cognito - 禁止访问身份
[英]cognito - Access to Identity is forbidden
原文
2014-11-27 08:04:26
2
3
ios/
amazon-web-services/
amazon-s3/
amazon-cognito/
amazon-mobile-analytics
问题描述
我试图通过Facebook登录后了解亚马逊认知和尝试S3文件夹的列表内容。 脸书登录工作正常。 当我点击测试按钮(cmdTestS3Tapped)时,它会抛出以下错误。
我从Amazon amazon提供的项目中将AmazonClientManager.h,AmazonClientManager.m和Constants.h包含在项目中。 常数以belllow的形式给出。 任何人都可以帮我解决这个问题。
#define AWSAccountID @"MyAccountID"
#define CognitoPoolID @"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
#define CognitoRoleAuth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
#define CognitoRoleUnauth @"arn:aws:iam::MyAccountID:role/Cognito_iOSTestPoolAuth_DefaultRole"
这是角色--Cognito_iOSTestPoolAuth_DefaultRole
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Effect": "Allow",
"Resource": [
"*"
],
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}]
}
这是信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
这是我正在使用的代码
- (IBAction)cmdLoginWithFB:(id)sender {
[[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:YES];
[self disableUI];
[[AmazonClientManager sharedInstance] loginFromView:self.view withCompletionHandler:^(NSError *error) {
dispatch_async(dispatch_get_main_queue(), ^{
[self refreshUI];
});
}];
}
-(void)refreshUI {
[[UIApplication sharedApplication] setNetworkActivityIndicatorVisible:NO];
//self.browseDataButton.enabled = YES;
self.cmdLoginWithFB.enabled = YES;
if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
self.cmdLoginWithFB.titleLabel.text = @"Link";
NSLog(@"-----------LOGED IN -------------->");
}
else {
self.cmdLoginWithFB.titleLabel.text = @"Login";
NSLog(@"-----------NOT LOGED IN -------------->");
}
self.cmdLogoutWipe.enabled = [[AmazonClientManager sharedInstance] isLoggedIn];
}
- (IBAction)cmdTestS3Tapped:(id)sender {
if ([[AmazonClientManager sharedInstance] isLoggedIn]) {
NSLog(@"-----------LOGED IN -------------->");
[self testListBucket];
}
else {
NSLog(@"-----------NOT LOGED IN -------------->");
}
}
- (void)testListBucket {
AWSS3GetObjectRequest *getObjectRequest = [[AWSS3GetObjectRequest alloc] init];
getObjectRequest.key = @"image1.jpg";
getObjectRequest.bucket = @"multix-test";
NSLog(@"============================================>");
//default service has been configured previously
//AWSS3 *s3 = [[AWSS3 new] initWithConfiguration:[AWSServiceManager defaultServiceManager].defaultServiceConfiguration];
AWSS3 *s3 = [AWSS3 defaultS3];
[[s3 getObject:getObjectRequest] continueWithBlock:^id(BFTask *task) {
if(task.error)
{
NSLog(@"Error: %@",task.error);
}
else
{
NSLog(@"Got File");
NSData *data = [task.result body];
NSString *urlString = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
NSURL *url = [[NSURL alloc] initWithString:urlString];
if ([[UIApplication sharedApplication] canOpenURL:url]) {
[[UIApplication sharedApplication] openURL:url];
}
}
return nil;
}];
NSLog(@"============================================>");
}
错误
2014-11-26 20:58:24.048 FBLoginTest[2647:83767] initializing clients...
