
How to call AWS API Gateway Endpoint with Cognito Id (+configuration)?

I want to call an AWS API Gateway Endpoint protected by AWS_IAM using the generated JavaScript API SDK.

I have a Cognito UserPool and a Cognito Identity Pool, both correctly synced via the ClientId.

I use this code to sign in and get a Cognito Identity:

AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

AWSCognito.config.region = 'us-east-1';
AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXXXXXX' // your identity pool id here
});

var poolData = {
  UserPoolId: 'us-east-1_XXXXXXXX',
  ClientId: 'XXXXXXXXXXXXXXXXXXXXXXXX'
};
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

var authenticationData = {
  Username: 'user',
  Password: '12345678'
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
var userData = {
  Username: 'user',
  Pool: userPool
};
var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
  onSuccess: function (result) {
    console.log('access token + ' + result.getAccessToken().getJwtToken());

    // Exchange the User Pool id token for Identity Pool (IAM) credentials
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
      IdentityPoolId: 'us-east-1:XXXXXXXXXXXXXXXXXXXX',
      IdentityId: AWS.config.credentials.identityId,
      Logins: {
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_XXXXXX': result.idToken.jwtToken
      }
    });

    AWS.config.credentials.get(function (err) {
      // now I'm using authenticated credentials
      if (err) {
        console.log('error in authenticating AWS' + err);
      } else {
        console.log(AWS.config.credentials.identityId);
      }
    });
  },

  onFailure: function (err) {
    alert(err);
  }
});

All of this succeeds, and I now have an authorized Cognito Identity.

Now I try to call the API Gateway Endpoint to execute the Lambda Function it points to:

var apigClient = apigClientFactory.newClient({
  accessKey: AWS.config.credentials.accessKeyId, //'ACCESS_KEY',
  secretKey: AWS.config.credentials.secretAccessKey, //'SECRET_KEY',
  sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
  region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

var params = {
  // This is where any modeled request parameters should be added.
  // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {
  // This is where you define the body of the request,
  query: '{person {firstName lastName}}'
};

var additionalParams = {
  // If there are any unmodeled query parameters or headers that must be
  //   sent with the request, add them here.
  headers: {},
  queryParams: {}
};

apigClient.graphqlPost(params, body, additionalParams)
  .then(function (result) {
    // Add success callback code here.
    console.log(result);
  })
  .catch(function (result) {
    // Add error callback code here.
    console.log(result);
  });

But unfortunately, this fails. The OPTIONS request succeeds with 200, but the POST fails with 403.

I'm pretty sure there is no CORS issue here.

I'm pretty sure the problem is related to the IAM Roles and AWS Resource Configurations.

My question is basically: could you please provide me with all the necessary AWS Resource Configurations and IAM Roles?

The resources I have are:

  • API Gateway - with a deployed API endpoint
  • Lambda Function - invoked by the endpoint
  • Cognito User Pool - the app is synced to the Identity Pool
  • Cognito Identity Pool - mapped to authorized and unauthorized roles
  • IAM Roles - for the Lambda function, and the authorized and unauthorized roles for the Cognito Identity Pool

But I don't know how to configure these resources correctly to make it work.

Thanks

What access does the role for the Cognito identity have? Make sure it has permission to perform execute-api:Invoke on your API:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:<account>:<rest-api>/*/POST/graphql"
      ]
    }
  ]
}

You can get the exact resource ARN from the "Method Settings" page in the web console.

Even after following all the steps, I still got the same error. The reason was that I had missed the "sessionToken" when initializing apigClient.

var apigClient = apigClientFactory.newClient({
  accessKey: AWS.config.credentials.accessKeyId, //'ACCESS_KEY',
  secretKey: AWS.config.credentials.secretAccessKey, //'SECRET_KEY',
  sessionToken: AWS.config.credentials.sessionToken, // 'SESSION_TOKEN', //OPTIONAL: If you are using temporary credentials you must include the session token
  region: 'us-east-1' // OPTIONAL: The region where the API is deployed, by default this parameter is set to us-east-1
});

// OPTIONAL: If you are using temporary credentials you must include the session token - not really optional
