使用 CloudFormation 为身份池定义 IAM 角色以访问 s3 存储桶
[英]Defining IAM Roles for Identity Pool with CloudFormation to access s3 bucket
原文
2020-05-07 18:36:44
7
1
amazon-web-services/
amazon-s3/
amazon-cloudformation/
amazon-cognito/
aws-userpools
问题描述
我正在尝试为使用 Cloud Formation 连接到用户池的身份池定义授权/未授权角色。 我正在使用这些说明: https://docs.amplify.aws/lib/storage/getting-started/q/platform/js#using-amazon-s3
但到目前为止,我还没有成功。 当 UI 使用身份池 ID 调用 Amplify.configure 时,我收到“无效的身份池配置。检查为此池分配的 IAM 角色。”
这就是我所拥有的:
MyCognitoUserPool:
Type: AWS::Cognito::UserPool
Properties:
...
MyCognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
UserPoolId: !Ref MyCognitoUserPool
GenerateSecret: false
MyIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
CognitoIdentityProviders:
- ClientId: !Ref MyCognitoUserPoolClient
ProviderName: !GetAtt MyCognitoUserPool.ProviderName
MyIdentityPoolAuthRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated:
- cognito-identity.amazonaws.com
Action:
- sts:AssumeRole
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !ImportValue mydevDocumentBucketArn
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- authenticated
Policies:
- PolicyName: identity-pool-auth-cognito-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cognito-identity:*
- cognito-sync:*
Resource: '*'
- PolicyName: identity-pool-auth-public-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:DeleteObject
- s3:GetObject
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/public/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- Fn::Sub:
- '${documentBucket}/protected/${identitySub}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
identitySub: ${cognito-identity.amazonaws.com:sub}
- Fn::Sub:
- '${documentBucket}/private/${identitySub}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
identitySub: ${cognito-identity.amazonaws.com:sub}
- PolicyName: identity-pool-auth-uploads-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/uploads/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-auth-protected-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource:
- Fn::Sub:
- '${documentBucket}/protected/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-auth-list-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource: !ImportValue mydevDocumentBucketArn
Condition:
StringLike:
s3:prefix:
- 'public/'
- 'public/*'
- 'protected/'
- 'protected/*'
- 'private/${cognito-identity.amazonaws.com:sub}/'
- 'private/${cognito-identity.amazonaws.com:sub}/*'
MyIdentityPoolUnAuthRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Federated:
- cognito-identity.amazonaws.com
Action:
- sts:AssumeRole
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !ImportValue mydevDocumentBucketArn
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- unauthenticated
Policies:
- PolicyName: identity-pool-unauth-sync-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- cognito-sync:*
Resource: '*'
- PolicyName: identity-pool-unauth-public-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:DeleteObject
Resource:
- Fn::Sub:
- '${documentBucket}/public/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-uploads-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Sub:
- '${documentBucket}/uploads/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-protected-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
Resource:
- Fn::Sub:
- '${documentBucket}/protected/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
- PolicyName: identity-pool-unauth-list-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource:
- Fn::Sub:
- '${documentBucket}/*'
- documentBucket: !ImportValue mydevDocumentBucketArn
Condition:
StringLike:
s3:prefix:
- 'public/'
- 'public/*'
- 'protected/'
- 'protected/*'
MyIdentityPoolRoleAtt:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref MyIdentityPool
Roles:
"authenticated": !GetAtt MyIdentityPoolAuthRole.Arn
"unauthenticated": !GetAtt MyIdentityPoolUnAuthRole.Arn
```
1 个解决方案
解决方案1
1 已采纳 2020-05-09 16:41:39
对我来说,您的 Auth 和 Unauth 角色的信任策略似乎存在一些问题:
首先,角色允许的Action应该是sts:AssumeRoleWithWebIdentity而不是sts:AssumeRole 。
-
AssumeRole为现有 IAM 用户提供额外的临时权限。 AssumeRole 需要现有的有效 IAM 用户凭证。 -
AssumeRoleWithWebIdentity向已通过某些 web 身份提供者(例如 Cognito 用户池或 Facebook 等)身份验证的应用用户提供临时凭据。
其次,您的信托政策的条件部分应如下所示:
Condition:
StringEquals:
cognito-identity.amazonaws.com:aud:
- !Ref MyIdentityPool
ForAnyValue:StringLike:
cognito-identity.amazonaws.com:amr:
- authenticated # or unauthenticated
cognito-identity.amazonaws.com:aud部分限制了将此角色分配给作为特定身份池成员的用户,而您引用的是 S3 存储桶的 arn。
仅可访问特定S3存储桶的IAM组的AWS CloudFormation模板
[英]AWS CloudFormation Template for an IAM Group That May Only Access a Specific S3 Bucket
Kube.netes 服务帐户的跨帐户 IAM 角色 - s3 存储桶
[英]Cross account IAM roles for Kubernetes service account - s3 bucket
有没有办法使用 AWS Amplify 库 (JavaScript) 在没有认知用户池和身份池的情况下访问 s3 存储桶?
[英]Is there a way to use AWS Amplify library (JavaScript) to access s3 bucket without cognito user poool and identity pool?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
CloudFormation、S3 存储桶访问跨账户 IAM 角色
仅可访问特定S3存储桶的IAM组的AWS CloudFormation模板
PySpark 使用 IAM 角色访问 S3
使用cloudformation更新S3存储桶的IAM策略
CloudFormation Lambda S3存储桶访问被拒绝
Kube.netes 服务帐户的跨帐户 IAM 角色 - s3 存储桶
Amazon S3 IAM用户无法访问S3存储桶
有没有办法使用 AWS Amplify 库 (JavaScript) 在没有认知用户池和身份池的情况下访问 s3 存储桶?
Spark + S3 + IAM 角色
使用IAM角色限制对s3存储桶的访问
相关标签