[英]Not able to give a Cognito User access on a certain S3 bucket
我有一个用户池和一个身份池,我在身份池中为身份验证用户提供的角色具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket123",
"arn:aws:s3:::testbucket456",
"arn:aws:s3:::testbucket987"
]
}
]
}
我使用 Web Identity 创建了一个名为Role_testbucket456_User_X
的新角色,并添加了一个条件,其中cognito-identity.amazonaws.com:sub
是 stringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c
,并附加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我将具有子8e23d688-1f28-445c-8966-fdcb967c8e3c
的 Cognito 用户 Y 添加到名为testbucket456_Users
的 Cognito 用户池组
然后将角色Role_testbucket456_User_X
附加到这个组testbucket456_Users
我期望的是,除了具有子8e23d688-1f28-445c-8966-fdcb967c8e3c
的用户 Y 能够访问testbucket456
存储桶上的读/写之外,没有任何 Cognito 用户对任何 S3 存储桶具有读/写访问权限。 但不幸的是,这并没有奏效。
因此,我已将以下存储桶策略添加到testbucket456
存储桶中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
但这仍然没有用,每当我尝试调用此方法时,我仍然遇到访问被拒绝的问题:
const listObjectParams = {
Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
if (err) {
console.log(err);
return;
}
console.log(data);
console.log(`Successfully listed objects in `);
});
当我将testbucket456
存储桶的策略设置为
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我可以使用 Cognito 用户访问(列出对象)存储桶,我认为问题出在存储桶的策略本身,特别是在Principal
字段中。
可能的问题
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
像下面这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket456"
]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
]
}
有人可以确认吗?
这个答案就是解决方案,我不得不更改赋予 Cognito 用户的默认角色
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.