使用 Cognito UnAuth 角色时的 IAM 权限问题
[英]IAM permission issue when using Cognito UnAuth role
问题描述
我正在制作一个简单的 React 应用程序来通过 DescribeDBInstances API 访问 RDS 数据。 我想允许公共访问,所以我使用 Cognito 并启用了未经身份验证的访问。
我将以下策略附加到提供的 UnAuth 角色,但在尝试使用来自 JavaScript (nodejs) 的 RDS API 时仍然出现以下错误:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "rds:DescribeDBInstances",
"Resource": "*"
}
]
}
AccessDenied: User: arn:aws:sts::(account):assumed-role/Cognito_TestUnauth_Role/CognitoIdentityCredentials is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-east-1:(account):db:*
我编辑了我的帐户 ID。
还附加了此默认策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource": "*"
}
]
}
这是我的调用代码:
import { RDSClient, DescribeDBInstancesCommand } from "@aws-sdk/client-rds";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-provider-cognito-identity";
// see https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/index.html
export default async function getDbInstances() {
const region = "us-east-1";
const client = new RDSClient({
region,
credentials: fromCognitoIdentityPool({
client: new CognitoIdentityClient({ region }),
identityPoolId: "(my identity pool ID)",
})
});
const command = new DescribeDBInstancesCommand({});
return await client.send(command).DBInstances;
}
我在这里有点疯狂,似乎一切都设置正确。 什么不见了?
1 个解决方案
解决方案1
0 已采纳 2021-06-01 12:39:10
我在 Cognito 的 IAM 角色文档中找到了答案: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html (参见“访问策略”部分)
建议 Cognito 使用增强型身份验证并默认启用,但由于它在后台使用 GetCredentialForIdentity API,因此无论 IAM 策略如何,访问都仅限于某些 AWS 服务(RDS 不是允许的服务)。 我没有看到任何方法可以覆盖此限制。
解决方案是切换到基本身份验证(您必须首先在 Cognito 身份池设置中启用它)。 这是我使用基本身份验证然后获取 RDS 实例的工作 nodejs 代码:
import { RDSClient, DescribeDBInstancesCommand } from "@aws-sdk/client-rds";
import {
CognitoIdentityClient,
GetIdCommand ,
GetOpenIdTokenCommand
} from "@aws-sdk/client-cognito-identity";
import { getDefaultRoleAssumerWithWebIdentity } from "@aws-sdk/client-sts";
import { fromWebToken } from "@aws-sdk/credential-provider-web-identity";
const region = "us-east-1";
const cognitoClient = new CognitoIdentityClient({ region })
// see https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-rds/index.html
export default async function getDbInstances() {
const { Token, IdentityId } = await getTokenUsingBasicFlow();
const client = new RDSClient({
region,
credentials: fromWebToken({
roleArn: "arn:aws:iam::(account id):role/Cognito_RDSDataAppPoolUnauth_Role",
webIdentityToken: Token,
roleSessionName: IdentityId.substring(IdentityId.indexOf(":") + 1),
roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity()
})
});
const command = new DescribeDBInstancesCommand({});
return (await client.send(command)).DBInstances;
}
async function getTokenUsingBasicFlow() {
const getIdCommand = new GetIdCommand({ IdentityPoolId: "us-east-1:(identity pool id)" });
const id = (await cognitoClient.send(getIdCommand)).IdentityId;
const getOpenIdTokenCommand = new GetOpenIdTokenCommand({ IdentityId: id });
return await cognitoClient.send(getOpenIdTokenCommand);
}
这是我编写实现所遵循的基本身份验证流程与增强的文档: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
使用AWS Node.JS SDK时是否需要缓存IAM角色凭证
[英]Do I need to cache the IAM role credentials when using the AWS Node.JS SDK
如何在不提供访问密钥和秘密密钥的情况下使用“ node-ses”发送原始电子邮件? 或使用IAM角色
[英]How to send raw email using “node-ses” without providing access key and secret key ? or by using IAM role
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.