[英]AccessDeniedException for the action that is allowed to a role by a policy on AWS timestream
我正在尝试从 web 应用程序读取时间流数据以供公众使用。 我遵循了 AWS 的本教程,以允许任何用户在 web 浏览器上查看数据。 之后,由于发现端点失败,我关注了这个 github 问题。
我现在遇到的问题是它现在返回这些错误。
POST https://query.timestream.us-west-2.amazonaws.com/ 403 (Forbidden)
Uncaught (in promise) AccessDeniedException:
User: arn:aws:sts::<number here>:assumed-role/Cognito_izunumaUnauth_Role/CognitoIdentityCredentials
is not authorized to perform: timestream:DescribeEndpoints because no session policy allows
the timestream:DescribeEndpoints action
我已经将策略附加到Cognito_izunumaUnauth_Role以允许 timestream timestream:DescribeEndpoints并检查它是否适用于 IAM 上的模拟器,所以我不知道如何解决此错误。
现在我的 React 应用程序中的代码看起来像这样。
import * as AWS from "@aws-sdk/client-timestream-query";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import {
fromCognitoIdentityPool,
} from "@aws-sdk/credential-provider-cognito-identity";
import {useEffect} from 'react';
function App() {
useEffect(()=>{
(async () => {
const endpointsQueryClient = new AWS.TimestreamQuery({
region: "us-west-2",
credentials: fromCognitoIdentityPool({
client: new CognitoIdentityClient({ region: "us-west-2" }),
identityPoolId: "<IDENTITY_POOL_ID>",
})
});
const qClientResponse = await endpointsQueryClient.describeEndpoints({});
console.log(qClientResponse);
const queryClient = new AWS.TimestreamQuery({
region: "us-west-2",
credentials: fromCognitoIdentityPool({
client: new CognitoIdentityClient({ region: "us-west-2" }),
identityPoolId: "<IDENTITY_POOL_ID>",
}),
endpoint: `https://${qClientResponse.Endpoints[0].Address}`,
});
const QueryString = `SELECT * FROM solarpanel_test.solarpanel_test WHERE time between ago(30000m) and now() ORDER BY time DESC LIMIT 200`;
console.log(await queryClient.query({ QueryString }));
})()
},[])
return (
<div className="App">
<header className="App-header">
<img src={logo} className="App-logo" alt="logo" />
<p>
Edit <code>src/App.js</code> and save to reload.
</p>
<a
className="App-link"
href="https://reactjs.org"
target="_blank"
rel="noopener noreferrer"
>
Learn React
</a>
</header>
</div>
);
}
export default App;
我是 AWS 的新手,所以任何建议都会有所帮助。
我理解您的担忧,aws 对每个操作都有细粒度的策略。
一个用于描述端点,另一个用于 select,然后另一个用于 preparequery 等等......
您还需要在此处添加 SELECT 策略。
在描述终点后,您正在运行 select 查询。 读取策略有近 7 个动作。 而 DescribePolicies (describeEndpoint/ ListDatabases) 只是列出数据库/表,而不是读取数据。
这是我遇到的确切问题,我认为这是关于授权的问题,是的,这是完全正确的,但是,这个错误是指你的角色,所以我们在这里使用 STSClient,首先发送并使用该角色凭据来使用另一个aws的特点
const params = {
RoleArn: "<role>",
RoleSessionName: "<name>",
};
const clientRole = new STSClient({
region: "us-west-2",
credentials: aws_creds,
});
const roleCommand = new AssumeRoleCommand({
RoleArn: "<role>",
RoleSessionName: "<name>",
})
const role = await clientRole.send(roleCommand);
const role_creds = {
accessKeyId: role.Credentials.AccessKeyId,
secretAccessKey: role.Credentials.SecretAccessKey,
sessionToken: role.Credentials.SessionToken,
};
const query = `SELECT * FROM db.table ORDER BY column DESC LIMIT 5`;
const timestreamQuery = new TimestreamQueryClient({
region: "us-west-2",
credentials: role_creds,
});
const queryCommand = new QueryCommand({QueryString: query})
// use it like `timestreamQuery.send(queryCommand, (err, data)=> { ... })`
AWS timestream-write 获取“调用 DescribeEndpoints 操作时发生错误 (AccessDeniedException):不允许执行此操作。”
[英]AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed."
terraform managed_policy_arns 问题与 aws_iam_role
[英]terraform managed_policy_arns issue with aws_iam_role
AWS StateMachine AccessDeniedException 步骤:CleanUpOnError
[英]AWS StateMachine AccessDeniedException in step: CleanUpOnError
aws_iam_role 和aws_iam_role_policy 是什么意思?
[英]What is the meaning of aws_iam_role and aws_iam_role_policy?
用户、组、角色、策略和 AWS 服务之间的关系是什么?
[英]What is the relation between user, group, role, policy and AWS services?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.