How do I pass the user credentials to access an S3 bucket once the user is authenticated by Cognito?
How do I only allow an authenticated user (using Cognito) access to their own S3 bucket/key specifically?
Our basic application flow is as follows:

React app: user logs in ---> authenticates with Cognito -> is then redirected to a portal where they can upload files to S3.

The "folders" in S3 are structured like this: each user's email has a folder/key in the S3 bucket (let's call this bucket "testbucket").

So if my email is john@google.com, it would look like this: bucket - testbucket, key - john@google.com

John can only upload to that folder.

Now my question is, right now I'm checking whether the "key" exists, and if not, rejecting the request to S3. However, after adding a KMS layer, I'm wondering whether I pass the KMS "master key" when making the request in Node? If so, do I just keep the key in, for example, an env variable and pass it along when making the call?

Also, is there something I can add to the policy to tie access to the authenticated Cognito user or the user's email? If so, could I get an example? (how to implement an example policy)
Edit 1: user policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["cognito/users/"]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListObject"],
      "Resource": [
        "arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```
Edit 2: modified policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::mybucket"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["cognito/users/"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```
Then I make the API call like this:

```javascript
// AWS SDK v2 (AWS) and amazon-cognito-identity-js (AmazonCognitoIdentity) are
// assumed to be loaded and userPool to be constructed; the region must be set
// before any CognitoIdentity or S3 call.
AWS.config.region = 'ca-central-1';
// At this stage the S3 client is created with the default credentials, not yet
// with the credentials of the authenticated identity (see the latest edit).
var s3 = new AWS.S3();

var authenticate = (val) => {
  var userData = {
    Username: val.user, // your username here
    Pool: userPool
  };
  var authenticationData = {
    Username: val.user, // your username here
    Password: val.pass  // your password here
  };
  var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(authenticationData);
  var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
  cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function(result) {
      var accessToken = result.getAccessToken().getJwtToken();
      var idtoken = result.getIdToken().getJwtToken();
      var params = {
        IdentityPoolId: 'ca-central-1:****',
        Logins: {
          'cognito-idp.ca-central-1.amazonaws.com/****': result.getIdToken().getJwtToken()
        }
      };
      var cognitoidentity = new AWS.CognitoIdentity();
      // Exchange the user pool ID token for an identity pool identity id
      cognitoidentity.getId(params, function(err, data) {
        if (err) console.log(err);
        else {
          var id = data.IdentityId;
          console.log(id);
          var params = {
            Bucket: 'mybucket',
            Key: `cognito/users/${id}/image.jpg`
          };
          s3.getObject(params, function(err, data) {
            if (err) console.log(err, err.stack);
            else console.log(data);
          });
        }
      });
    },
    onFailure: function(err) {
      console.log("---------");
      console.log(`this is ${JSON.stringify(err)}`);
    }
  });
};
```
Latest edit:

```javascript
// Assumes AWS.config.region is set and cognitoUser/authenticationDetails are
// built as in the previous snippet.
cognitoUser.authenticateUser(authenticationDetails, {
  onSuccess: function(result) {
    var accessToken = result.getAccessToken().getJwtToken();
    var idtoken = result.getIdToken().getJwtToken();
    var params = {
      IdentityPoolId: 'ca-central-1:***',
      Logins: {
        'cognito-idp.ca-central-1.amazonaws.com/***': result.getIdToken().getJwtToken()
      }
    };
    var cognitoidentity = new AWS.CognitoIdentity();
    cognitoidentity.getId(params, function(err, data) {
      if (err) console.log(err);
      else {
        // console.log(data);
        var id = data.IdentityId;
        console.log(id);
        var params = {
          IdentityId: `${id}`,
          Logins: {
            'cognito-idp.ca-central-1.amazonaws.com/***': result.getIdToken().getJwtToken()
          }
        };
        // Obtain temporary credentials scoped by the identity pool's authenticated role
        cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
          if (err) console.log(err, err.stack); // an error occurred
          else {
            // console.log(data); // successful response
            // GetCredentialsForIdentity returns AccessKeyId, SecretKey and SessionToken
            var creds = new AWS.Credentials({
              accessKeyId: `${data.Credentials.AccessKeyId}`,
              secretAccessKey: `${data.Credentials.SecretKey}`,
              sessionToken: `${data.Credentials.SessionToken}`
            });
            // The service constructor takes a config object; pass the credentials under `credentials`
            var s3 = new AWS.S3({ credentials: creds });
            console.log(creds);
            var params = {};
            s3.listBuckets(params, function(err, data) {
              if (err) console.log(err, err.stack);
              else console.log(data);
            });
          }
        });
      }
    });
  },
  onFailure: function(err) {
    console.log(err);
  }
});
```
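An added example, not code from the question or from AWS: a small evaluator for the revised (Edit 2) policy that shows which S3 calls it admits for one Cognito identity. The identity id and keys are constructed, and it models only Allow statements, `*`/`?` wildcards, the `${cognito-identity.amazonaws.com:sub}` variable and a StringLike `s3:prefix` condition, far less than real IAM evaluation.

```javascript
// The Edit 2 policy from the question, as a JS object.
const POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:ListBucket'], Resource: ['arn:aws:s3:::mybucket'],
      Condition: { StringLike: { 's3:prefix': ['cognito/users/'] } } },
    { Effect: 'Allow', Action: ['s3:PutObject', 's3:DeleteObject'],
      Resource: ['arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}',
                 'arn:aws:s3:::mybucket/cognito/users/${cognito-identity.amazonaws.com:sub}/*'] },
  ],
};

// IAM "*" and "?" wildcards become an anchored RegExp; everything else is literal.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^${escaped.replace(/\*/g, '.*').replace(/\?/g, '.')}$`);
}

// Replace the Cognito identity policy variable with the caller's identity id.
function substitute(text, identityId) {
  return text.split('${cognito-identity.amazonaws.com:sub}').join(identityId);
}

// StringLike: every condition key must be present in the request context and
// match at least one pattern; a pattern without wildcards is an exact match.
function conditionMatches(condition, context) {
  const like = (condition && condition.StringLike) || {};
  return Object.entries(like).every(([key, patterns]) =>
    context[key] !== undefined && patterns.some((p) => globToRegExp(p).test(context[key])));
}

// request = { action, resource, context }; context carries condition keys such as s3:prefix.
function isAllowed(policy, identityId, request) {
  return policy.Statement.some((st) =>
    st.Effect === 'Allow' &&
    st.Action.includes(request.action) &&
    st.Resource.some((r) => globToRegExp(substitute(r, identityId)).test(request.resource)) &&
    conditionMatches(st.Condition, request.context || {}));
}

// Constructed sample identity and key (not real values).
const ME = 'ca-central-1:11111111-2222-3333-4444-555555555555';
const OWN_KEY = `arn:aws:s3:::mybucket/cognito/users/${ME}/image.jpg`;
const BUCKET = 'arn:aws:s3:::mybucket';
console.log(isAllowed(POLICY, ME, { action: 's3:PutObject', resource: OWN_KEY })); // true
console.log(isAllowed(POLICY, ME, { action: 's3:GetObject', resource: OWN_KEY })); // false
console.log(isAllowed(POLICY, ME, { action: 's3:ListBucket', resource: BUCKET,
  context: { 's3:prefix': `cognito/users/${ME}/` } })); // false
```

Running it shows that under Edit 2 a GetObject on the user's own key is not allowed (only Put and Delete are granted), and that ListBucket passes only when the request prefix is exactly `cognito/users/`, because a StringLike pattern without a wildcard is an exact match.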