![](/img/trans.png)
[英]AWS Cognito: “Unauthenticated access is not supported for this identity pool.”
[英]Unauthenticated access is not supported for this identity pool with user pool
我有一個Cognito用戶池,可以通過一個應用程序注冊/登錄我的用戶,然后使用Cognito身份提供身份驗證。 我已禁用未經身份驗證的用戶。 用戶注冊后,將在池中創建該用戶。 當他登錄時,將在身份池中創建該身份,並且我可以看到該身份已鏈接到用戶池(鏈接登錄)。 但是,當用戶嘗試訪問AWS資源(Dynamo,Lambda函數等)時,調用將返回“此身份池不支持未經身份驗證的訪問” 。 但是,我可以獲取用戶詳細信息和標識ID,這是在標識池中創建的標識。
這是我使用的代碼:
func cognitoUserPoolInit(window:UIWindow, debugLogFiles: DebugLogFiles) {
self.window = window
//Configure Cognito Identity User Pool. Edit ConstantAWS to change pool
let serviceConfiguration = AWSServiceConfiguration(region: K.COGNITO_REGIONTYPE, credentialsProvider: nil)
let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: K.COGNITO_USER_POOL_APP_CLIENT_ID, clientSecret: K.COGNITO_USER_POOL_APP_CLIENT_SECRET, poolId: K.COGNITO_USER_POOL_ID)
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "UserPool")
self.pool = AWSCognitoIdentityUserPool(forKey: "UserPool")
self.pool!.delegate = self
self.cognitoIdentityUser = self.pool!.currentUser()
}
func getCognitoUserPoolUserId() {
self.cognitoIdentityUser!.getDetails().continueWithBlock() { (task) in
dispatch_async(dispatch_get_main_queue()) {
self.needtoGetCognitoUserId = false
if task.error != nil { // some sort of error
let alert = UIAlertController(title: "", message: task.error?.userInfo["message"] as? String, preferredStyle: UIAlertControllerStyle.Alert)
alert.addAction(UIAlertAction(title: "Click", style: UIAlertActionStyle.Default, handler: nil))
NSLog("Domain: " + (task.error?.domain)! + " Code: \(task.error?.code)")
if task.error?.code == NSURLErrorNotConnectedToInternet {
self.lastError = (task.error?.code)!
//no internet connection. Fire a timer to get our credential as soon as network is back
let internetOfflineTimer:NSTimer = NSTimer.scheduledTimerWithTimeInterval(10.0, target: self, selector: #selector(UserPool.internetOffline), userInfo: nil, repeats: false)
dispatch_async(dispatch_get_main_queue(), {() -> Void in
NSRunLoop.mainRunLoop().addTimer(internetOfflineTimer, forMode: NSDefaultRunLoopMode)
})
} else {
if task.error?.userInfo["message"] != nil {
NSLog(task.error?.userInfo["message"] as! String)
}
}
} else {
// I got no error
// i got the username earlier - use it
self.lastError = 0
if let response: AWSCognitoIdentityUserGetDetailsResponse = task.result as? AWSCognitoIdentityUserGetDetailsResponse {
var sub: String?
for attribute in response.userAttributes! {
if attribute.name == "sub" {
sub = attribute.value
NSLog("sub:" + sub!)
break;
}
}
//if the user Id, then go ahead and get the dynamoDB table
if sub != nil {
self.cognitoUserPoolUserId = sub
self.getCognitoIdentity()
} else {
NSLog("UserId not found in response")
}
}
}
}
return nil
}
}
func getCognitoIdentity() -> Bool {
// Initialize the Amazon Cognito credentials provider
//get pool id from plist (Federated Identieis pool not User pool)
var myDict: NSDictionary?
var identityPoolID: String?
var region: String?
