Defining IAM Roles for Identity Pool with CloudFormation to access s3 bucket

I'm trying to define the authenticated/unauthenticated roles for an identity pool that is connected to a user pool, using CloudFormation. I'm following these instructions: https://docs.amplify.aws/lib/storage/getting-started/q/platform/js#using-amazon-s3

But so far I haven't had any success. When the UI calls Amplify.configure with the identity pool ID, I get "Invalid identity pool configuration. Check assigned IAM roles for this pool."

This is what I have:

```yaml
  MyCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      ...

  MyCognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref MyCognitoUserPool
      GenerateSecret: false

  MyIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Required property; true because an unauthenticated role is attached below
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref MyCognitoUserPoolClient
          ProviderName: !GetAtt MyCognitoUserPool.ProviderName

  MyIdentityPoolAuthRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  - !ImportValue mydevDocumentBucketArn
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - authenticated
      Policies:
        - PolicyName: identity-pool-auth-cognito-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cognito-identity:*
                  - cognito-sync:*
                Resource: '*'
        - PolicyName: identity-pool-auth-public-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:DeleteObject
                  - s3:GetObject
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                  # identitySub carries the IAM policy variable through Fn::Sub unchanged,
                  # so IAM substitutes the caller's identity ID at request time
                  - Fn::Sub:
                    - '${documentBucket}/protected/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
                  - Fn::Sub:
                    - '${documentBucket}/private/${identitySub}/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
                      identitySub: ${cognito-identity.amazonaws.com:sub}
        - PolicyName: identity-pool-auth-uploads-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-protected-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-auth-list-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !ImportValue mydevDocumentBucketArn
                Condition:
                  StringLike:
                    s3:prefix:
                      - 'public/'
                      - 'public/*'
                      - 'protected/'
                      - 'protected/*'
                      - 'private/${cognito-identity.amazonaws.com:sub}/'
                      - 'private/${cognito-identity.amazonaws.com:sub}/*'

  MyIdentityPoolUnAuthRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated:
                - cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud:
                  - !ImportValue mydevDocumentBucketArn
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr:
                  - unauthenticated
      Policies:
        - PolicyName: identity-pool-unauth-sync-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cognito-sync:*
                Resource: '*'
        - PolicyName: identity-pool-unauth-public-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/public/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-uploads-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/uploads/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-protected-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - Fn::Sub:
                    - '${documentBucket}/protected/*'
                    - documentBucket: !ImportValue mydevDocumentBucketArn
        - PolicyName: identity-pool-unauth-list-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                # s3:ListBucket is authorised against the bucket ARN itself, not bucket/*
                Resource: !ImportValue mydevDocumentBucketArn
                Condition:
                  StringLike:
                    s3:prefix:
                      - 'public/'
                      - 'public/*'
                      - 'protected/'
                      - 'protected/*'

  MyIdentityPoolRoleAtt:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref MyIdentityPool
      Roles:
        "authenticated": !GetAtt MyIdentityPoolAuthRole.Arn
        "unauthenticated": !GetAtt MyIdentityPoolUnAuthRole.Arn
```
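The S3 policies in the question rely on the `${cognito-identity.amazonaws.com:sub}` policy variable and the `s3:prefix` condition to keep each identity inside its own `private/` prefix. As an added example (not code from the original question or its answer), here is a small offline evaluator that applies the authenticated role's S3 statements to sample requests, so the per-identity isolation can be checked before the template is deployed. The bucket ARN, the identity IDs and the function names are assumptions; the evaluator models only the subset of IAM these statements use.

```python
"""Offline check of the question's S3 permissions for a given Cognito identity.

Added example for this page, not code from the original post. It models only
the IAM features these statements use: Allow statements, '*'/'?' wildcards in
Resource, the ${cognito-identity.amazonaws.com:sub} policy variable, and the
StringLike operator on s3:prefix. Explicit Deny, bucket policies, SCPs and
other condition operators are not modelled. The bucket ARN, the identity IDs
and the function names are assumptions made here.
"""
import re

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
# Assumed bucket ARN; stands in for `!ImportValue mydevDocumentBucketArn` in the template.
BUCKET_ARN = "arn:aws:s3:::mydev-document-bucket"

# The authenticated role's S3 statements, transcribed from the question's template.
AUTH_ROLE_STATEMENTS = [
    {"Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": [f"{BUCKET_ARN}/public/*",
                  f"{BUCKET_ARN}/protected/{SUB_VAR}/*",
                  f"{BUCKET_ARN}/private/{SUB_VAR}/*"]},
    {"Action": ["s3:PutObject"], "Resource": [f"{BUCKET_ARN}/uploads/*"]},
    {"Action": ["s3:GetObject"], "Resource": [f"{BUCKET_ARN}/protected/*"]},
    {"Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN],
     "Condition": {"StringLike": {"s3:prefix": [
         "public/", "public/*", "protected/", "protected/*",
         f"private/{SUB_VAR}/", f"private/{SUB_VAR}/*"]}}},
]


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(statements, identity_sub, action, resource, context=None):
    """True if some Allow statement matches once the identity's sub is substituted.

    `context` carries request condition keys, e.g. {"s3:prefix": "private/<sub>/"}
    for a ListBucket call. A StringLike condition whose key is absent from the
    request evaluates to false (there is no ...IfExists here), so listing the
    bucket with no prefix at all is denied.
    """
    context = context or {}
    for stmt in statements:
        if not any(iam_match(a, action) for a in stmt["Action"]):
            continue
        # Policy variables are substituted before the resource ARN is matched.
        resources = [r.replace(SUB_VAR, identity_sub) for r in stmt["Resource"]]
        if not any(iam_match(r, resource) for r in resources):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context
               and any(iam_match(p.replace(SUB_VAR, identity_sub), context[key]) for p in patterns)
               for key, patterns in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    alice = "us-east-1:11111111-aaaa-bbbb-cccc-222222222222"  # assumed identity IDs
    bob = "us-east-1:33333333-dddd-eeee-ffff-444444444444"
    print(is_allowed(AUTH_ROLE_STATEMENTS, alice, "s3:GetObject", f"{BUCKET_ARN}/private/{alice}/notes.txt"))  # True
    print(is_allowed(AUTH_ROLE_STATEMENTS, alice, "s3:GetObject", f"{BUCKET_ARN}/private/{bob}/notes.txt"))    # False
    print(is_allowed(AUTH_ROLE_STATEMENTS, alice, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": f"private/{bob}/"}))  # False
```

The interesting cases are the ones the Amplify access levels are built on: an identity can read any other identity's `protected/` objects but cannot write them, cannot read or list another identity's `private/` prefix, and cannot list the bucket without a prefix because the `s3:prefix` key is then absent and `StringLike` fails.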

It looks to me like there are a few problems with the trust policies of your Auth and Unauth roles:

First, the Action the role allows should be sts:AssumeRoleWithWebIdentity rather than sts:AssumeRole

  • AssumeRole gives additional temporary permissions to an existing IAM user. AssumeRole requires existing valid IAM user credentials.
  • AssumeRoleWithWebIdentity gives temporary credentials to an application user who has been authenticated by some web identity provider (such as a Cognito user pool, Facebook, etc.).

Second, the Condition section of your trust policy should look like this:

```yaml
Condition:
  StringEquals:
    cognito-identity.amazonaws.com:aud:
      - !Ref MyIdentityPool
  ForAnyValue:StringLike:
    cognito-identity.amazonaws.com:amr:
      - authenticated # or unauthenticated
```

The cognito-identity.amazonaws.com:aud part restricts assignment of this role to users who are members of a specific identity pool, whereas you are referencing the ARN of the S3 bucket.
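To catch the two trust-policy mistakes described in the answer before a deploy, here is an added example (not the answer author's code) of a small lint in Python. It takes a trust policy in CloudFormation JSON form (`{"Ref": ...}` and `{"Fn::ImportValue": ...}` instead of the YAML short tags) and checks that every Cognito-federated statement uses `sts:AssumeRoleWithWebIdentity`, pins `cognito-identity.amazonaws.com:aud` to the identity pool, and uses the `amr` value matching the key the role is attached under. The two embedded policy documents are constructed from the question's `MyIdentityPoolAuthRole`, before and after the fixes; the function names are assumptions.

```python
"""Lint the trust policies of Cognito identity pool roles before deploying.

Added example for this page, not code from the question or the answer. The
policy documents are in CloudFormation JSON form, so `!Ref X` from the YAML
becomes {"Ref": "X"} and `!ImportValue X` becomes {"Fn::ImportValue": "X"}.
Names such as check_trust_policy are assumptions made here.
"""

COGNITO_IDENTITY = "cognito-identity.amazonaws.com"
WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_identity_pool(value, pool_logical_id):
    """True if an aud value points at the identity pool (Ref in a template, or a literal pool ID)."""
    if isinstance(value, dict):
        return value.get("Ref") == pool_logical_id
    # A literal pool ID looks like "us-east-1:1a2b3c4d-..."; a bucket or role ARN never does.
    return isinstance(value, str) and ":" in value and not value.startswith("arn:")


def check_trust_policy(doc, pool_logical_id, expected_amr):
    """Return a list of findings; an empty list means the trust policy is sound.

    expected_amr is "authenticated" or "unauthenticated", i.e. the key the role
    is mapped under in AWS::Cognito::IdentityPoolRoleAttachment.
    """
    findings = []
    statements = _as_list(doc.get("Statement"))
    if not statements:
        return ["trust policy has no statements"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated"))
        if COGNITO_IDENTITY not in federated:
            findings.append(f"statement {i}: Principal.Federated must be {COGNITO_IDENTITY}, got {federated}")
            continue
        actions = _as_list(stmt.get("Action"))
        if WEB_IDENTITY_ACTION not in actions:
            findings.append(f"statement {i}: Action must include {WEB_IDENTITY_ACTION}, got {actions}")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{COGNITO_IDENTITY}:aud"))
        if not aud:
            # Without an aud condition any identity pool, in any AWS account, could assume this role.
            findings.append(f"statement {i}: missing StringEquals on {COGNITO_IDENTITY}:aud")
        elif not all(_is_identity_pool(v, pool_logical_id) for v in aud):
            findings.append(f"statement {i}: {COGNITO_IDENTITY}:aud must be the identity pool ID "
                            f"(Ref {pool_logical_id}), got {aud}")
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(f"{COGNITO_IDENTITY}:amr"))
        if amr != [expected_amr]:
            findings.append(f"statement {i}: ForAnyValue:StringLike on {COGNITO_IDENTITY}:amr "
                            f"must be ['{expected_amr}'], got {amr}")
    return findings


# Constructed from the question's MyIdentityPoolAuthRole: the "before".
BROKEN_AUTH_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [COGNITO_IDENTITY]},
        "Action": ["sts:AssumeRole"],
        "Condition": {
            "StringEquals": {f"{COGNITO_IDENTITY}:aud": [{"Fn::ImportValue": "mydevDocumentBucketArn"}]},
            "ForAnyValue:StringLike": {f"{COGNITO_IDENTITY}:amr": ["authenticated"]},
        },
    }],
}

# The same statement with the answer's two fixes applied.
FIXED_AUTH_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [COGNITO_IDENTITY]},
        "Action": [WEB_IDENTITY_ACTION],
        "Condition": {
            "StringEquals": {f"{COGNITO_IDENTITY}:aud": [{"Ref": "MyIdentityPool"}]},
            "ForAnyValue:StringLike": {f"{COGNITO_IDENTITY}:amr": ["authenticated"]},
        },
    }],
}


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_AUTH_TRUST), ("fixed", FIXED_AUTH_TRUST)):
        print(name, check_trust_policy(doc, "MyIdentityPool", "authenticated") or ["ok"])
```

Run against the question's template the lint reports exactly the two points the answer makes; run against the fixed policy it reports nothing. The `aud` check matters beyond the error message: a Cognito trust policy without it can be assumed from any identity pool, including one in another account, which is why the pool ID rather than a bucket ARN is the value to pin.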

Declaration: the technical posts on this site follow the CC BY-SA 4.0 license; if you reproduce them, please credit this site's URL or the original source. © 2020-2024 STACKOOM.COM