2014-11-26 20:58:24.055 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] -----------LOGED IN -------------->
2014-11-26 20:58:33.542 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.551 FBLoginTest[2647:83767] ============================================>
2014-11-26 20:58:33.554 FBLoginTest[2647:88515] AWSiOSSDKv2 [Verbose] AWSURLRequestSerialization.m line:110 | -[AWSJSONRequestSerializer serializeRequest:headers:parameters:] | Request body: [{"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}]
2014-11-26 20:58:34.870 FBLoginTest[2647:88605] AWSiOSSDKv2 [Debug] AWSURLResponseSerialization.m line:85 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response header: [{
"Content-Length" = 129;
"Content-Type" = "application/x-amz-json-1.1";
Date = "Wed, 26 Nov 2014 16:58:34 GMT";
nnCoection = close;
"x-amzn-RequestId" = "7558584c-758d-11e4-a92d-11020f90ea0e";
}]
2014-11-26 20:58:34.871 FBLoginTest[2647:88605] AWSiOSSDKv2 [Verbose] AWSURLResponseSerialization.m line:90 | -[AWSJSONResponseSerializer responseObjectForResponse:originalRequest:currentRequest:data:error:] | Response body: [{"__type":"NotAuthorizedException","message":"Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSIdentityProvider.m line:212 | __42-[AWSBasicCognitoIdentityProvider refresh]_block_invoke_2 | GetOpenIdToken failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] AWSiOSSDKv2 [Error] AWSCredentialsProvider.m line:433 | __40-[AWSCognitoCredentialsProvider refresh]_block_invoke293 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}]
2014-11-26 20:58:34.873 FBLoginTest[2647:88605] Error: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)" UserInfo=0x7fd042491650 {__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden.}
3 个解决方案
解决方案1
3 2014-11-27 08:35:41
我认为信任关系是不正确的。 它应该是
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
因为您的用户已通过Facebook验证。 您提供的信任关系适用于未经身份验证的用户。
有关Cognito,角色和信任关系的更多详细信息,请参阅Bob的三部分博客
第1部分: http : //mobile.awsblog.com/post/Tx2UQN4KWI6GDJL/Understanding-Amazon-Cognito-Authentication
第2部分: http : //mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident
第3部分: http : //mobile.awsblog.com/post/Tx1OSMBRHZVM9V0/Understanding-Amazon-Cognito-Authentication-Part-3-Roles-and-Policies
解决方案2
3 2014-11-27 15:14:28
“禁止访问身份”错误通常是由于无法在凭据提供程序中包含来自登录提供程序(FB)的令牌。
您没有包含处理FB登录的代码,但我确保您在AWSCognitoCredentials提供程序上正确设置令牌并将该提供程序设置为默认值。
Sebastien的答案仍然很重要,因为如果您使用不正确的角色,您可能会在以后遇到STS错误。
解决方案3
1 已采纳 2014-11-28 10:10:43
谢谢Bob&Sebastien,
问题是。 我忘了把以下代码放在viewdidload中
[[AmazonClientManager sharedInstance] resumeSessionWithCompletionHandler:^(NSError *error) {
dispatch_async(dispatch_get_main_queue(), ^{
[self refreshUI];
});
}];
AWS Cognito:“此身份池不支持未经身份验证的访问权限。”
[英]AWS Cognito: “Unauthenticated access is not supported for this identity pool.”
AWS / iOS / Cognito:此身份池不支持未经身份验证的访问
[英]AWS / iOS / Cognito: unauthenticated access is not supported for this identity pool
iOS 应用程序:如何访问其他用户保存在 cognito identity id 文件夹下的 S3 对象
[英]iOS app: How to access S3 object saved under cognito identity id folder by another user
如何将Cognito用户池与Cognito联合身份池集成
[英]How to integrate Cognito User Pools with Cognito Federated Identity Pools
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
带有iOS的Amazon Cognito:禁止访问身份
AWS Cognito:“此身份池不支持未经身份验证的访问权限。”
AWS / iOS / Cognito:此身份池不支持未经身份验证的访问
AWS Cognito Identity Null
iOS 应用程序:如何访问其他用户保存在 cognito identity id 文件夹下的 S3 对象
亚马逊认知和身份池问题
如何将Cognito用户池与Cognito联合身份池集成
Amazon Cognito开发人员使用iOS SDK验证了身份
使用Amazon Cognito身份用户池
AWS Cognito联合身份池-身份验证角色
相关标签