//PoolId points to TestIDPool in the Federated Identitied/West region for test purpose
if let path = NSBundle.mainBundle().pathForResource("Info", ofType: "plist") {
myDict = NSDictionary(contentsOfFile: path)
identityPoolID = myDict!.objectForKey("AWS")!.objectForKey("CredentialsProvider")!.objectForKey("CognitoIdentity")!.objectForKey("Default")!.objectForKey("PoolId")! as? String;
region = myDict!.objectForKey("AWS")!.objectForKey("CredentialsProvider")!.objectForKey("CognitoIdentity")!.objectForKey("Default")!.objectForKey("Region") as? String;
} else {
return false
}
self.credentialsProvider = AWSCognitoCredentialsProvider(regionType: region!.aws_regionTypeValue(), identityPoolId: identityPoolID!, identityProviderManager:self.pool)
AWSServiceManager.defaultServiceManager().defaultServiceConfiguration = AWSServiceConfiguration(region: .USWest2, credentialsProvider: self.credentialsProvider)
transferManager = AWSS3TransferManager.defaultS3TransferManager()
// Retrieve your Amazon Cognito ID
self.credentialsProvider!.getIdentityId().continueWithBlock { (task: AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error: " + task.error!.localizedDescription)
}
else {
// the task result will contain the identity id
print("cognitoId: " + self.credentialsProvider!.identityId!)
//At this point we get the identity to query the database
self.queryLatestItem()
}
return nil
}
return true
}
func queryLatestItem() {
let dynamoDBObjectMapper = AWSDynamoDBObjectMapper.defaultDynamoDBObjectMapper()
let queryExpression = AWSDynamoDBQueryExpression()
queryExpression.scanIndexForward = false
queryExpression.limit = 1
queryExpression.keyConditionExpression = "userId = :UID"
queryExpression.expressionAttributeValues = [":UID" : (self.cognitoUserPoolUserId)!]
dynamoDBObjectMapper .query(StatisticsDB.self, expression: queryExpression) .continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: { (task:AWSTask!) -> AnyObject! in
if (task.error != nil) {
print("Error: \(task.error)") --> this is where i get the unauthenticated error.....
...
cognitoUserPoolInit()
從的appDelegate和稱為getCognitoUserPoolUserId()
當用戶到達需要DynamoDB數據的UI。
如果我在聯合池中選擇“啟用對未經身份驗證的身份的訪問”,則可以正常工作。
另外,我有一個Web應用程序,可以登錄,正確進行身份驗證並可以毫無問題地訪問AWS服務。 我也是,我的AWS /角色配置應該很好,並且應用程序端可能發生了問題。
我不明白如何獲取用戶詳細信息和正確的身份ID(從print("cognitoId: " + self.credentialsProvider!.identityId!)
)並獲得未經身份驗證的錯誤。
再次重新啟動該應用程序會給出稍微不同的錯誤:
{
Connection = "keep-alive";
"Content-Length" = 129;
"Content-Type" = "application/x-amz-json-1.1";
Date = "Sun, 29 Jan 2017 20:04:06 GMT";
"x-amzn-ErrorMessage" = "Access to Identity 'us-west-2:714eccXXXa5-42d8-8b29-5e2XXXXXXX' is forbidden.";
"x-amzn-ErrorType" = "NotAuthorizedException:";
"x-amzn-RequestId" = "16fc81c2-e65e-11e6-9643-756bf858abb7";
}
為我使用的身份驗證添加了角色權限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*",
"dynamodb:*",
"lambda:*",
"s3:*"
],
"Resource": [
"*"
]
}
]
}
和信任關系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-west-2:7cXXXX5f-b91e-4fc9-a72c-6f91XXXXXXX"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
我找到了根本原因。 以下行將重新初始化先前設置的服務配置:
let dynamoDBObjectMapper = AWSDynamoDBObjectMapper.defaultDynamoDBObjectMapper()
因此,我用以下內容替換了前一行:
let objectMapperConfiguration = AWSDynamoDBObjectMapperConfiguration()
serviceConfig = AWSServiceConfiguration(region: .USWest2, credentialsProvider: self.credentialsProvider)
AWSDynamoDBObjectMapper.registerDynamoDBObjectMapperWithConfiguration(serviceConfig!, objectMapperConfiguration: objectMapperConfiguration, forKey: "USWest2DynamoDBObjectMapper")
let dynamoDBObjectMapper = AWSDynamoDBObjectMapper(forKey: "USWest2DynamoDBObjectMapper")
請參閱“使用Amazon Cognito配置文件中的AWS憑證” http://docs.aws.amazon.com/amazondynamodb/latest/gettingstartedguide/GettingStarted.Js.Summary.html在該示例中,它們為該類型的未授權身份創建未經身份驗證的角色訪問。 希望對您有幫助。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.