AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed."
AccessDeniedException for the action that is allowed to a role by a policy on AWS timestream
I am trying to read Timestream data from a web application so that it can be viewed by the public. I followed this AWS tutorial to allow any user to view the data in a web browser. After that, because endpoint discovery failed, I followed this GitHub issue.
The problem I have now is that it returns these errors.
POST https://query.timestream.us-west-2.amazonaws.com/ 403 (Forbidden)
Uncaught (in promise) AccessDeniedException:
User: arn:aws:sts::<number here>:assumed-role/Cognito_izunumaUnauth_Role/CognitoIdentityCredentials
is not authorized to perform: timestream:DescribeEndpoints because no session policy allows
the timestream:DescribeEndpoints action
I have attached a policy to Cognito_izunumaUnauth_Role that allows timestream:DescribeEndpoints, and I checked that it works in the IAM policy simulator, so I don't know how to resolve this error.
Right now the code in my React app looks like this.
import * as AWS from "@aws-sdk/client-timestream-query";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import {
  fromCognitoIdentityPool,
} from "@aws-sdk/credential-provider-cognito-identity";
import { useEffect } from 'react';
// The JSX below references `logo`; the import was missing from the post.
// This is the create-react-app default.
import logo from './logo.svg';

function App() {
  useEffect(() => {
    (async () => {
      // Unauthenticated Cognito identity pool credentials for the browser.
      const credentials = fromCognitoIdentityPool({
        client: new CognitoIdentityClient({ region: "us-west-2" }),
        identityPoolId: "<IDENTITY_POOL_ID>",
      });

      // Step 1: discover the query endpoint (needs timestream:DescribeEndpoints).
      const endpointsQueryClient = new AWS.TimestreamQuery({
        region: "us-west-2",
        credentials,
      });
      const qClientResponse = await endpointsQueryClient.describeEndpoints({});
      console.log(qClientResponse);

      // Step 2: build a client pinned to the discovered endpoint and run the query.
      const queryClient = new AWS.TimestreamQuery({
        region: "us-west-2",
        credentials,
        endpoint: `https://${qClientResponse.Endpoints[0].Address}`,
      });
      const QueryString = `SELECT * FROM solarpanel_test.solarpanel_test WHERE time between ago(30000m) and now() ORDER BY time DESC LIMIT 200`;
      console.log(await queryClient.query({ QueryString }));
    })();
  }, []);

  return (
    <div className="App">
      <header className="App-header">
        <img src={logo} className="App-logo" alt="logo" />
        <p>
          Edit <code>src/App.js</code> and save to reload.
        </p>
        <a
          className="App-link"
          href="https://reactjs.org"
          target="_blank"
          rel="noopener noreferrer"
        >
          Learn React
        </a>
      </header>
    </div>
  );
}

export default App;
I'm new to AWS, so any advice would be helpful.
I understand your concern; AWS has fine-grained policies for each action.
One for describing endpoints, another for select, then another for preparequery, and so on...
You also need to add the SELECT policy here.
After describing the endpoints, you are running a select query. The read policy has nearly 7 actions, whereas the Describe policies (describeEndpoint / ListDatabases) only list databases/tables and do not read data.
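As an added example (not code from the question or from either answer), the block below spells out the fine-grained Timestream actions the answer above refers to. It builds a least-privilege IAM policy for the read path used by the question's code (DescribeEndpoints for endpoint discovery, Select on the one table, SelectValues/CancelQuery as non-resource-scoped helpers), parses the AccessDeniedException text from the question to recover the denied action and the policy layer that denied it, and checks whether a given policy document grants an action. The region, account ID and the exact action set are assumptions; the table ARN format `arn:aws:timestream:<region>:<account>:database/<db>/table/<table>` is the documented one.

```javascript
// Added example: least-privilege Timestream query policy plus a check against
// the AccessDeniedException text. Not part of the original question or answers.

// Database and table names come from the question; region/account are assumed.
const REGION = "us-west-2";
const ACCOUNT_ID = "111122223333"; // placeholder account ID

function tableArn(region, accountId, database, table) {
  return `arn:aws:timestream:${region}:${accountId}:database/${database}/table/${table}`;
}

// Minimal read-only policy for "discover endpoint, then SELECT from one table".
// DescribeEndpoints, SelectValues and CancelQuery are not resource-scoped, so
// their Resource must be "*"; Select is scoped to the table ARN.
function buildTimestreamReadPolicy(region, accountId, database, table) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "EndpointDiscovery",
        Effect: "Allow",
        Action: ["timestream:DescribeEndpoints"],
        Resource: "*",
      },
      {
        Sid: "ReadOneTable",
        Effect: "Allow",
        Action: ["timestream:Select"],
        Resource: tableArn(region, accountId, database, table),
      },
      {
        // SelectValues covers queries that reference no table (e.g. SELECT now()),
        // which is the usual connectivity test; CancelQuery aborts a running query.
        Sid: "QueryHelpers",
        Effect: "Allow",
        Action: ["timestream:SelectValues", "timestream:CancelQuery"],
        Resource: "*",
      },
    ],
  };
}

// IAM action patterns may contain "*" and are matched case-insensitively.
function actionMatches(pattern, action) {
  const escaped = pattern
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`, "i").test(action);
}

// True if any Allow statement in the policy covers the action (ignores Deny and
// Resource/Condition on purpose: this is an action-coverage check, not a full
// IAM evaluation).
function policyAllowsAction(policy, action) {
  return policy.Statement.some(
    (s) => s.Effect === "Allow" && [].concat(s.Action).some((p) => actionMatches(p, action)),
  );
}

// Pulls principal, denied action and the denying policy layer out of the
// "is not authorized to perform ... because no <layer> policy allows" message.
function parseAccessDenied(message) {
  const re = /User:\s+(\S+)\s+is not authorized to perform:\s+(\S+)\s+because no ([\w-]+(?: [\w-]+)*) policy allows/;
  const m = message.replace(/\s+/g, " ").match(re);
  if (!m) return null;
  return { principal: m[1], action: m[2], policyLayer: m[3] };
}

// Constructed sample: the message from the question with a placeholder account.
const SAMPLE_DENY = `User: arn:aws:sts::${ACCOUNT_ID}:assumed-role/Cognito_izunumaUnauth_Role/CognitoIdentityCredentials
is not authorized to perform: timestream:DescribeEndpoints because no session policy allows
the timestream:DescribeEndpoints action`;

// Given the deny message and the policy you attached, report whether the policy
// you are editing is even the layer that denied the call.
function diagnose(message, policy) {
  const denied = parseAccessDenied(message);
  if (!denied) return { understood: false };
  return {
    understood: true,
    action: denied.action,
    policyLayer: denied.policyLayer,
    attachedPolicyAllows: policyAllowsAction(policy, denied.action),
    // A "session" layer is applied when the credentials are issued, so it sits
    // on top of the role's attached (identity-based) policy.
    fixIsInAttachedPolicy: denied.policyLayer !== "session",
  };
}
```

Usage: `diagnose(SAMPLE_DENY, buildTimestreamReadPolicy(REGION, ACCOUNT_ID, "solarpanel_test", "solarpanel_test"))` reports that the attached policy does allow `timestream:DescribeEndpoints` while the denial names the session policy, which is the situation described in the question: the IAM policy simulator evaluates the role's identity-based policy and cannot see a session policy scoped onto the temporary credentials, so "it works in the simulator" does not contradict the 403.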
This is exactly the problem I ran into. I thought it was about authorization, and yes, that is completely right; however, this error refers to your role, so here we use STSClient: first send the request and use that role's credentials to use another AWS feature.
import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts";
import { TimestreamQueryClient, QueryCommand } from "@aws-sdk/client-timestream-query";

// `aws_creds` are the base credentials that are allowed to call sts:AssumeRole
// on <role>; they must be supplied by the caller.
async function queryAsRole(aws_creds) {
  const params = {
    RoleArn: "<role>",
    RoleSessionName: "<name>",
  };
  const clientRole = new STSClient({
    region: "us-west-2",
    credentials: aws_creds,
  });
  // Exchange the base credentials for temporary credentials of the role.
  const role = await clientRole.send(new AssumeRoleCommand(params));
  const role_creds = {
    accessKeyId: role.Credentials.AccessKeyId,
    secretAccessKey: role.Credentials.SecretAccessKey,
    sessionToken: role.Credentials.SessionToken,
  };
  // Query Timestream with the assumed role's credentials.
  const query = `SELECT * FROM db.table ORDER BY column DESC LIMIT 5`;
  const timestreamQuery = new TimestreamQueryClient({
    region: "us-west-2",
    credentials: role_creds,
  });
  const queryCommand = new QueryCommand({ QueryString: query });
  return timestreamQuery.send(queryCommand);
}
// use it like `queryAsRole(aws_creds).then((data) => { ... }, (err) => { ... })`
Statement: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original URL. For any questions, contact: yoyou2525@163.com.