stackoom
  简体   繁体   中英

AccessDeniedException for the action that is allowed to a role by a policy on AWS timestream

 原文  2022-10-28 06:57:52       amazon-web-services/ amazon-cognito/ aws-sdk/ aws-sdk-js/ amazon-timestream

Question

I'm trying to read timestream data from web app for public use. I followed this tutorial from AWS to allow any user to see the data on web browser. After that, I followed this github issue since discovering endpoints was failing.

The problem I'm having now is that it returns these errors now.

POST https://query.timestream.us-west-2.amazonaws.com/ 403 (Forbidden)

Uncaught (in promise) AccessDeniedException: 
User: arn:aws:sts::<number here>:assumed-role/Cognito_izunumaUnauth_Role/CognitoIdentityCredentials 
is not authorized to perform: timestream:DescribeEndpoints because no session policy allows 
the timestream:DescribeEndpoints action

I have already attached a policy to Cognito_izunumaUnauth_Role to allow timestream:DescribeEndpoints and checked that it works on simulator on IAM, so I don't know what to do to resolve this error.

the code looks like this in my react app now.

import * as AWS from "@aws-sdk/client-timestream-query";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import {
  fromCognitoIdentityPool,
} from "@aws-sdk/credential-provider-cognito-identity";
import {useEffect} from 'react';

function App() {

  useEffect(()=>{
    (async () => {
      const endpointsQueryClient = new AWS.TimestreamQuery({ 
        region: "us-west-2",
        credentials: fromCognitoIdentityPool({
          client: new CognitoIdentityClient({ region: "us-west-2" }),
          identityPoolId: "<IDENTITY_POOL_ID>",
        })
      });
      const qClientResponse = await endpointsQueryClient.describeEndpoints({});
      console.log(qClientResponse);

      const queryClient = new AWS.TimestreamQuery({
        region: "us-west-2",
        credentials: fromCognitoIdentityPool({
          client: new CognitoIdentityClient({ region: "us-west-2" }),
          identityPoolId: "<IDENTITY_POOL_ID>",
        }),
        endpoint: `https://${qClientResponse.Endpoints[0].Address}`,
      });

      const QueryString = `SELECT * FROM solarpanel_test.solarpanel_test WHERE time between ago(30000m) and now() ORDER BY time DESC LIMIT 200`;
      console.log(await queryClient.query({ QueryString }));

    })()
  },[])

  return (
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <p>
          Edit <code>src/App.js</code> and save to reload.
        </p>
        <a
          className="App-link"
          href="https://reactjs.org"
          target="_blank"
          rel="noopener noreferrer"
        >
          Learn React
        </a>
      </header>
    </div>
  );
}

export default App;

I'm new to AWS, so any suggestion would help.

2 answers

solution1
 0  2022-11-11 14:43:38

I understand your concern, aws has fine grain policies for each operation.
one for describe endpoint another for select then another for preparequery and so on...
you will also need to add SELECT Policy here.
After describe end point you are running select query. There are nearly 7 actions for read policy. while Describepolicies (describeEndpoint/ ListDatabases) are only to list database/tables but not to read data.

solution2
 0  2023-01-12 04:04:54

This is the exact issue that I encountered, I thought it is something about authorization, yeah it is quite right but, this error refers to your role, so we I use STSClient here, and send first and use that role credentials to use the other features of aws

const params = {
  RoleArn: "<role>",
  RoleSessionName: "<name>",
};
const clientRole = new STSClient({
  region: "us-west-2",
  credentials: aws_creds,
});
const roleCommand = new AssumeRoleCommand({
  RoleArn: "<role>",
  RoleSessionName: "<name>",
})
const role = await clientRole.send(roleCommand);

const role_creds = {
  accessKeyId: role.Credentials.AccessKeyId,
  secretAccessKey: role.Credentials.SecretAccessKey,
  sessionToken: role.Credentials.SessionToken,
};
const query = `SELECT * FROM db.table ORDER BY column DESC LIMIT 5`;

const timestreamQuery = new TimestreamQueryClient({
  region: "us-west-2",
  credentials: role_creds,
});
const queryCommand = new QueryCommand({QueryString: query})

// use it like `timestreamQuery.send(queryCommand, (err, data)=> { ... })`

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed." AWS Admin Role Policy AWS Timestream DB - AWS IOT aws cli fails to return a role policy How to add AWS Timestream datasets to AWS QuickSight terraform managed_policy_arns issue with aws_iam_role AWS StateMachine AccessDeniedException in step: CleanUpOnError What is the meaning of aws_iam_role and aws_iam_role_policy? What is the relation between user, group, role, policy and AWS services? Siemens logo Shadows and AWS IoT Timestream problem
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM