如何为 Cognito 担任跨账户角色?
[英]How to Assume a Cross-Account Role for Cognito?
问题描述
- 我在 AWS 账户 acc-1 上有一个 Cognito 用户池,在 acc-2 上运行一个 Java 代码,它使用“adminInitiateAuth”进行身份验证,由于某些原因,我无法使用 clientInitiateAuth。
- 我在 acc-1 上创建了一个跨账户角色,由我在 acc-2 上的 Java 代码承担
问题:当我向 Cognito 发送身份验证请求时,如何代入该角色? 是否可以使用withRoleArn() ?
我看到了这个页面,它解释了如何“使用 API 网关控制台为 REST API 配置跨账户 Amazon Cognito 授权方”。 但这不是我想要做的。
我的代码:
protected AdminInitiateAuthRequest createInitialRequest(String username, String password) {
Map<String, String> authParams = new HashMap<>();
authParams.put("USERNAME", username);
authParams.put("PASSWORD", password);
return new AdminInitiateAuthRequest()
.withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
.withAuthParameters(authParams)
.withClientId(whoAmIService.getCognitoClientId())
.withUserPoolId(whoAmIService.getCognitoPoolId());
}
protected boolean isAuthenticatedByCognito(String username, String password) {
AWSCognitoIdentityProvider awsCognitoIDPClient = createCognitoIDPClient();
AdminInitiateAuthRequest authRequest = createInitialRequest(username, password);
try {
AdminInitiateAuthResult authResponse = awsCognitoIDPClient.adminInitiateAuth(authRequest);
AuthenticationResultType authenticationResultType = authResponse.getAuthenticationResult();
String cognitoAccessToken = authenticationResultType.getAccessToken();
whoAmIService.setCognitoAccessToken(cognitoAccessToken);
Map<String, String> challengeParams = authResponse.getChallengeParameters();
String cognitoUserIdForSrp = challengeParams.get("USER_ID_FOR_SRP");
String cognitoUserAttributes = challengeParams.get("userAttributes");
logger.debug("Cognito authenticated user ID: {} with user attributes: {}"
, cognitoUserIdForSrp, cognitoUserAttributes);
return true;
} catch (NotAuthorizedException nae) {
logger.error("Invalid Cognito username/password provided for {}", username);
return false;
} catch (AWSCognitoIdentityProviderException acipe) {
logger.error("Base exception for all service exceptions thrown by Amazon Cognito Identity Provider", acipe);
return false;
}
}
1 个解决方案
解决方案1
0 2020-05-20 23:11:09
我找到了如何使用 STS 来做到这一点。 更改此行:
AWSCognitoIdentityProvider awsCognitoIDPClient = createCognitoIDPClient();
到:
String roleARN= "YOUR_CROSS_ACCOUNT_ROLE_ARN";
String roleSessionName = "GIVE_A_SESSION_NAME";
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder
.standard()
.withCredentials(new ProfileCredentialsProvider())
.build();
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
.withRoleArn(roleARN)
.withRoleSessionName(roleSessionName);
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
sessionCredentials.getAccessKeyId(),
sessionCredentials.getSecretAccessKey(),
sessionCredentials.getSessionToken());
AWSCognitoIdentityProvider cognitoIPCB = AWSCognitoIdentityProviderClientBuilder
.standard()
.withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
.build();
使用 Terraform 在 Route 53 中跨账户子域/托管区域委派
[英]Cross-account subdomain/hosted zone delegation in Route 53 with Terraform
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.