - '${documentBucket}/protected/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
                  - Fn::Sub:
                    - '${documentBucket}/private/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
        - PolicyName: identity-pool-auth-uploads-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:PutObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-protected-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:GetObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-list-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:ListBucket
                Resource: !ImportValue mydevDocumentBucketArn
                Condition: 
                  StringLike:
                      s3:prefix: 
                        - 'public/'
                        - 'public/*'
                        - 'protected/'
                        - 'protected/*'
                        - 'private/${cognito-identity.amazonaws.com:sub}/'
                        - 'private/${cognito-identity.amazonaws.com:sub}/*'

  MyIdentityPoolUnAuthRole:
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument: 
        Version: '2012-10-17'
        Statement:                
          - Effect: Allow
            Principal: 
              Federated:
                - cognito-identity.amazonaws.com               
            Action: 
              - sts:AssumeRole
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  - !ImportValue mydevDocumentBucketArn
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - unauthenticated
      Policies:              
        - PolicyName: identity-pool-unauth-sync-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - cognito-sync:*
                Resource: '*'  
        - PolicyName: identity-pool-unauth-public-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-uploads-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:PutObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-protected-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:GetObject
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-list-policy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement: 
              - Effect: Allow 
                Action: 
                  - s3:ListBucket
                Resource: 
                  - Fn::Sub:
                    - '${documentBucket}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                Condition:
                  StringLike:
                    s3:prefix:
                        - 'public/'
                        - 'public/*'
                        - 'protected/'
                        - 'protected/*'

  MyIdentityPoolRoleAtt:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties: 
      IdentityPoolId: !Ref MyIdentityPool
      Roles: 
        "authenticated": !GetAtt MyIdentityPoolAuthRole.Arn
        "unauthenticated": !GetAtt MyIdentityPoolUnAuthRole.Arn

To me there look to be a couple of issues with the trust policies of your Auth and Unauth roles:

Firstly, the Action that the roles allow should be sts:AssumeRoleWithWebIdentity and not sts:AssumeRole.

  • AssumeRole gives additional temporary permissions to existing IAM users. AssumeRole requires existing valid IAM user credentials.
  • AssumeRoleWithWebIdentity gives temporary credentials to app users that have been authenticated by some web identity provider (such as Cognito User Pools, or Facebook, etc).

Secondly, the condition part of your trust policy should read as follows:

Condition:
  StringEquals:
    cognito-identity.amazonaws.com:aud:
      - !Ref MyIdentityPool
  ForAnyValue:StringLike:
    cognito-identity.amazonaws.com:amr:
      - authenticated # or unauthenticated

The cognito-identity.amazonaws.com:aud part limits the assignment of this role to users who are members of your specific identity pool, whereas you were referencing the arn of your S3 bucket.
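The two defects the answer points out (wrong STS action, and an S3 bucket ARN where the identity pool id belongs in the `aud` condition) are easy to miss by eye in a long template, so here is a small checker for them. This is an added example, not code from the question or the answer; it runs over the trust policy as IAM renders it in JSON (i.e. after CloudFormation has resolved `!Ref MyIdentityPool`), so the same function can be pointed at the `AssumeRolePolicyDocument` returned by `aws iam get-role`. The bucket ARN and identity pool id in the sample documents are constructed placeholders.

```python
import re

# An identity pool id is "<region>:<uuid>", e.g. "us-east-1:<uuid>". Anything else in the
# aud condition (such as an S3 bucket ARN) can never match a real Cognito identity.
IDENTITY_POOL_ID_RE = re.compile(
    r"^[a-z]{2}-[a-z]+-\d:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$"
)
FEDERATED_PRINCIPAL = "cognito-identity.amazonaws.com"
AUD_KEY = "cognito-identity.amazonaws.com:aud"
AMR_KEY = "cognito-identity.amazonaws.com:amr"
WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM allows a single string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_pool_trust_policy(policy, expected_amr):
    """Return a list of findings for a Cognito identity pool role trust policy.

    expected_amr is "authenticated" or "unauthenticated". An empty list means the
    policy follows the pattern described in the answer above.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if FEDERATED_PRINCIPAL not in federated:
            findings.append(f"statement {index}: Principal is not Federated {FEDERATED_PRINCIPAL}")
            continue

        actions = _as_list(stmt.get("Action"))
        if WEB_IDENTITY_ACTION not in actions:
            findings.append(
                f"statement {index}: Action must be {WEB_IDENTITY_ACTION}, found {actions}"
            )

        condition = stmt.get("Condition", {})
        aud_values = _as_list(condition.get("StringEquals", {}).get(AUD_KEY))
        if not aud_values:
            # Without an aud condition, any identity pool (in any AWS account) could assume the role.
            findings.append(f"statement {index}: missing {AUD_KEY} condition")
        for aud in aud_values:
            if not IDENTITY_POOL_ID_RE.match(aud):
                findings.append(f"statement {index}: aud value {aud!r} is not an identity pool id")

        amr_values = _as_list(condition.get("ForAnyValue:StringLike", {}).get(AMR_KEY))
        if expected_amr not in amr_values:
            findings.append(f"statement {index}: amr condition does not name {expected_amr!r}")
    return findings


# Constructed sample: the question's trust policy after rendering (bucket ARN in aud, wrong action).
BROKEN_AUTH_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [FEDERATED_PRINCIPAL]},
        "Action": ["sts:AssumeRole"],
        "Condition": {
            "StringEquals": {AUD_KEY: ["arn:aws:s3:::example-document-bucket"]},
            "ForAnyValue:StringLike": {AMR_KEY: ["authenticated"]},
        },
    }],
}

# Constructed sample: the same policy with the answer's corrections applied.
FIXED_AUTH_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [FEDERATED_PRINCIPAL]},
        "Action": [WEB_IDENTITY_ACTION],
        "Condition": {
            "StringEquals": {AUD_KEY: ["us-east-1:11111111-2222-3333-4444-555555555555"]},
            "ForAnyValue:StringLike": {AMR_KEY: ["authenticated"]},
        },
    }],
}


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_AUTH_TRUST_POLICY), ("fixed", FIXED_AUTH_TRUST_POLICY)):
        print(name, lint_identity_pool_trust_policy(doc, "authenticated") or "OK")
```

The `aud` check matters beyond getting past the "Invalid identity pool configuration" error: the trust policy is what stops a role being assumed by identities from a different pool, so it should always pin the exact pool id rather than be left open or pointed at an unrelated resource.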
