[英]Not able to give a Cognito User access on a certain S3 bucket
我有一個用戶池和一個身份池,我在身份池中為身份驗證用戶提供的角色具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketPolicy",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket123",
"arn:aws:s3:::testbucket456",
"arn:aws:s3:::testbucket987"
]
}
]
}
我使用 Web Identity 創建了一個名為Role_testbucket456_User_X
的新角色,並添加了一個條件,其中cognito-identity.amazonaws.com:sub
是 stringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c
,並附加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我將具有子8e23d688-1f28-445c-8966-fdcb967c8e3c
的 Cognito 用戶 Y 添加到名為testbucket456_Users
的 Cognito 用戶池組
然后將角色Role_testbucket456_User_X
附加到這個組testbucket456_Users
我期望的是,除了具有子8e23d688-1f28-445c-8966-fdcb967c8e3c
的用戶 Y 能夠訪問testbucket456
存儲桶上的讀/寫之外,沒有任何 Cognito 用戶對任何 S3 存儲桶具有讀/寫訪問權限。 但不幸的是,這並沒有奏效。
因此,我已將以下存儲桶策略添加到testbucket456
存儲桶中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
但這仍然沒有用,每當我嘗試調用此方法時,我仍然遇到訪問被拒絕的問題:
const listObjectParams = {
Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
if (err) {
console.log(err);
return;
}
console.log(data);
console.log(`Successfully listed objects in `);
});
當我將testbucket456
存儲桶的策略設置為
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::testbucket456/*"
},
{
"Sid": "AllowCognitoUserAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::testbucket456"
}
]
}
然后我可以使用 Cognito 用戶訪問(列出對象)存儲桶,我認為問題出在存儲桶的策略本身,特別是在Principal
字段中。
可能的問題
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
像下面這樣:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::testbucket456"
]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
]
}
有人可以確認嗎?
這個答案就是解決方案,我不得不更改賦予 Cognito 用戶的默認角色
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.